[Bro] Issues since 2.5.5

Jon Siwek jsiwek at corelight.com
Mon Nov 12 12:51:45 PST 2018


On Mon, Nov 12, 2018 at 1:16 PM James Lay <jlay at slave-tothe-box.net> wrote:
>
> Well..I think I'll also put my name in the "something is funky with
> 2.5.5" group.  I have seen far more crashes and OOM's with 2.5.5 than
> with 2.5.4.

Various thoughts:

* This is the first I've heard of trouble directly related to 2.5.5 in
contrast to 2.5.4. If you have reference to others reporting similar,
please point me at it as it may help with correlating/diagnosing.

* For any crashes, forwarding stack traces to reports at bro.org would help.

* For OOM, a first sanity check is to make sure reporter.log isn't
showing any scripting errors.  E.g. unitialized record field access is
known to leak memory, but it's also an underlying scripting mistake
that needs to fixed.

* Similarly, remember that memory utilization is effected by scripting
logic.  If you use any custom or external scripts/packages that are
not conservative with how they track state over time, that's always a
possible source of OOM problems that's independent of Bro version.  So
a question would be whether you are comparing the same configuration
between 2.5.4 and 2.5.5 or were some scripts/packages different?

- Jon


More information about the Bro mailing list