[Bro] Suggestions on handling 1Gb/s HTTP traffic?

Azoff, Justin S jazoff at illinois.edu
Mon Oct 26 05:29:50 PDT 2015


> On Oct 26, 2015, at 1:36 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> 
> Hi,
> 
> I recently tested bro 2.4.1 with ~1Gb/s HTTP traffic, it works but the
> processes die out of OOM within a few hours.

You need to elaborate on which processes are using memory and getting killed.

Posting this again:

Memory leaks are tricky.  It is important to make a distinction about what component is using a lot of memory:

1) the workers - analyzer issues and leaks in general would show up here.
2) the proxies - communication related
3) the manager - child - if the manager is overloaded the child will buffer log data
4) the manager - parent - if a logging destination is overloaded the parent will buffer log writes


-- 
- Justin Azoff
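An added example, not part of the original message: one way to tell which of the four components listed above is growing is to compare per-process RSS between two runs of `broctl top`. The snapshots are constructed, and the column layout (Name, Type, Host, Pid, Proc, VSize, Rss, Cpu, Cmd) and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed snapshots, some hours apart, in the assumed `broctl top` layout:
# Name Type Host Pid Proc VSize Rss Cpu Cmd
SNAP_T0 = """\
Name      Type    Host      Pid   Proc   VSize  Rss   Cpu  Cmd
manager   manager 10.0.0.1  2101  parent 480M   210M  12%  bro
manager   manager 10.0.0.1  2140  child  390M   95M   8%   bro
proxy-1   proxy   10.0.0.1  2188  parent 210M   80M   3%   bro
worker-1  worker  10.0.0.2  3310  parent 1G     700M  85%  bro
worker-1  worker  10.0.0.2  3312  child  300M   60M   2%   bro
"""
SNAP_T1 = """\
Name      Type    Host      Pid   Proc   VSize  Rss   Cpu  Cmd
manager   manager 10.0.0.1  2101  parent 490M   215M  14%  bro
manager   manager 10.0.0.1  2140  child  3G     2G    9%   bro
proxy-1   proxy   10.0.0.1  2188  parent 212M   82M   3%   bro
worker-1  worker  10.0.0.2  3310  parent 1G     720M  88%  bro
worker-1  worker  10.0.0.2  3312  child  300M   60M   2%   bro
"""
UNITS_MB = {"K": 1 / 1024, "M": 1, "G": 1024}

def to_mb(size):
    """Convert a size such as '700M' or '2G' to megabytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG])", size.upper())
    if not m:
        raise ValueError("unrecognised size: " + size)
    return float(m.group(1)) * UNITS_MB[m.group(2)]

def component(node_type, proc):
    """Map a row to one of the four components named in the message."""
    if node_type == "manager":
        return "manager - " + proc  # parent and child point to different causes
    return {"worker": "workers", "proxy": "proxies"}.get(node_type, node_type)

def rss_by_component(snapshot):
    """Sum the Rss column (in MB) per component for one snapshot."""
    totals = defaultdict(float)
    for line in snapshot.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] == "Name":  # header or a line without all columns
            continue
        totals[component(f[1], f[4])] += to_mb(f[6])
    return dict(totals)

def growth(before, after):
    """RSS growth in MB per component, largest first."""
    b, a = rss_by_component(before), rss_by_component(after)
    return sorted(((a[k] - b.get(k, 0.0), k) for k in a), reverse=True)
```

In the constructed data the manager child accounts for nearly all of the growth, which is the case the list above ties to an overloaded manager buffering log data.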



