[Bro] Fwd: High cpu when calling lookup_hostname

Pasqualino Paladino pasqualino.paladino at gmail.com
Mon May 9 06:20:37 PDT 2016


The wa percentage seems to be 0% according to the top command, so I guess that
is not the problem.

I have installed a local DNS cache (Bind) and this seems to have improved the
performance a little bit, but Bro keeps losing packets due to the “when”
call.



Thanks,

Pasquale


---------- Forwarded message ----------


*Chris Chiaverini* cchiaverini at bnl.gov
*Fri May 6 05:27:20 PDT 2016*

It is probably in IO wait on the lookup.  Could you run a local caching
nameserver?  nscd is the easiest to set up but there are others.

Regards, Chris Chiaverini


---------- Forwarded message ----------
From: Pasqualino Paladino <pasqualino.paladino at gmail.com>
Date: 2016-05-06 12:16 GMT+02:00
Subject: High cpu when calling lookup_hostname
To: bro at bro.org


Hello everybody,



I’m using Bro 2.4.1 stable and I developed a script in order to add some
information to http.log.



This code snippet attempts to look up each external hostname that is being
contacted by an internal IP.



    if ( c?$http && c$http?$host && c$http$host != "" )
        {
        # Asynchronous DNS lookup; the body runs once the result arrives.
        when ( local h = lookup_hostname(c$http$host) )
            {
            if ( |h| > 0 && 0.0.0.0 !in h )
                {
                c$http$host_ip = h;
                Log::write(HTTP::LOG, c$http);
                }
            return;
            }
        # Give up if no answer arrives within 2 seconds.
        timeout 2 sec
            {
            return;
            }
        }



My problem is that the cores that have been assigned to Bro are using
100% of the CPU and I guess the problem is caused by the *when* call.

I have tried to install an internal DNS cache (Bind9) in order to increase
the performance, but with 300 mb/s of throughput and a timeout of 2 sec
it doesn’t work.



By disabling the script, Bro has the expected behavior (around 50%-60%
CPU usage).



Is anyone able to help me?



Thanks in advance,



Pasquale