Significant slow for smtp traffic

Zeek
1

Hello,

I am trying to use bro to monitor smtp requests in my network. Before putting it to production, I simulated the smtp traffic between clients and smtp server using avalanche as the rate of 100 emails/second to test the performance of bro. The size of the attachment is random between a few KBs to 8MB. I was running bro cluster using pf_ring as load balance and launching 20 workers pinned on different CPU. The average network bandwidth is about 200M - 300M. I observed significant slow to get smtp requests showing in the log. The CPU usage is pretty high(100% for every cpu I pinned) and is busy doing memcpy in BroString.cc:concatenate. After a few minutes, I can see a significant drop in the statistic of pf_ring.

Is there any suggestion how can I cope with this traffic?

2

Just find out that it is event smtp_data which causes the slowness. What’s the suggested event to capture smtp body and save it as eml file?

3

Using the file analysis framework is the best way. Are you just trying to save the box from any body transferred over SMTP or is there some particular things you’re looking for? Regardless, the event you’ll want to use is probably file_sniff. Something like this...

event file_sniff(f: fa_file, meta: fa_metadata)
  {
  if ( f$source == “SMTP" )
    {
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }
  }

  .Seth