These triggers then cause high CPU load. We had a fix already but I'm not sure if it has been confirmed that it solved the problem?
Robin, All:
Here are the graphs for a run of all scan policies (OldScan + new scan.bro,
scan_udp.bro, scan_icmp.bro) from a run on a FreeBSD 9.1 box for
an approximately 3-day duration.
Memory footprint continues to grow, but I have noticed on other systems that
memory flattens out around the 11G range (after a 9-day uninterrupted run).
CPU is surprisingly low on this host. (Attached graph). However, on
other boxes I have seen CPU being high as time progresses.
It seems to me that the scan_udp fix is probably working, looking at this one
data point. I will enable these on other DMZ boxes and let's see if we see
the same results.
Aashish
On Tue, Feb 18, 2014 at 2:41 PM, Robin Sommer (JIRA) <
Aashish, can you post or link to the versions of the scripts you're running? Just for the record, and also I had some changes I tried to describe on an email thread that I don't think made it across, so if I still have any suggestions I can just modify your script and post it back to you.
The CPU spikes worry me quite a bit. I can't quite tell if there's a pattern to it, i.e., if they come in regular intervals, and in particular if they align with the sumstats interval?
John,
I am sending you the tar ball of the site-policy files in a direct email.
Aashish
–
Aashish Sharma (asharma@lbl.gov)
Cyber Security,
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-612-7971
Not in distribution yet.