[Bro] Re-reading data in the input framework

[Bernhard Amann]

On Jun 29, 2012, at 1:45 AM, Sheharbano Khattak wrote:

> Thanks. I thought it creates a new stream for each read/remove. From your answer, it appears that each source with REREAD mode gets a dedicated stream that exists as long as Bro runs.

Exactly. The stream exists for the whole duration and the reader for the stream runs in a thread and checks for changes of the file.

Bernhard