Radium memory leak

Craig Merchant cmerchant at responsys.com
Mon Mar 25 23:04:53 EDT 2013


Hey, Carter...

I tried installing the latest 3.0.7.7 client build and I'm still seeing a memory leak in radium when label files are enabled.

These are the searches that we launch when radium starts up:

        /usr/local/bin/ra -S 10.10.10.10:561 -n -u -c "," -s "+0dnstroke" | egrep -v "(^,|^0,)" >> /ssd/argus/splunk/reverse_keystroke.csv &

        /usr/local/bin/ralabel -S 10.10.10.10:561 -f /usr/local/argus/ralabel.conf -n -u -c "," -M dsrs="+label" label="blacklisted" -s +1dur,+label:200 - not dst net 10.0.0.0/8 and not dst net 12.130.140.0/24 and not dst port 25 and not dst port 53 >> /ssd/argus/splunk/blacklisted.csv &

        /usr/local/bin/ra -S 10.10.10.10:561 -n -u -c "," -M dsrs="+duser,+suser,+label" -u -e "^SSH-" -s "+1dur,+suser,+duser,+label:200" - not dst net 10.0.0.0/8 and not dst net 12.130.140.0/24 | egrep -v "whitelisted" >> /ssd/argus/splunk/suspicious_outbound_ssh.csv &

        /usr/local/bin/rastream -S 10.10.10.10:561 -M time 15m -B 10s -w /ssd/argus/%s.argus -f /usr/local/argus/rastream.sh &

The /usr/local/argus/rastream.sh launches four searches (with different filters) that look like the following:

        racluster -r $FILES -M correct -m proto saddr daddr dport -c "@" -p 3 -u -Z b -n -s "+0ltime,+trans,+dur,+runtime,+mean,+stddev,+sum,+sco,+dco,+spkts,+dpkts,+sbytes,+dbytes,+load,+sload,+dload,+loss,+sloss,+dloss,+ploss,+sploss,+dploss,+rate,+srate,+drate,+appbytes,+sappbytes,+dappbytes,+label:200"

I sent you the iana label file we're using a while back along with the ralabel.conf file.  Those are still pretty much the same (though I cleaned up some errors in the label file recently).  If you want the most recent version of the label file, let me know.  Or if you want some more samples of binary flow data.

Let me know how best to troubleshoot this...

Thx.

Craig