[Bro] High cpu when calling lookup_hostname
Chris Chiaverini
cchiaverini at bnl.gov
Fri May 6 05:27:20 PDT 2016
It is probably in IO wait on the lookup. Could you run a local caching
nameserver? nscd is the easiest to set up but there are others.
Regards,
Chris Chiaverini
On 05/06/2016 06:16 AM, Pasqualino Paladino wrote:
>
> Hello everybody,
>
> I’m using Bro 2.4.1 stable and I developed a script in order to add
> some information to http.log.
>
> This code snippet attempts to look up each external hostname that is
> being contacted by an internal IP.
>
>     if ( c?$http && c$http?$host && c$http$host != "" ) {
>         # Asynchronous DNS lookup of the HTTP Host value.
>         when ( local h = lookup_hostname(c$http$host) ) {
>             if ( |h| > 0 && (0.0.0.0 !in h) )
>             {
>                 c$http$host_ip = h;
>                 Log::write(HTTP::LOG, c$http);
>             }
>             return;
>         }
>         # Give up if no answer arrives within 2 seconds.
>         timeout 2 sec {
>             return;
>         }
>     }
>
> My problem is that the cores that have been assigned to Bro are using
> 100% of the CPU, and I guess the problem is caused by the *when* call.
>
> I have tried to install an internal DNS cache (Bind9) in order to
> increase the performance, but, having 300 mb/s of throughput and
> setting a 2 sec timeout, it doesn’t work.
>
> By disabling the script, Bro has the expected behavior (around 50%-60%
> of CPU usage).
>
> Is anyone able to help me?
>
> Thanks in advance,
>
> Pasquale