-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Does feed delta merge remove correlations? #7305
Comments
As part of my continued PHP learning curve :-), I am amending my hypothesis above, and certainly would like feedback as we do need to understand root cause to these orphans and how to prevent. Revised Hypothesis: Perhaps the call to the cakePHP If that is true, then I'd appreciate help in devising another reason why we have correlation orphans across many delta-merge feeds. Issues with these orphans include:
Please advise. Thanks!! |
Hello, One hypothesis that I have: The line you were referring to d022b0f actually fixed the issue you are experiencing (it's fixed in 2.4.127 and onward). Would you mind checking if the dates of the orphaned correlations you noticed and the 2.4.127 fix align? One way to do it (even though, unreliable..) would be to check what is the latest orphaned correlation Thanks in advance! |
I pushed a way to clean orphaned correlations on an instance (b86af24). |
Thanks a lot for your reply! As you will see below, I believe these orphans have occurred after 2.4.127; hence, root cause is a mystery. We can recorrelate to clean house, but we do need to prevent these from recurring as they present many false impressions to our data consumers. I'm eager to see what you suggest next. Thx again. Here's some "evidence"... Here''s the upgrades on this MISP instance:
Please refer to my 2021-Jan issue #6931. At that point we were already on 2.4.133, and I recorrelated our MISP instance. So, I believe I can deduce that these orphans occurred after 2.4.127, i.e. on 2.4.133 or 2.4.137. I cannot pinpoint the latest orhpan timestamp as at one point last year our db was totally over correlated so we recorrelated, and you can see the huge disparity between
|
We are now on 2.4.143, and still are getting correlations orphans.
|
MISP 2.4.137
Not sure if this is my misunderstanding or possibly a bug... Looking forward to an education. Thank you.
I have detected correlation orphans in our
correlations
db table, i.e. for a given correlations row either theattribute_id
or the1_attribute_id
no longer exists in theattributes
table. In our instance that's about 9k orphans out of a total 13.6M correlations.I then performed this mysql query and found that in all cases the MISP event was a MISP feed which had delta merge enabled.
I'm not well versed with PHP, so bear with me please as I may be missing how this all fits together; however, It seems to my naive eye like correlations might not be deleted during the feed delta merge process.
When I look at the
saveFreetextFeedData
function inModel/Feed.php
wheredelta_merge
is processed, it's not clear if this line triggers any calls to remove the deleted attributes from correlations.What I'm not seeing, perhaps due to my lacking knowledge, is similar pruning of the correlations that I see in
Model/Attribute.php
with theafterSave
function call to the__beforeSaveCorrelation
function which callsCorrelation->deleteAll
.The text was updated successfully, but these errors were encountered: