Radium memory leak

Carter Bullard carter at qosient.com
Tue Mar 26 07:53:37 EDT 2013


Hmmmmm, I really thought we had fixed that.
Any sense of the rate of memory loss?
I may need some flow data from you, if my data doesn't
generate any leaks.

I'll valgrind it today.

Carter

On Mar 25, 2013, at 11:04 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> Hey, Carter…
>  
> I tried installing the latest 3.0.7.7 client build and I’m still seeing a memory leak in radium when label files are enabled.
>  
> These are the searches that we launch when radium starts up:
>  
>         /usr/local/bin/ra -S 10.10.10.10:561 -n -u -c "," -s "+0dnstroke" | egrep -v "(^,|^0,)" >> /ssd/argus/splunk/reverse_keystroke.csv &
>  
>         /usr/local/bin/ralabel -S 10.10.10.10:561 -f /usr/local/argus/ralabel.conf -n -u -c "," -M dsrs="+label" label="blacklisted" -s +1dur,+label:200 - not dst net 10.0.0.0/8 and not dst net 12.130.140.0/24 and not dst port 25 and not dst port 53 >> /ssd/argus/splunk/blacklisted.csv &
>  
>         /usr/local/bin/ra -S 10.10.10.10:561 -n -u -c "," -M dsrs="+duser,+suser,+label" -u -e "^SSH-" -s "+1dur,+suser,+duser,+label:200" - not dst net 10.0.0.0/8 and not dst net 12.130.140.0/24 | egrep -v "whitelisted" >> /ssd/argus/splunk/suspicious_outbound_ssh.csv &
>  
>         /usr/local/bin/rastream -S 10.10.10.10:561 -M time 15m -B 10s -w /ssd/argus/%s.argus -f /usr/local/argus/rastream.sh &
>  
> The /usr/local/argus/rastream.sh launches four searches (with different filters) that look like the following:
>  
> racluster -r $FILES -M correct -m proto saddr daddr dport -c "@" -p 3 -u -Z b -n -s "+0ltime,+trans,+dur,+runtime,+mean,+stddev,+sum,+sco,+dco,+spkts,+dpkts,+sbytes,+dbytes,+load,+sload,+dload,+loss,+sloss,+dloss,+ploss,+sploss,+dploss,+rate,+srate,+drate,+appbytes,+sappbytes,+dappbytes,+label:200"
>  
> I sent you the iana label file we’re using a while back along with the ralabel.conf file.  Those are still pretty much the same (though I cleaned up some errors in the label file recently).  If you want the most recent version of the label file, let me know.  Or if you want some more samples of binary flow data.
>  
> Let me know how best to troubleshoot this…
>  
> Thx.
> 
> Craig