[Bro-Dev] [JIRA] (BIT-1103) Memory leak in Bro Intel framework

2013-12-09 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1103:
--

Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Memory leak in Bro Intel framework
 --

 Key: BIT-1103
 URL: https://bro-tracker.atlassian.net/browse/BIT-1103
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.2
 Environment: Red Hat Enterprise Linux Server release 6.5
Reporter: Andrew Hoying
Assignee: Bernhard Amann
Priority: High
  Labels: intel, leak

 The policy/frameworks/intel/seen bro scripts have a memory leak. On my 
 moderately busy Bro installation I am leaking about a gig of memory a day per 
 worker process with the Intel framework enabled. I can replicate by adding 
 the following to the local.bro default script and then running through a 
 small PCAP with primarily dns, dhcp and syslog traffic.
 {{
 @load policy/frameworks/intel/seen
 redef Intel::read_files += {
     "/usr/local/bro/spool/domain_suspicious.txt",
 };
 }}
 The intel file is in the following format, here's a few sample lines. It is 
 generated automatically by CIF:
 {{
 #fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.cif_impact	meta.cif_severity	meta.cif_confidence
 mete-tools.biz	Intel::DOMAIN	CIF - need-to-know	spammed domain	http://www.spamhaus.org/query/dbl?domain=mete-tools.biz (public)	-	-	95
 rttvxygkmwlqmq.net	Intel::DOMAIN	CIF - need-to-know	spammed domain	http://www.spamhaus.org/query/dbl?domain=rttvxygkmwlqmq.net (public)	-	-	95
 podserveruho.com	Intel::DOMAIN	CIF - need-to-know	spammed domain	http://www.spamhaus.org/query/dbl?domain=podserveruho.com (public)	-	-	95
 wwfcogdgntlxw.biz	Intel::DOMAIN	CIF - need-to-know	spammed domain	http://www.spamhaus.org/query/dbl?domain=wwfcogdgntlxw.biz (public)	-	-	95
 }}
 I compiled bro with gperftools debug support and followed the instructions 
 here: http://www.bro.org/development/howtos/leaks.html. (Note, the 
 instructions are wrong on the flags for ./configure, you need to add 
 --enable-perftools-debug to get the -m option for bro)
 Here's the output from pprof top after running a PCAP trace with 10,000 
 packets. Running traces with more packets shows a greater number of lost 
 objects in the same code locations.
 {{
 # pprof bin/bro /tmp/bro.24541.net_run-end.heap --inuse_objects --lines --heapcheck --edgefraction=1e-10 --nodefraction=1e-10
 Using local file bin/bro.
 Using local file /tmp/bro.24541.net_run-end.heap.
 Welcome to pprof!  For help, type 'help'.
 (pprof) top
 Total: 4295 objects
     2150  50.1%  50.1%     2150  50.1% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
     2141  49.8%  99.9%     2141  49.8% copy_string /usr/src/bro-2.2/src/util.cc:155
        2   0.0% 100.0%        2   0.0% re_alloc /usr/src/bro-2.2/build/src/re-scan.cc:2287
        1   0.0% 100.0%        1   0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:110
        1   0.0% 100.0%        1   0.0% RE_parse /usr/src/bro-2.2/build/src/re-parse.y:133
        0   0.0% 100.0%     2141  49.8% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
        0   0.0% 100.0%        4   0.1% Connection::NextPacket /usr/src/bro-2.2/src/Conn.cc:259
        0   0.0% 100.0%        4   0.1% NetSessions::DispatchPacket /usr/src/bro-2.2/src/Sessions.cc:189
        0   0.0% 100.0%        4   0.1% NetSessions::DoNextPacket /usr/src/bro-2.2/src/Sessions.cc:709
        0   0.0% 100.0%        4   0.1% NetSessions::NextPacket /usr/src/bro-2.2/src/Sessions.cc:247
 }}



--
This message was sent by Atlassian JIRA
(v6.2-OD-03#6206)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
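
The report's observation that longer traces lose more objects at the same code locations can be checked mechanically by comparing two `pprof` `top` listings. This is an added example, not part of the original report or of the Bro code base; `parse_top`, `growing_sites` and every number in the second listing are constructed for illustration.

```python
import re

# One data row of `pprof --inuse_objects --lines` "top" output:
#   flat  flat%  sum%  cum  cum%  function  file:line
ROW = re.compile(r"^\s*(\d+)\s+[\d.]+%\s+[\d.]+%\s+(\d+)\s+[\d.]+%\s+(\S+)\s+(\S+):(\d+)\s*$")

def parse_top(text):
    """Return {(function, file, line): (flat, cum)} for every data row."""
    sites = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flat, cum, func, path, lineno = m.groups()
            sites[(func, path, int(lineno))] = (int(flat), int(cum))
    return sites

def growing_sites(small, large, min_ratio=1.5):
    """Allocation sites whose directly held (flat) objects grow with trace size."""
    a, b = parse_top(small), parse_top(large)
    out = []
    for site, (flat_b, _) in b.items():
        flat_a = a.get(site, (0, 0))[0]
        if flat_a > 0 and flat_b / flat_a >= min_ratio:
            out.append((site, flat_a, flat_b))
    return sorted(out, key=lambda r: r[2] - r[1], reverse=True)

# Rows taken from the 10,000-packet run quoted in the report.
RUN_10K = """\
Total: 4295 objects
    2150  50.1%  50.1%     2150  50.1% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
    2141  49.8%  99.9%     2141  49.8% copy_string /usr/src/bro-2.2/src/util.cc:155
       2   0.0% 100.0%        2   0.0% re_alloc /usr/src/bro-2.2/build/src/re-scan.cc:2287
       0   0.0% 100.0%     2141  49.8% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
"""
# Constructed listing for a longer trace (invented numbers, not from the report).
RUN_LONGER = """\
Total: 8586 objects
    4300  50.1%  50.1%     4300  50.1% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:186
    4282  49.9% 100.0%     4282  49.9% copy_string /usr/src/bro-2.2/src/util.cc:155
       2   0.0% 100.0%        2   0.0% re_alloc /usr/src/bro-2.2/build/src/re-scan.cc:2287
       0   0.0% 100.0%     4282  49.9% AsciiFormatter::ParseValue /usr/src/bro-2.2/src/threading/AsciiFormatter.cc:195
"""

if __name__ == "__main__":
    for (func, path, line), before, after in growing_sites(RUN_10K, RUN_LONGER):
        print(f"{func} {path}:{line}  {before} -> {after} objects")
```

Sites with a constant count, such as the `re_alloc` row, are one-time allocations and drop out; only sites that scale with the amount of traffic processed are reported.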


[Bro-Dev] [JIRA] (BIT-1103) Memory leak in Bro Intel framework

2013-12-05 Thread Seth Hall (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seth Hall updated BIT-1103:
---

Status: In Progress  (was: Open)

 Memory leak in Bro Intel framework
 --

 Key: BIT-1103
 URL: https://bro-tracker.atlassian.net/browse/BIT-1103
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.2
 Environment: Red Hat Enterprise Linux Server release 6.5
Reporter: Andrew Hoying
Priority: High
  Labels: intel, leak



[Bro-Dev] [JIRA] (BIT-1103) Memory leak in Bro Intel framework

2013-12-05 Thread Seth Hall (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seth Hall reassigned BIT-1103:
--

Assignee: Bernhard Amann

 Memory leak in Bro Intel framework
 --

 Key: BIT-1103
 URL: https://bro-tracker.atlassian.net/browse/BIT-1103
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.2
 Environment: Red Hat Enterprise Linux Server release 6.5
Reporter: Andrew Hoying
Assignee: Bernhard Amann
Priority: High
  Labels: intel, leak
