[Bro] question about intel files
Azoff, Justin S
jazoff at illinois.edu
Tue Aug 2 06:04:35 PDT 2016
> On Aug 2, 2016, at 8:43 AM, philosnef <philosnef at yahoo.com> wrote:
>
> Are intel files loaded into memory or statically evaluated? We have a 7.4 meg intel file we are looking to push; however, out of 400 gigs of ram, we are using 400 gigs, with a load average well over 10.... This is only a 3.5 Gb/s sustained link. We have about 2000 lines of intel (cert hash, file hash, domain) currently. This new addition would drive this up to ~35,000 lines of intel. We are trying to determine if this is practical given our current load on the box.
>
> Also, why does bro continuously chew ram up? When first started, bro eats about 80 gigs, then moves up through the day to about 120-175. However, if we leave it running for a few days, it ends up at the max of the memory allowed for the system...
What process is using memory? Workers? Proxies? Manager? If you can include the output of 'broctl top' that would be helpful.
--
- Justin Azoff
More information about the Bro
mailing list