[ https://bro-tracker.atlassian.net/browse/BIT-1103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1103:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Memory leak in Bro Intel framework
> ----------------------------------
>
>                 Key: BIT-1103
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1103
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.2
>         Environment: Red Hat Enterprise Linux Server release 6.5
>            Reporter: Andrew Hoying
>            Assignee: Bernhard Amann
>            Priority: High
>              Labels: intel, leak
>
> The policy/frameworks/intel/seen bro scripts have a memory leak. On my
> moderately busy Bro installation I am leaking about a gig of memory a day per
> worker process with the Intel framework enabled. I can replicate by adding
> the following to the local.bro default script and then running through a
> small PCAP with primarily dns, dhcp and syslog traffic.
> {{
> @load policy/frameworks/intel/seen
> redef Intel::read_files += {
>     "/usr/local/bro/spool/domain_suspicious.txt",
> };
> }}
> The intel file is in the following format, here's a few sample lines. It is
> generated automatically by CIF:
> {{
> #fields indicator indicator_type meta.source meta.desc
> meta.url meta.cif_impact meta.cif_severity meta.cif_confidence
> mete-tools.biz Intel::DOMAIN CIF - need-to-know spammed domain
> http://www.spamhaus.org/query/dbl?domain=mete-tools.biz (public) -
> - 95
> rttvxygkmwlqmq.net Intel::DOMAIN CIF - need-to-know spammed
> domain http://www.spamhaus.org/query/dbl?domain=rttvxygkmwlqmq.net (public)
> - - 95
> podserveruho.com Intel::DOMAIN CIF - need-to-know spammed
> domain http://www.spamhaus.org/query/dbl?domain=podserveruho.com (public)
> - - 95
> wwfcogdgntlxw.biz Intel::DOMAIN CIF - need-to-know spammed
> domain http://www.spamhaus.org/query/dbl?domain=wwfcogdgntlxw.biz (public)
> - - 95
> }}
> I compiled bro with gperftool debug support and followed the instructions
> here: http://www.bro.org/development/howtos/leaks.html. (Note, the
> instructions are wrong on the flags for ./configure, you need to add
> --enable-perftools-debug to get the -m option for bro)
> Here's the output from pprof top after running a PCAP trace with 10,000
> packets. Running traces with more packets show a greater number of lost
> objects in the same code locations.
> {{
> # pprof bin/bro "/tmp/bro.24541.net_run-end.heap" --inuse_objects --lines
> --heapcheck --edgefraction=1e-10 --nodefraction=1e-10
> Using local file bin/bro.
> Using local file /tmp/bro.24541.net_run-end.heap.
> Welcome to pprof! For help, type 'help'.
> (pprof) top
> Total: 4295 objects
>     2150 50.1% 50.1% 2150 50.1% AsciiFormatter::ParseValue
> /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
>     2141 49.8% 99.9% 2141 49.8% copy_string
> /usr/src/bro-2.2/src/util.cc:155
>        2 0.0% 100.0% 2 0.0% re_alloc
> /usr/src/bro-2.2/build/src/re-scan.cc:2287
>        1 0.0% 100.0% 1 0.0% RE_parse
> /usr/src/bro-2.2/build/src/re-parse.y:110
>        1 0.0% 100.0% 1 0.0% RE_parse
> /usr/src/bro-2.2/build/src/re-parse.y:133
>        0 0.0% 100.0% 2141 49.8% AsciiFormatter::ParseValue
> /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
>        0 0.0% 100.0% 4 0.1% Connection::NextPacket
> /usr/src/bro-2.2/src/Conn.cc:259
>        0 0.0% 100.0% 4 0.1% NetSessions::DispatchPacket
> /usr/src/bro-2.2/src/Sessions.cc:189
>        0 0.0% 100.0% 4 0.1% NetSessions::DoNextPacket
> /usr/src/bro-2.2/src/Sessions.cc:709
>        0 0.0% 100.0% 4 0.1% NetSessions::NextPacket
> /usr/src/bro-2.2/src/Sessions.cc:247
> }}

--
This message was sent by Atlassian JIRA
(v6.2-OD-03#6206)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev