[Bro] Worker System Memory Exhaustion
Azoff, Justin S
jazoff at illinois.edu
Fri Apr 6 05:24:37 PDT 2018
> On Apr 5, 2018, at 7:36 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
>
> Hello List,
>
> We're running Bro version 2.5-467 and shunting connections in an Arista
> 5100 via the excellent Dumbno. The system is essentially a Bro-in-a-box
> with 251G RAM and a Myricom SNF+ card. Bro spawns 32 workers to monitor
> a 10G link that averages roughly 5G and spikes to 7 on occasion. Logs
> are rotated every 1/2 hour.
Cool :-)
> The current configuration has been running for about 2 weeks and thus
> far the only problem I have encountered is that given enough time, the
> workers will eventually exhaust all of the available system memory
> including scratch.
Less cool :-(
> Currently I am running a watcher process which slowly restarts the
> workers once available memory is < 4G and this has solved the problem,
> but this seems an imperfect solution thus I am wondering if anyone knows
> the source of the apparent memory leak? Loaded scripts are attached and
> thanks in advance for any informative illumination on this issue.
try commenting out
@load misc/scan
from local.bro.
If you have a lot of address space and bro is before any firewall as opposed to after it, this is likely the source of the problems.
If that fixes it there are other scan detection implementations that are a bit more efficient.
—
Justin Azoff
More information about the Bro
mailing list