[Bro] Worker System Memory Exhaustion

Greg Grasmehr greg.grasmehr at caltech.edu
Fri Apr 6 13:31:55 PDT 2018


I think Justin hit the nail on the head; we monitor two full /16, 3 /24
and 2 partial /16, in front of any local FW devices, similar to LBL.
Commenting out misc/scan did the trick, memory is now being freed as one
would expect.

We already know we have TONS of scanners traversing the network, so
probably don't need this at all, although I am interested in hearing of
good alternatives.

Thanks again everyone, greatly appreciate the help.

Greg

> try commenting out
> 
> @load misc/scan
> 
> from local.bro.
> 
> If you have a lot of address space and Bro is before any firewall as opposed to after it, this is likely the source of the problems.
> 
> If that fixes it, there are other scan detection implementations that are a bit more efficient.
> 
>> Justin Azoff
> 

