BRO 2.0 - SMTP - Saving file attachments causing many packet Drops

Hello,

I moved to BRO 2.0 a few days ago, so far it works great.

I am testing the SMTP write file to disk feature (entities.bro) which also works great on file attachments.

Due to load on my machine (60mbps) there are packet drops which cause the file assembly to be corrupted (BRO is running on a tap and not in-line).

I suspect that the drops are caused by the excessive I/O when writing these attachments to disk.

I decided to optimize bro to get rid of the drops:

  • I disabled all the scripts in init-default.bro (besides smtp) and also logging capabilities.
  • Increased the system allocated buffer size in setvbuf() (BroFile::SetBuf - File.cc)
  • Writing the file into tmpfs instead of the local directory

I am still suffering drops.

Am I doing something wrong? Is there any way to optimize it even better to get rid of the drops?

Thank You,
JD

> I am testing the SMTP write file to disk feature (entities.bro) which also works great on file attachments.

Glad to hear that's working for you.

> Am I doing something wrong? Is there any way to optimize it even better to get rid of the drops?

If you are using broctl, in your broctl.cfg file add the line (then install and restart in broctl)…
broargs = -l 9800

We have been seeing problems with the beta in some cases with packet loss at fairly low packet load, which we are planning to address for the final release, but reducing the snap length has typically been fixing it for people.

  .Seth