Ahsan Sheraz
10/29/2019, 7:46 AM

Eva
10/29/2019, 8:19 AM
Exception when calling "RemoveAccessRule" with arguments "1": "Some or all identity references could not be converted."
Jishan Shaikh
10/30/2019, 7:54 AM

myfoxtail
10/30/2019, 8:59 AM

Dustin M
10/30/2019, 2:57 PM
`Cannot read TLS server certificate(s): /var/osquery/certs/certs.pem`
as well as `Exception making HTTP request to URL (https://kinesis.us-east-2.amazonaws.com): certificate verify failed`
Does anyone have any idea how to resolve this? (A lot of the GitHub posts are not relevant to osquery -> Kinesis. I followed the docs while setting up the config.)

coffee
10/30/2019, 6:22 PM
`osquery::Killswitch::IsEnabledError 1` is and what does that affect? Getting it after every query.

sean.cavanaugh
10/31/2019, 5:12 PM
`processes` table returning incorrect data on 3.4.0 with the `conhost.exe_incorrect_path` query in the Windows attack pack.
The query `SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';` returned `conhost.exe` for the `name` field, but it returned `C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` for the `path` value, with a `cmdline` value for the `chrome.exe` entry listed in `path`.

timb
10/31/2019, 6:35 PM

Eoin Miller
10/31/2019, 10:04 PM
`path` and maybe some signing information to the `kernel_modules` table? It looks like the table currently is very similar to the output from `lsmod`, but if we could also get some of the items from `modinfo` (like filename and signing info) then you could do things like `JOIN hash USING (path)` to get hashes of the modules, find unique ones, and do hash lookups for known bad.
user@ubuntu:~$ lsmod | grep intel_rapl_perf
intel_rapl_perf 16384 0
user@ubuntu:~$ sudo modinfo intel_rapl_perf
filename: /lib/modules/4.15.0-66-generic/kernel/arch/x86/events/intel/intel-rapl-perf.ko
license: GPL
srcversion: F7ACBF921FF58C3A9F81470
...
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4
hubert dulay
11/03/2019, 1:38 PM

AoS
11/05/2019, 9:44 AM

packetzero
11/05/2019, 9:03 PM

packetzero
11/06/2019, 12:57 AM

Chris B
11/08/2019, 12:15 AM

alessandrogario

Jerome
11/08/2019, 2:14 PM
`Cannot read TLS server certificate(s):` . The permissions seem good and I tested several possibilities. Do you know what's wrong?

milans100
11/08/2019, 5:16 PM

Chris B
11/08/2019, 7:32 PM

Mario De Tore
11/11/2019, 9:08 AM

defensivedepth
11/11/2019, 9:25 PM
`registry`). I need to do some quick comparisons to look for some known values. I would typically generate a hash of the value for easier comparisons and long-term storage, but am not finding any SQLite hashing function. Any ideas?

GaneshK
11/12/2019, 4:59 AM

AoS
11/12/2019, 8:42 AM

nyanshak
11/12/2019, 10:07 PM
`osqueryd worker respawning too quickly: 3 times`
^ I keep seeing that in a short time span, followed by osqueryd exiting, but I'm having trouble understanding why. I've got the `--verbose` flag, but I still don't see anything to really help in diagnosing further.

Jerome
11/13/2019, 9:04 AM
`osquery.conf` seems ignored. I'm on Linux and I used the default conf file from `/usr/share/osquery/osquery.example.conf`, and I just set the parameter `"disable_tables": "chrome_extensions",` but when I start `osqueryi` or `osqueryd` the table is still available. Same if I explicitly provide the conf file: `osqueryi --config_path=/etc/osquery/osquery.conf`. I don't understand what I'm doing wrong.

Ryan
11/14/2019, 8:30 PM
`Exception making HTTP request to URL (http://169.254.169.254/latest/meta-data/iam/security-credentials): Invalid URL`

Chris B
11/14/2019, 11:14 PM

Austin Burnett
11/15/2019, 4:05 PM
`--events_expiry` to the frequency of that query (or `1`, but in this case we might have multiple queries pulling from `process_events`)?

David Payne
11/15/2019, 7:50 PM

vaar
11/17/2019, 3:43 PM

Jams
11/18/2019, 6:55 PM
`osquery_info` & `osquery_flags` JSON. However, I'm not seeing the POST to `$ENDPOINT/[DISTRIBUTED-WRITE]`. How can I debug this further?