[ https://bro-tracker.atlassian.net/browse/BIT-1103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1103:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Memory leak in Bro Intel framework
> ----------------------------------
>
>                 Key: BIT-1103
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1103
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.2
>         Environment: Red Hat Enterprise Linux Server release 6.5
>            Reporter: Andrew Hoying
>            Assignee: Bernhard Amann
>            Priority: High
>              Labels: intel, leak
>
> The policy/frameworks/intel/seen bro scripts have a memory leak. On my 
> moderately busy Bro installation I am leaking about a gig of memory a day per 
> worker process with the Intel framework enabled. I can replicate by adding 
> the following to the local.bro default script and then running through a 
> small PCAP with primarily dns, dhcp and syslog traffic.
> {{
> @load policy/frameworks/intel/seen
> redef Intel::read_files += {
>     "/usr/local/bro/spool/domain_suspicious.txt",
> };
> }}
> The intel file is in the following format; here are a few sample lines. It is 
> generated automatically by CIF:
> {{
> #fields indicator       indicator_type  meta.source     meta.desc       meta.url        meta.cif_impact meta.cif_severity       meta.cif_confidence
> mete-tools.biz  Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=mete-tools.biz (public)        -       -       95
> rttvxygkmwlqmq.net      Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=rttvxygkmwlqmq.net (public)    -       -       95
> podserveruho.com        Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=podserveruho.com (public)      -       -       95
> wwfcogdgntlxw.biz       Intel::DOMAIN   CIF - need-to-know      spammed domain  http://www.spamhaus.org/query/dbl?domain=wwfcogdgntlxw.biz (public)     -       -       95
> }}
> I compiled bro with gperftool debug support and followed the instructions 
> here: http://www.bro.org/development/howtos/leaks.html. (Note, the 
> instructions are wrong on the flags for ./configure, you need to add 
> --enable-perftools-debug to get the -m option for bro)
> Here's the output from pprof top after running a PCAP trace with 10,000 
> packets. Running traces with more packets shows a greater number of lost 
> objects in the same code locations.
> {{
> # pprof bin/bro "/tmp/bro.24541.net_run-end.heap" --inuse_objects --lines --heapcheck  --edgefraction=1e-10 --nodefraction=1e-10
> Using local file bin/bro.
> Using local file /tmp/bro.24541.net_run-end.heap.
> Welcome to pprof!  For help, type 'help'.
> (pprof) top
> Total: 4295 objects
>     2150  50.1%  50.1%     2150  50.1% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
>     2141  49.8%  99.9%     2141  49.8% copy_string /usr/src/bro-2.2/src/util.cc:155
>        2   0.0% 100.0%        2   0.0% re_alloc /usr/src/bro-2.2/build/src/re-scan.cc:2287
>        1   0.0% 100.0%        1   0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:110
>        1   0.0% 100.0%        1   0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:133
>        0   0.0% 100.0%     2141  49.8% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
>        0   0.0% 100.0%        4   0.1% Connection::NextPacket /usr/src/bro-2.2/src/Conn.cc:259
>        0   0.0% 100.0%        4   0.1% NetSessions::DispatchPacket /usr/src/bro-2.2/src/Sessions.cc:189
>        0   0.0% 100.0%        4   0.1% NetSessions::DoNextPacket /usr/src/bro-2.2/src/Sessions.cc:709
>        0   0.0% 100.0%        4   0.1% NetSessions::NextPacket /usr/src/bro-2.2/src/Sessions.cc:247
> }}



--
This message was sent by Atlassian JIRA
(v6.2-OD-03#6206)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
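
As an added example (not part of the original report and not Bro or gperftools code): a small Python parser for the `pprof` `top` output quoted in the issue, listing the allocation sites that directly own the in-use objects. It accepts a row's source location either on the same line or wrapped onto the next; the names `parse_top` and `allocation_sites` and the 1% threshold are assumptions of this example.

```python
import re

# Subset of the pprof "top" rows quoted in the report above.
PPROF_TOP = """\
Total: 4295 objects
    2150  50.1%  50.1%     2150  50.1% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
    2141  49.8%  99.9%     2141  49.8% copy_string /usr/src/bro-2.2/src/util.cc:155
       2   0.0% 100.0%        2   0.0% re_alloc /usr/src/bro-2.2/build/src/re-scan.cc:2287
       0   0.0% 100.0%     2141  49.8% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
       0   0.0% 100.0%        4   0.1% Connection::NextPacket /usr/src/bro-2.2/src/Conn.cc:259
"""

# flat, flat%, sum%, cum, cum%, function, optional source location
ROW = re.compile(
    r"^\s*(\d+)\s+[\d.]+%\s+[\d.]+%\s+(\d+)\s+[\d.]+%\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_top(text):
    """Return (total, rows); each row has flat, cum, func and loc."""
    total, rows = None, []
    for line in text.splitlines():
        line = re.sub(r"^>\s?", "", line)  # tolerate mail quote markers
        m = re.match(r"Total:\s+(\d+)\s+objects", line.strip())
        if m:
            total = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            rows.append({"flat": int(m[1]), "cum": int(m[2]),
                         "func": m[3], "loc": m[4]})
        elif rows and rows[-1]["loc"] is None and line.strip():
            rows[-1]["loc"] = line.strip()  # wrapped row: file:line follows
    return total, rows

def allocation_sites(text, min_share=0.01):
    """Sites whose flat count is at least min_share of all in-use objects.

    'flat' counts objects allocated at that exact line; rows with flat == 0
    are callers on the path and only repeat the same objects in 'cum'.
    """
    total, rows = parse_top(text)
    return [(r["func"], r["loc"], r["flat"], r["flat"] / total)
            for r in rows if r["flat"] / total >= min_share]

if __name__ == "__main__":
    for func, loc, flat, share in allocation_sites(PPROF_TOP):
        print(f"{flat:6d} {share:6.1%}  {func}  {loc}")
```

Running the same function over profiles from traces of different sizes and comparing the flat counts per site shows which locations grow with packet count, which is the behaviour the report describes.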
