All,
Has anyone else seen an impact from changing the dns_session_timeout parameter in Bro?
I have been wrestling with Bro's memory usage for a while now (using Bro 2.2 from Security Onion to monitor DNS server traffic), and recently tried changing the dns_session_timeout value from the default of 10 seconds to 1 second. That has changed Bro's memory consumption dramatically. While at the default 10-second timeout, Bro was slowly growing in RAM usage until the Linux OOM manager killed it (and broctl cron automatically restarted it... lather, rinse, repeat). With the 1-second timeout, Bro's been steady at ~200MB/worker for the past couple of days.
While I'm happy that this seems to have fixed a problem, I'm wondering what other impact that change has had. Obviously, if the DNS server starts responding slowly, Bro will see the request and response as separate sessions... I think I can live with that. Is that the only impact of changing the dns_session_timeout variable?
Thanks.
aaron