[Bro-Dev] [JIRA] (BIT-1183) topic/jsiwek/ascii-log-memleak-fix

2014-04-17 Thread Jon Siwek (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16200#comment-16200 ]

Jon Siwek commented on BIT-1183:


The second commit on this branch I think should resolve problems people have w/ 
increased memory usage over time on the manager.

The problem was this line: 
https://github.com/bro/bro/blob/a56c3437151985a1d0e4c881c047796109fbd81d/src/logging/writers/Ascii.cc#L158

At each rotation, that will add a new string that the Desc object has to check 
for when escaping strings.  Over time, the cost of escaping things in the ASCII 
logs will increase until the rate at which logs can be formatted/written is 
lower than the rate at which logs are produced.  Once that happens, Bro is 
unlikely to be able to catch up on the pending logs and so runs out of memory.

> topic/jsiwek/ascii-log-memleak-fix
> ----------------------------------
>
> Key: BIT-1183
> URL: https://bro-tracker.atlassian.net/browse/BIT-1183
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch fixes a memory leak in the ASCII log writer that occurs after 
> each rotation.



--
This message was sent by Atlassian JIRA
(v6.3-OD-02-026#6318)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-348) Reassembler integer overflow issues. Data not delivered after 2GB

2014-04-17 Thread Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16201#comment-16201 ]

Robin Sommer commented on BIT-348:
--

I took a quick look. This looks like the right approach and I would
like to get it into 2.3. It will take me a bit more to go through in
more detail. In the meantime, could you do some additional testing
comparing output before and after on a trace of live traffic,
including in particular traffic with some large flows that exercise
the TCP wrap-around?


> Reassembler integer overflow issues. Data not delivered after 2GB
> -----------------------------------------------------------------
>
> Key: BIT-348
> URL: https://bro-tracker.atlassian.net/browse/BIT-348
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: gregor
> Assignee: Jon Siwek
> Priority: High
> Labels: inttypes
> Fix For: 2.3
>
>
> {noformat}
> #!rst
> The TCP Reassembler does not deliver any data to analyzers after the first 
> 2GB due to signed integer overflow (Actually it will deliver again between 
> 4--6GB, etc.) This happens silently, i.e., without content_gap events or 
> Undelivered calls. 
>
> This report superseded BIT-315, BIT-137
>
> The TCP Reassembler (and Reassem) base class use ``int`` to keep track of 
> sequence numbers and ``seq_delta`` to check for differences. If a connection 
> exceeds 2GB, the relative sequence numbers (int) used by the Reassembler 
> become negative. While many parts of the Reassembler still work (because 
> seq_delta still reports the correct difference) some parts do not. In 
> particular ``seq_to_skip`` is broken (and fails silently). There might well 
> be other parts of the Reassembler that fail silently as well, that I 
> haven't found yet. 
>
> See Comments in TCP_Reassembler.cc for more details. 
>
> The Reassembler should use int64. However this will require deep changes to 
> the Reassembler and the TCP Analyzer and TCP_Endpoint classes (since we also 
> store sequence numbers there). Also, the analyzer framework will need tweaks 
> as well (e.g., Undelivered uses ``int`` for sequence numbers, also has to go 
> to 64 bit)
>
> As a hotfix that seems to work I disabled the ``seq_to_skip`` features. It 
> wasn't used by any analyzer or policy script (Note, that seq_to_skip is 
> different from skip_deliveries). Hotfix is in 
> topic/gregor/reassembler-hotfix
> {noformat}



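An added illustration of the arithmetic behind the BIT-348 report (not code from Bro or from the issue): a relative sequence number held in a 32-bit signed value goes negative between 2 GB and 4 GB and turns positive again after 4 GB, while a wrap-safe delta stays correct, so a 64-bit offset can be built by accumulating deltas. The names `seq_delta32`, `rel_seq_int32`, `SeqTracker64` and `walk_flow` are hypothetical, and the initial sequence number and flow sizes are constructed.

```cpp
#include <cstdint>
#include <cstdio>

// Wrap-safe difference of two on-wire sequence numbers (the role the report
// gives to seq_delta); correct while the true distance is below 2^31.
inline int32_t seq_delta32(uint32_t a, uint32_t b) {
    return static_cast<int32_t>(a - b);
}

// Relative offset stored in a 32-bit signed value, as the report describes.
// Values >= 2^31 come out negative on two's-complement targets.
inline int32_t rel_seq_int32(uint32_t isn, uint64_t bytes_sent) {
    uint32_t wire = isn + static_cast<uint32_t>(bytes_sent); // wraps mod 2^32
    return static_cast<int32_t>(wire - isn);
}

// Hypothetical 64-bit tracker: extends on-wire numbers to a monotonic offset.
class SeqTracker64 {
public:
    explicit SeqTracker64(uint32_t isn) : last_wire_(isn), rel_(0) {}
    // Assumes each update lies within 2^31 bytes of the previous one.
    int64_t Update(uint32_t wire) {
        rel_ += seq_delta32(wire, last_wire_);
        last_wire_ = wire;
        return rel_;
    }
private:
    uint32_t last_wire_;
    int64_t rel_;
};

// Walk a constructed flow in 1 MiB steps; return the final 64-bit offset.
int64_t walk_flow(uint32_t isn, uint64_t total_bytes) {
    SeqTracker64 t(isn);
    const uint64_t step = 1u << 20;
    int64_t rel = 0;
    for (uint64_t sent = step; sent <= total_bytes; sent += step)
        rel = t.Update(isn + static_cast<uint32_t>(sent));
    return rel;
}

int main() {
    const uint32_t isn = 0xFFFFF000u; // constructed ISN close to the 2^32 wrap
    for (uint64_t gb = 1; gb <= 5; ++gb)
        std::printf("%llu GB: int32 rel=%d, int64 rel=%lld\n", (unsigned long long)gb,
                    rel_seq_int32(isn, gb << 30), (long long)walk_flow(isn, gb << 30));
    return 0;
}
```
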


[Bro-Dev] [JIRA] (BIT-1183) topic/jsiwek/ascii-log-memleak-fix

2014-04-17 Thread Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1183:
--

Status: Closed  (was: Merge Request)

> topic/jsiwek/ascii-log-memleak-fix
> ----------------------------------
>
> Key: BIT-1183
> URL: https://bro-tracker.atlassian.net/browse/BIT-1183
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch fixes a memory leak in the ASCII log writer that occurs after 
> each rotation.





[Bro-Dev] [Auto] Merge Status

2014-04-17 Thread Merge Tracker

Open Merge Requests
===================

ID            Component  Reporter      Assignee   Updated     For Version  Priority  Summary
------------  ---------  ------------  ---------  ----------  -----------  --------  -------
BIT-1168 [1]  Bro        Brian Little  Seth Hall  2014-03-31  -            Low       Add Java version to software framework
BIT-348 [2]   Bro        gregor        Jon Siwek  2014-04-17  2.3          High      Reassembler integer overflow issues. Data not delivered after 2GB


Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  -----
#6 [3]   bro           jshlbrd [4]  2014-04-15  Intel::ADDR indicators in http host field [5]
#4 [6]   bro           mareq [7]    2014-04-01  Protocol identification heuristics. [8]
#4 [9]   time-machine  mareq [10]   2014-04-10  When deleting connections hashtable, delete stored connections as well. [11]
#3 [12]  time-machine  mareq [13]   2014-04-10  Correct handling of Linux SLL header and VLAN headers. [14]
#2 [15]  time-machine  mareq [16]   2014-04-09  Query interval start/end is now taken into account. [17]
#1 [18]  time-machine  mareq [19]   2014-03-19  TM-16: Really skip VLAN header for indexing. [20]


[1]   BIT-1168         https://bro-tracker.atlassian.net/browse/BIT-1168
[2]   BIT-348          https://bro-tracker.atlassian.net/browse/BIT-348
[3]   Pull Request #6  https://github.com/bro/bro/pull/6
[4]   jshlbrd          https://github.com/jshlbrd
[5]   Merge Pull Request #6 with  git pull https://github.com/jshlbrd/bro.git master
[6]   Pull Request #4  https://github.com/bro/bro/pull/4
[7]   mareq            https://github.com/mareq
[8]   Merge Pull Request #4 with  git pull https://github.com/mareq/bro.git topic/mareq/analyzer-for-missing-request
[9]   Pull Request #4  https://github.com/bro/time-machine/pull/4
[10]  mareq            https://github.com/mareq
[11]  Merge Pull Request #4 with  git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[12]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[13]  mareq            https://github.com/mareq
[14]  Merge Pull Request #3 with  git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[15]  Pull Request #2  https://github.com/bro/time-machine/pull/2
[16]  mareq            https://github.com/mareq
[17]  Merge Pull Request #2 with  git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[18]  Pull Request #1  https://github.com/bro/time-machine/pull/1
[19]  mareq            https://github.com/mareq
[20]  Merge Pull Request #1 with  git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16
