Re: AANVAL or MYSQL question

[Hui cao <huica () cisco com>]

snort_main_thread_pid is used for packet processing, 
snort_reload_thread_pid is for reloading.

You might see from log:
Commencing packet processing #main_thread_id
Reload thread started, thread #reload_thread_id

Best,
Hui.
On 04/24/2014 07:55 AM, Y M wrote:
> >Snort packet processing is still single thread, but it also has other 
> threads such as reload thread, control socket thread etc. The reload 
> thread should be idle majority of the time.  If >you suspected it is 
> restarting, you will not see any message like “snort reloaded…”. You 
> will see “snort initializing “ or “restart” in the messages.
>
> Thanks Hui. That pretty much explains it. Is there a way to tell which 
> thread belongs to which Snort thread?
>
> YM
>
> ------------------------------------------------------------------------
> From: huica () cisco com
> To: snort () outlook com; wkitty42 () windstream net; 
> sgierczak () presencehealth org
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] AANVAL or MYSQL question
> Date: Wed, 23 Apr 2014 22:03:07 +0000
>
> Snort packet processing is still single thread, but it also has other 
> threads such as reload thread, control socket thread etc. The reload 
> thread should be idle majority of the time.  If you suspected it is 
> restarting, you will not see any message like “snort reloaded…”. You 
> will see “snort initializing “ or “restart” in the messages.
>
> Best,
> Hui.
>
> From: Y M <snort () outlook com <mailto:snort () outlook com>>
> Date: Wednesday, April 23, 2014 at 5:19 PM
> To: waldo kitty <wkitty42 () windstream net 
> <mailto:wkitty42 () windstream net>>, "Gierczak, Stan" 
> <sgierczak () presencehealth org <mailto:sgierczak () presencehealth org>>
> Cc: snort-users <snort-users () lists sourceforge net 
> <mailto:snort-users () lists sourceforge net>>
> Subject: Re: [Snort-users] AANVAL or MYSQL question
>
> > @YM: maybe these are two threads of the same process? i see similar on my own
> > systems... three of them if i compile with the reload capability...
>
> Isn't Snort single-threaded? I wouldn't imagine it will be creating 
> another "thread" other than its own. On systems i look for there is 
> only one process on every system I checked. May be OS specific? not 
> likely?
>
> I forgot to mentions that my systems are also compiled with reload. 
> Which brings the question of if the Snort has been reloaded (not 
> restarted) on these systems or these processes are showing up after a 
> clean reboot?
>
> YM
>
> ------------------------------------------------------------------------
> From: snort () outlook com <mailto:snort () outlook com>
> To: wkitty42 () windstream net <mailto:wkitty42 () windstream net>; 
> sgierczak () presencehealth org <mailto:sgierczak () presencehealth org>
> Date: Wed, 23 Apr 2014 21:13:32 +0000
> CC: snort-users () lists sourceforge net 
> <mailto:snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] AANVAL or MYSQL question
>
> > @YM: maybe these are two threads of the same process? i see similar on my own
> > systems... three of them if i compile with the reload capability...
>
> Isn't Snort single-threaded? I wouldn't imagine it will be creating 
> another "thread" other than its own. On systems i look for there is 
> only one process on every system I checked. May be OS specific? not 
> likely?
>
> YM
>
> > Date: Wed, 23 Apr 2014 13:49:37 -0400
> > From: wkitty42 () windstream net <mailto:wkitty42 () windstream net>
> > To: SGierczak () presencehealth org 
> <mailto:SGierczak () presencehealth org>; snort () outlook com 
> <mailto:snort () outlook com>; snort-users () lists sourceforge net 
> <mailto:snort-users () lists sourceforge net>
> > Subject: Re: [Snort-users] AANVAL or MYSQL question
> >
> > On 4/22/2014 1:09 PM, Gierczak, Stan wrote:
> > [...]
> > > snort 1321 82.3 12.3 633956 501136 ? Rsl Apr21 1393:18
> > > /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c
> > > /etc/snort/snort.conf -l /var/log/snort/eth0
> > >
> > > snort 3514 66.1 7.6 633684 308620 ? Rsl 12:01 4:34 /usr/sbin/snort
> > > -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l
> > > /var/log/snort/eth0
> >
> > @YM: maybe these are two threads of the same process? i see similar 
> on my own
> > systems... three of them if i compile with the reload capability...
> >
> > --
> > NOTE: No off-list assistance is given without prior approval.
> > Please keep mailing list traffic on the list unless
> > private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------ 
> Start Your Social Network Today - Download eXo Platform Build your 
> Enterprise Intranet with eXo Platform Software Java Based Open Source 
> Intranet - Social, Extensible, Cloud Ready Get Started Now And Turn 
> Your Intranet Into A Collaboration Platform 
> http://p.sf.net/sfu/ExoPlatform <http://p.sf.net/sfu/ExoPlatform>
> _______________________________________________ Snort-users mailing 
> list Snort-users () lists sourceforge net 
> <mailto:Snort-users () lists sourceforge net> Go to this URL to change 
> user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> list archive: 
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!