Re: File preprocessor and snort daemon

["Hui Cao (huica)" <huica () cisco com>]

Hi Eugenio,

Thanks for reporting this and providing the patch.

We will take a look at this issue.

Best,
Hui.

On 5/7/15, 10:47 AM, "Eugenio Perez" <eugenio () redborder org> wrote:

> Hello all.
>
> We've detected a problem capture mode is enable in file preprocessor
> and snort is running as daemon.
>
> Snort is supposed to create curcular buffer where it will save files,
> and to spawn a new thread to poll these ones. However, this new thread
> is lost when snort forks (that is the expected behavior of fork), so
> there is no polling thread anymore.
>
> As a workaround, I restart file preprocessor in the fork with
> pthread_atfork, because (I think) I have no way to know when snort is
> forking, or how to delay file preprocessor starting.
>
> Patch is attached, and related commit in our github server is
> (https://github.com/redBorder/snort/commit/c17145ee17f0d067c5d638241fcd2b3
> c266ff718).
> Any comment/suggestion will be appreciated.
>
> Regards.


------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!