Ticket #19 (closed defect: fixed)

Opened 11 years ago

Last modified 11 years ago

Walleye: flow counters do not zero after data purge

Reported by: DaveH
Owned by: [email protected]
Priority: major
Milestone: roo-1.4
Component: Walleye
Version: 1.4b3
Keywords: flow counters
Cc:

Description

All of the flow counter values on the Data Analysis tab of Walleye remain after a data purge. The pcap directory is cleared and no error is reported. A reboot of Honeywall zeros the 1 hour count only.

Change History

  Changed 11 years ago by rmcmillen

How are you initiating the data purge?

  Changed 11 years ago by DaveH

Data purge initiated within Walleye: System Admin Tab >> Honeywall Configuration >> Data Management. Tick box: "Apply Data purge NOW?", click: "Configure" button.

  Changed 11 years ago by rmcmillen

Did you have anything in the Number of Days to keep PCAP data or Number of Days to keep DB data fields?

  Changed 11 years ago by DaveH

The default values of 45 and 180 were left in the Number of days to keep PCAP data: and Number of days to keep DB data: respectively. Previously, applying a data purge now with these default values left in place zeroed all counters.

follow-up: ↓ 6   Changed 11 years ago by rmcmillen

  • component changed from Honeywall to Walleye

in reply to: ↑ 5   Changed 11 years ago by david

  • priority changed from minor to major

Replying to rmcmillen:

I've just retested this on the latest v1.4 code and got the same error. Hitting reset with the default configuration returns:

Stopping hflow: [ OK ]
Stopping pcap: [ OK ]
Stopping snort-inline: [ OK ]
Starting pcap: [ OK ]
Initializing Inline mode
building cached link layer reset packets
Starting snort-inline: [ OK ]
Starting hflow[ OK ]

But never completes (web interface still waiting for data).

Entries in /var/log/messages are:

Apr 11 10:08:02 localhost logger: hwdaemons: deactivating honeywall for log cleanout
Apr 11 10:08:02 localhost logger: hwdaemons: honeywall deactivated fro log cleanout
Apr 11 10:08:02 localhost logger: hwdaemons: activating honeywall post log cleanout
Apr 11 10:08:06 localhost snort-inline: Reading from iptables
Apr 11 10:08:06 localhost snort[7012]: Var 'any_ADDRESS' defined, value len = 15 chars
Apr 11 10:08:06 localhost snort[7012]: , value = 0.0.0.0/0.0.0.0
<snipped normal snort output with no errors>
Apr 11 10:08:14 localhost snort[7014]: Snort initialization completed successfully (pid=7014)
Apr 11 10:08:14 localhost snort[7014]: Not Using PCAP_FRAMES
Apr 11 10:08:14 localhost logger: hwdaemons: honeywall activated

Are we missing a process step (or is something failing)?

Database shows:

mysql> select count(*) from flow;
+----------+
| count(*) |
+----------+
|     1462 |
+----------+

So clearly not being cleared down properly.

  Changed 11 years ago by rmcmillen

  • status changed from new to closed
  • resolution set to fixed

The purgeDB.pl script was not completing. This would cause the browser to time out and the data to not be deleted. Changeset [44] has a new version that uses new db calls to mark data for deletion and actually delete the data. This should be faster (thanks Camilo). This script will be in the next roo-base version 5.25.

This said, if there is a lot of data to purge, the browser may still time out.
