[Snort-users] AANVAL or MYSQL question

Hui cao huica at ...589...
Thu Apr 24 09:54:23 EDT 2014


snort_main_thread_pid is used for packet processing; 
snort_reload_thread_pid is for reloading.

You might see this in the log:
Commencing packet processing #main_thread_id
Reload thread started, thread #reload_thread_id

Best,
Hui.
On 04/24/2014 07:55 AM, Y M wrote:
> > Snort packet processing is still single thread, but it also has other 
> > threads such as reload thread, control socket thread etc. The reload 
> > thread should be idle the majority of the time. If you suspected it is 
> > restarting, you will not see any message like “snort reloaded…”. You 
> > will see “snort initializing” or “restart” in the messages.
>
> Thanks Hui. That pretty much explains it. Is there a way to tell which 
> thread belongs to which Snort thread?
>
> YM
>
> ------------------------------------------------------------------------
> From: huica at ...589...
> To: snort at ...15979...; wkitty42 at ...14940...; 
> sgierczak at ...16714...
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] AANVAL or MYSQL question
> Date: Wed, 23 Apr 2014 22:03:07 +0000
>
> Snort packet processing is still single thread, but it also has other 
> threads such as reload thread, control socket thread etc. The reload 
> thread should be idle the majority of the time. If you suspected it is 
> restarting, you will not see any message like “snort reloaded…”. You 
> will see “snort initializing” or “restart” in the messages.
>
> Best,
> Hui.
>
> From: Y M <snort at ...15979...>
> Date: Wednesday, April 23, 2014 at 5:19 PM
> To: waldo kitty <wkitty42 at ...14940...>, "Gierczak, Stan" <sgierczak at ...16714...>
> Cc: snort-users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] AANVAL or MYSQL question
>
> > @YM: maybe these are two threads of the same process? i see similar on my own
> > systems... three of them if i compile with the reload capability...
>
> Isn't Snort single-threaded? I wouldn't imagine it will be creating 
> another "thread" other than its own. On systems I look for there is 
> only one process on every system I checked. Maybe OS specific? Not 
> likely?
>
> I forgot to mention that my systems are also compiled with reload. 
> Which brings the question of if the Snort has been reloaded (not 
> restarted) on these systems or these processes are showing up after a 
> clean reboot?
>
> YM
>
> ------------------------------------------------------------------------
> From: snort at ...15979...
> To: wkitty42 at ...14940...; sgierczak at ...16714...
> Date: Wed, 23 Apr 2014 21:13:32 +0000
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] AANVAL or MYSQL question
>
> > @YM: maybe these are two threads of the same process? i see similar on my own
> > systems... three of them if i compile with the reload capability...
>
> Isn't Snort single-threaded? I wouldn't imagine it will be creating 
> another "thread" other than its own. On systems I look for there is 
> only one process on every system I checked. Maybe OS specific? Not 
> likely?
>
> YM
>
> > Date: Wed, 23 Apr 2014 13:49:37 -0400
> > From: wkitty42 at ...14940...
> > To: SGierczak at ...16714...; snort at ...15979...; snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] AANVAL or MYSQL question
> >
> > On 4/22/2014 1:09 PM, Gierczak, Stan wrote:
> > [...]
> > > snort 1321 82.3 12.3 633956 501136 ? Rsl Apr21 1393:18
> > > /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
> > > /etc/snort/snort.conf -l /var/log/snort/eth0
> > >
> > > snort 3514 66.1 7.6 633684 308620 ? Rsl 12:01 4:34 /usr/sbin/snort
> > > -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l
> > > /var/log/snort/eth0
> >
> > @YM: maybe these are two threads of the same process? i see similar on my own
> > systems... three of them if i compile with the reload capability...
> >
> > --
> > NOTE: No off-list assistance is given without prior approval.
> > Please keep mailing list traffic on the list unless
> > private contact is specifically requested and granted.
>
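
One way to check whether several snort lines in ps output are threads of one process or separate processes, the question discussed in the thread above (an added example, not part of the original messages). The sample rows are constructed in the layout of `ps -eLo pid,lwp,comm`; labelling the thread whose LWP equals the PID as the main thread is an assumption based on Linux threading, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: one PID with several LWPs is one process with several
# threads; several distinct PIDs are separate snort processes.

# Constructed sample in `ps -eLo pid,lwp,comm` layout (not real output).
sample_ps() {
cat <<'EOF'
  PID   LWP COMMAND
 1321  1321 snort
 1321  1322 snort
 1321  1323 snort
 3514  3514 snort
  900   900 sshd
EOF
}

# summarize_snort: reads ps -L style rows on stdin and prints, per PID:
#   pid=<pid> threads=<n> main=<lwp equal to pid> other=<comma list or ->
# Assumption: the thread with LWP == PID is the main thread.
summarize_snort() {
  awk '$3 == "snort" {
         n[$1]++
         if ($1 == $2) main[$1] = $2
         else other[$1] = (other[$1] == "" ? $2 : other[$1] "," $2)
         if (!($1 in seen)) { seen[$1] = 1; order[++k] = $1 }
       }
       END {
         for (i = 1; i <= k; i++) {
           p = order[i]
           printf "pid=%s threads=%d main=%s other=%s\n", p, n[p], main[p],
                  (other[p] == "" ? "-" : other[p])
         }
       }'
}

# count_snort_processes: number of distinct snort PIDs in the input.
count_snort_processes() {
  summarize_snort | wc -l | tr -d ' '
}

# Live use on a Linux sensor: ps -eLo pid,lwp,comm | summarize_snort
sample_ps | summarize_snort
```

More than one `pid=` line means more than one snort process is running; extra threads of a single process appear only in that PID's `other=` list.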


