groob
theopolis
2.11.0, will be at 3.2.4 in several minutes
clippy
05/09/2018, 3:42 AM
kyle
05/10/2018, 10:06 AM
rule hello:world {
meta:
author = "kyle"
description = "an example rule for nNipsx"
reference = "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069"
strings:
$h1 = "Hello"
$w1 = "World"
condition:
all of them
}
harveywells
05/11/2018, 4:22 PM
marpaia
05/11/2018, 4:37 PM
5twenty9
05/14/2018, 11:18 AM
David Rojas
05/14/2018, 4:43 PM
clong
05/14/2018, 8:23 PM
No, this means that all events will expire when the table is queried
What happens if it never gets queried? Would it just hold events until events_max got reached?
clong
05/14/2018, 8:25 PM
events only expire when the table is queried
Do events which are considered “expired” get logged to results?
Isaac
05/14/2018, 9:28 PM
We can't seem to find a happy place where we can exclude specific directories/files and get a guaranteed output of events to be logged based on the 120 second interval set up in the FIM conf.
We have a lot of very active and/or large files (10+GB) coming in and out, and osquery seems to be lagging when trying to analyze the files at service start. The behavior we are seeing is that the FIM query never gets executed or is not reliable as to when it may report back.
Please let me know if there is a better way to report this type of stuff. I'll be happy to go deep into details if needed.
clong
05/14/2018, 10:35 PM
pirxthepilot
05/17/2018, 6:28 PM
setuid_bin table also show setgid binaries?
JCL
05/21/2018, 12:20 PM
clippy
05/22/2018, 8:52 PM
Mustafa
05/23/2018, 9:04 PM
Kenneth Van Mele
05/25/2018, 10:37 AM
Thrift message: TPipe ::GetOverlappedResult errored GLE=errno = 109 and Thrift message: TConnectedClient died: TPipe: GetOverlappedResult failed. I tried removing osquery.results.log and then I get Thrift message: TPipe::open ::CreateFile errored GLE=errno = 2 again. Linux is fine.
shed7
05/29/2018, 4:09 PM
steffen
06/14/2018, 8:12 AM
Mustafa
05/30/2018, 8:12 AM
Srikanth Suresh
05/30/2018, 9:57 AM
jkriss
05/30/2018, 8:39 PM
vaar
05/31/2018, 11:23 AM
rmcvey
06/03/2018, 1:59 AM
marpaia
06/04/2018, 5:36 PM
Mustafa
06/05/2018, 10:30 AM
marpaia
06/05/2018, 8:07 PM
groob
fmanco
06/07/2018, 12:34 AM