[Bro] Worker System Memory Exhaustion

Mike Dopheide dopheide at gmail.com
Fri Apr 6 14:31:26 PDT 2018


So why not just replace the core misc/scan.bro with Justin's, which seems
clearly better?

-Dop

On Fri, Apr 6, 2018 at 4:17 PM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:

> I’ve been monitoring /20 and several small subnets plus internal /8 with
> Justin’s simple scans and it’s excellent. Highly recommended. It’s also
> faster when it comes to detection.
>
> > On Apr 6, 2018, at 1:45 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> >
> >
> >> On Apr 6, 2018, at 4:31 PM, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
> >>
> >> I think Justin hit the nail on the head, we monitor two full /16, 3 /24
> >> and 2 partial /16, in front of any local FW devices; similar to LBL.
> >> Commenting out misc/scan did the trick, memory is now being freed as one
> >> would expect.
> >>
> >> We already know we have TONS of scanners traversing the network, so
> >> probably don't need this at all although I am interested in hearing of
> >> good alternatives.
> >>
> >> Thanks again everyone, greatly appreciate the help.
> >>
> >> Greg
> >
> > https://github.com/ncsa/bro-simple-scan
> >
> > https://github.com/initconf/scan-NG
> >
> > both are available in bro-pkg.  I'm obviously partial to simple-scan, but
> > Aashish is closer to you if you need someone to blame if it breaks :-)
> >
> >
> > —
> > Justin Azoff
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro