UDP scan detection generates a large number of triggers

Description

These triggers then cause high CPU load. We had a fix already, but I'm not sure whether it has been confirmed that it solved the problem.

Environment

None

Activity

Aashish Sharma
February 21, 2014, 7:45 PM

Robin, All:

Here are the graphs for a run of all scan policies (OldScan + new scan.bro,
scan_udp.bro, scan_icmp.bro) from a run on a FreeBSD 9.1 box for an
approximately 3-day duration.

Memory footprint continues to grow, but I have noticed on other systems that
memory flattens out around the 11G range (after a 9-day uninterrupted run).

CPU is surprisingly low on this host (attached graph). However, on
other boxes I have seen CPU being high as time progresses.

It seems to me that the scan_udp fix is probably working, looking at this one
data point. I will enable these on other DMZ boxes and let's see if we see the
same results.

Aashish

On Tue, Feb 18, 2014 at 2:41 PM, Robin Sommer (JIRA) <

Jon Siwek
February 21, 2014, 8:07 PM

Aashish, can you post or link to the versions of the scripts you're running? Just for the record, and also I had some changes I tried to describe on an email thread that I don't think made it across, so if I still have any suggestions I can just modify your script and post it back to you.

Robin Sommer
February 21, 2014, 8:12 PM

The CPU spikes worry me quite a bit. I can't quite tell if there's a pattern to them, i.e., if they come at regular intervals, and in particular if they align with the sumstats interval?

Aashish Sharma
February 21, 2014, 8:33 PM

John,

I am sending you the tar ball of the site-policy files in a direct email.

Aashish


Aashish Sharma (asharma@lbl.gov)
Cyber Security,
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-612-7971

Robin Sommer
March 7, 2014, 7:16 PM

Not in distribution yet.

Invalid

Assignee

Unassigned

Reporter

Robin Sommer

Labels

None

External issue ID

None

Components

Fix versions

Priority

Normal