Changeset 54

Timestamp:
04/17/08 21:49:35 (10 years ago)
Author:
rmcmillen
Message:

Fixes Ticket #24 by incorporating the changes to hflow in changeset https://projects.honeynet.org/hflow/changeset/14. It now uses the is_local column of the flow table to identify local network traffic. Counters and Top 10 stats should now be accurate. Fixed in version 1.2.7 with hflow version 1.99.25

Location:
walleye/trunk/walleye
Files:
3 modified

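--- a/walleye/trunk/walleye/Makefile
+++ b/walleye/trunk/walleye/Makefile
@@ -1,3 +1,3 @@
-ver=1.2.6
+ver=1.2.7
 pname=walleye-${ver}
 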
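--- a/walleye/trunk/walleye/walleye.pl
+++ b/walleye/trunk/walleye/walleye.pl
@@ -265,5 +265,5 @@
     $query .= " left join sys_socket on sys_socket.flow_id = flow.flow_id and  flow.sensor_id = sys_socket.sensor_id";
     $query .= " where  flow.sensor_id = ? ";
-    #cviecco ---$query .= " and local = ?";
+    $query .= " and is_local = ?";
     $query .= " and flow.src_start_sec > UNIX_TIMESTAMP(DATE_SUB(now(), INTERVAL ? HOUR  )) ";
     $query .= " group by src_ip order by 6 desc, 5 desc   limit 10";
@@ -273,7 +273,5 @@
 
     
-    #cviecco- $sipq->execute($sensor,1,$report_duration) or die "error on query '$query'";
-    $sipq->execute($sensor,$report_duration) or die "error on query '$query'";
-
+    $sipq->execute($sensor,1,$report_duration) or die "error on query '$query'";
 
     my $rtable = new HTML::Table(
@@ -336,6 +334,6 @@
     $rtable->setCellColSpan(1,1,4);
     
-    #cviecco $sipq->execute($sensor,0,$report_duration);
-    $sipq->execute($sensor,$report_duration) or die;
+    $sipq->execute($sensor,0,$report_duration);
+    #rob $sipq->execute($sensor,$report_duration) or die;
 
     $ltable->addRow("Top 10 Remote Hosts");
@@ -503,6 +501,5 @@
     $query  .= "from flow ";
     $query  .= "left join ids on ids.sensor_id = flow.sensor_id and ids.flow_id = flow.flow_id ";
-    #--cviecco $query  .= "where flow.sensor_id in $hp and local = ? ";
-    $query  .= "where flow.sensor_id in $hp  ";
+    $query  .= "where flow.sensor_id in $hp and is_local = ? ";
     $query  .= "and src_bytes > 0 and dst_bytes > 0 ";
     $query  .= "and src_end_sec > UNIX_TIMESTAMP(DATE_SUB(now(), INTERVAL ? HOUR) ) ";
@@ -515,6 +512,5 @@
     $query  .= "from flow ";
     $query  .= "left join ids on ids.sensor_id = flow.sensor_id and ids.flow_id = flow.flow_id ";
-    ##--cviecco $query  .= "where flow.sensor_id in $hp and local = ? ";
-    $query  .= "where flow.sensor_id in $hp ";
+    $query  .= "where flow.sensor_id in $hp and is_local = ? ";
     #$query  .= "and src_bytes > 0 and dst_bytes > 0 ";
     $query  .= "and src_end_sec > UNIX_TIMESTAMP(DATE_SUB(now(), INTERVAL ? HOUR) ) ";
@@ -525,5 +521,5 @@
 
     #------ get number of flows / events in last 24 hours
-    $sql->execute(24) or die "error in query='$query_cam1'";
+    $sql->execute(1,24) or die "error in query='$query_cam1'";
     $ref = $sql->fetchall_arrayref();
     foreach $foo(@$ref){
@@ -533,5 +529,5 @@
     
     #----- get number of flows / events in last 1 hours
-    $sql->execute(1) or die ;
+    $sql->execute(1,1) or die ;
     $ref = $sql->fetchall_arrayref();
     foreach $foo(@$ref){
@@ -542,5 +538,5 @@
     
     #------ get number of flows / events in last 24 hours
-    $sql->execute(24) or die;
+    $sql->execute(0,24) or die;
     $ref = $sql->fetchall_arrayref();
     foreach $foo(@$ref){
@@ -550,5 +546,5 @@
     
     #----- get number of flows / events in last 1 hours
-    $sql->execute(1) or die;
+    $sql->execute(0,1) or die;
     $ref = $sql->fetchall_arrayref();
     foreach $foo(@$ref){
@@ -561,5 +557,5 @@
 
     #------ get number of flows / events in last 24 hours
-    $sql2->execute(24) or die;
+    $sql2->execute(1,24) or die;
     $ref = $sql2->fetchall_arrayref();
     foreach $foo(@$ref){
@@ -569,5 +565,5 @@
     
     #----- get number of flows / events in last 1 hours
-    $sql2->execute(1) or die;
+    $sql2->execute(1,1) or die;
     $ref = $sql2->fetchall_arrayref();
     foreach $foo(@$ref){
@@ -578,5 +574,5 @@
     
     #------ get number of flows / events in last 24 hours
-    $sql2->execute(24) or die;
+    $sql2->execute(0,24) or die;
     $ref = $sql2->fetchall_arrayref();
     foreach $foo(@$ref){
@@ -586,5 +582,5 @@
     
     #----- get number of flows / events in last 1 hours
-    $sql2->execute(1) or die;
+    $sql2->execute(0,1) or die;
     $ref = $sql2->fetchall_arrayref();
     foreach $foo(@$ref){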
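Review bot: The remote-hosts query at new line 336, `$sipq->execute($sensor,0,$report_duration);`, has no error check, while the matching local-hosts call at new line 275 dies with the query text on failure; a failed execute here silently renders an empty "Top 10 Remote Hosts" table instead of surfacing the error. Make it `$sipq->execute($sensor,0,$report_duration) or die "error on query '$query'";` and drop the `#rob ...` commented-out line beneath it, which is dead code now that the column is `is_local`. In the two counter queries at new lines 503 and 514, `$hp` is still interpolated straight into `where flow.sensor_id in $hp` even though the new `is_local = ?` placeholder shows the statement is already parameter-bound; `$hp` is built outside the hunk, so if it ever derives from request input this is a SQL injection point and should become a list of `?` placeholders with the sensor ids passed to execute. The enclosing subroutines start and end outside these hunks.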
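--- a/walleye/trunk/walleye/walleye.spec
+++ b/walleye/trunk/walleye/walleye.spec
@@ -1,5 +1,5 @@
 Summary:  Walleye Honeynet data analysis
 Name: walleye
-Version: 1.2.6
+Version: 1.2.7
 Release: 1
 License: GPL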