[Bro] High cpu when calling lookup_hostname
Pasqualino Paladino
pasqualino.paladino at gmail.com
Fri May 6 03:16:34 PDT 2016
Hello everybody,
I’m using Bro 2.4.1 stable and I developed a script in order to add some
information to http.log.
This code snippet attempts to lookup each external hostname that is being
contacted by an internal IP.
    if (c?$http && c$http?$host && c$http$host != "") {
        when (local h = lookup_hostname(c$http$host)) {
            if (|h| > 0 && (0.0.0.0 !in h)) {
                c$http$host_ip = h;
                Log::write(HTTP::LOG, c$http);
            }
            return;
        }
        timeout 2 sec {
            return;
        }
    }
My problem is that the cores that have been assigned to Bro are using
100% of the CPU, and I guess the problem is caused by the *when* call.
I have tried to install an internal DNS cache (Bind9) in order to increase
the performance, but with 300 mb/s of throughput and a timeout of 2 sec
it doesn’t work.
With the script disabled, Bro has the expected behavior (around 50%-60%
CPU usage).
Is anyone able to help me?
Thanks in advance,
Pasquale