Question regarding leaking file descriptors

Art_Maddalena · May 9, 2016, 12:58pm

Hi,

We are having a problem with leaking file descriptors when using ActiveHTTP. We do see the temporary files being deleted, but lsof shows the files not closed, so we eventually run out of file descriptors.

Sample Output:

bro 10687 root 1016r REG 253,0 283 57148394 /tmp/bro-activehttp-qque3JKygsj_body (deleted)

bro 10687 root 1017r REG 253,0 131 57148392 /tmp/bro-activehttp-qque3JKygsj_headers (deleted)

bro 10687 root 1018r REG 253,0 348 57148398 /tmp/bro-activehttp-nhBlB9hVchg_body (deleted)

bro 10687 root 1019r REG 253,0 131 57148396 /tmp/bro-activehttp-nhBlB9hVchg_headers (deleted)

Our code is at:

https://github.com/aol/moloch/blob/master/capture/plugins/wiseService/molochwise.bro#L98

We are using bro 2.4.1. Is this a known issue or do we need to change the code somehow?

Thank you for your help!

johanna · May 17, 2016, 4:59pm

Hello Art,

this is an active issue that should be fixed in the next release. The
ticket for this issue is at

https://bro-tracker.atlassian.net/browse/BIT-1594

I hope that helps,
Johanna

Topic		Replies	Views
Realtime File Extracting problem Zeek	3	65	May 6, 2022
weird: spontaneous_FIN problem for HTTP log Zeek	2	59	May 6, 2022
BRO 2.0 - SMTP - Saving file attachments causing many packet Drops Zeek	2	61	May 6, 2022
File Extraction Gaps Zeek	6	86	May 6, 2022
Trying to extract HTTP payload Zeek	11	79	May 6, 2022

Question regarding leaking file descriptors

Related Topics