[Bro] Remember to double check your DNS resolver configuration

Seth Hall seth at icir.org
Thu Feb 9 10:22:01 PST 2017


Did evidence of this show up in stats.log?  There are some fields that track the amount of DNS actively being performed by Bro in there.

  .Seth

> On Feb 6, 2017, at 10:31 AM, Hosom, Stephen M <hosom at battelle.org> wrote:
> 
> I’ve been troubleshooting an issue where a single node would have all of its workers grow in memory until they would be OOM killed. The troubleshooting process spanned multiple days and I only happened to come across this with some help from Justin combined with a thread on the issue tracker (https://bro-tracker.atlassian.net/browse/BIT-1482).
>  
> Keep in mind that when you are using the MHR script (enabled by default) or the notary script, your Bro workers are performing a LOT of DNS. In my case I was using both. Since lookup_host_txt and lookup_host never return if the worker node doesn’t reach a DNS server, this results in what would appear to be a new thread for each new DNS query when your DNS resolvers are misconfigured.



--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
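
An added example, not part of the thread and not Bro project code: one way to look for the stats.log evidence asked about above, by flagging peers whose pending DNS lookups never drain. It assumes stats.log has `peer` and `active_dns_requests` columns (Bro 2.5 naming); the sample log is constructed and trimmed to four columns, and `min_samples` and `min_growth` are hypothetical thresholds.

```python
# Added example: find Bro peers whose pending DNS lookups only ever grow.
# Assumption: stats.log carries "peer" and "active_dns_requests" columns
# (Bro 2.5 naming); positions are taken from the "#fields" header line.

# Constructed sample, trimmed to four columns; real stats.log has many more.
SAMPLE_STATS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tpeer\tdns_requests\tactive_dns_requests",
    "#types\ttime\tstring\tcount\tcount",
    "1486400000.0\tworker-1-1\t40\t2",
    "1486400000.0\tworker-2-1\t45\t5",
    "1486400300.0\tworker-1-1\t38\t0",
    "1486400300.0\tworker-2-1\t180\t180",
    "1486400600.0\tworker-1-1\t51\t3",
    "1486400600.0\tworker-2-1\t240\t420",
    "1486400900.0\tworker-1-1\t47\t1",
    "1486400900.0\tworker-2-1\t350\t770",
])


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def stuck_dns_peers(text, min_samples=3, min_growth=100):
    """Return {peer: last pending count} for peers whose pending lookups
    never drop across the log and grow by at least min_growth."""
    series = {}
    for rec in parse_bro_log(text):
        value = rec.get("active_dns_requests", "-")
        if value != "-":  # "-" is Bro's marker for an unset field
            series.setdefault(rec["peer"], []).append(int(value))
    flagged = {}
    for peer, vals in series.items():
        never_drops = all(b >= a for a, b in zip(vals, vals[1:]))
        if len(vals) >= min_samples and never_drops and vals[-1] - vals[0] >= min_growth:
            flagged[peer] = vals[-1]
    return flagged


if __name__ == "__main__":
    for peer, pending in sorted(stuck_dns_peers(SAMPLE_STATS_LOG).items()):
        print(f"{peer}: {pending} DNS lookups still pending, check its resolvers")
```

A peer flagged here is a candidate for the resolver misconfiguration described in the quoted message; a healthy peer's pending count rises and falls as replies arrive.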



