Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey <@U0G92JDS6>, I'm happy to review and help-- interactive reverse shells/tunnels, large exfil, media type + extension mismatch + active thereafter, NACL variants + iptables/filter state, file extended attributes and where_from fields

theopolis: 
Regarding your proposed scenarios: 
* NACL variants + iptables/filter state: What do you mean here? I use Bro to detect the NACL variant used by an app, but for what purpose do I need the iptables/filter state here?
* file extended attributes and where_from: the intention would be to see where the files that are executed are coming from?

* Large Exfiltration: Why do I need a combination of Bro and osquery to detect this? Wouldn't be Bro already enough?

Use this: <https://github.com/blog/2224-change-the-base-branch-of-a-pull-request> to edit the branch from `master` to `bro-integration`.

So basically bro_integration is now a branch of the osquery repo. Is it still linked to the PR? Meaning, does it matter if I push to the PR or work on the bro-integration branch?

I think I got you wrong. So you first want to merge the PR into the `bro-integration` branch. We then can work together further on this branch. And once everything is save, it is merged into master

I'm not sure if it is going to work, since the Zeek Agent calls the table generate() directly

Ah okay well at least we'll have it in osquery core. Maybe Zeek can use the osquery core code once it's there.

Zeek Agent redefines osquery tables in its own sqlite db instance, so I'm not sure how to show non-table stuff outside osquery

Our priority right now is to get it implemented in osquery. Will be nice if Zeek can integrate somehow.

best approach is probaby to implement it directly within Zeek Agent so that it will work with both osquery and built-in tables

FYI, there’s a new community Slack for Zeek,  including a dedicated #zeek-agent channel: <https://zeekorg.slack.com/archives/CT7VDG82F>

<http://zeekorg.slack.com|zeekorg.slack.com>

We posted this yesterday: <https://zeek.org/2020/03/23/announcing-the-zeek-agent>. Many thanks to <@U6EFFT5FG> and Trail of Bits for their great work pulling this together!

Is this a fork of osquery built specifically to integrate with Zeek?

If there's anything that doesn't work with upstream binaries let us know and we'll open an issue :slightly_smiling_face:

yes, helps if i read the artcle first 'Eventually, this process evolved into a clean rewrite to produce an entirely new agent that can operate both in a standalone fashion and with osquery.' :slightly_smiling_face:

I'm definitely intrigued by this. Contextualizing and correlating network log sources is something i'm working on right now.

Is the idea behind this the same as the original bro-osquery project back in the day? Where Zeek can ask the endpoint for host (process/user) data to contextualize network logs? If so that is :fire::fire::fire:

Yes, something like that :slightly_smiling_face: