[Bro] Worker System Memory Exhaustion
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Apr 6 14:17:47 PDT 2018
I’ve been monitoring /20 and several small subnets plus internal /8 with Justin’s simple scans and it’s excellent. Highly recommended. It’s also faster when it comes to detection.
> On Apr 6, 2018, at 1:45 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
>
>> On Apr 6, 2018, at 4:31 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
>>
>> I think Justin hit the nail on the head, we monitor two full /16, 3 /24
>> and 2 partial /16, in front of any local FW devices; similar to LBL.
>> Commenting out misc/scan did the trick, memory is now being freed as one
>> would expect.
>>
>> We already know we have TONS of scanners traversing the network, so
>> probably don't need this at all although I am interested in hearing of
>> good alternatives.
>>
>> Thanks again everyone, greatly appreciate the help.
>>
>> Greg
>
> https://github.com/ncsa/bro-simple-scan
>
> https://github.com/initconf/scan-NG
>
> both are available in bro-pkg. I'm obviously partial to simple-scan, but
> Aashish is closer to you if you need someone to blame if it breaks :-)
>
>
> —
> Justin Azoff
>
>