Hi all I ve got a quick question about what exactly is captu osquery #general

Hi all! I’ve got a quick question about what exact...

Franklin Pezzuti Dyer

07/27/2023, 1:34 AM

Hi all! I’ve got a quick question about what exactly is captured in the

socket_events

table. I’m running osqueryi on MacOS with admin privileges and the following command-line options:

Copy code

--audit_allow_config=true 
--audit_allow_sockets=true 
--disable_audit=false 
--events_expiry=100 
--events_max=50000 
--logger_plugin=filesystem  
--disable_events=false

When I select

distinct path

from

socket_events

, I see a handful of processes (Spotify, Spotify Helper, Slack Helper, Mail, give or take one or two others) undergoing socket events. But in the Activity Monitor of my Mac, I’m seeing several other apps (most notable Safari) with plenty of network activity. Can you think of any reason why these processes’ socket activity wouldn’t appear in the

socket_events

table?

Stefano Bonicatti

07/27/2023, 10:55 AM

Hello! The implementation for the table is here: https://github.com/osquery/osquery/blob/4a51894db77510df21a1e4cc2d9a80f900251591/osquery/tables/events/darwin/socket_events.cpp As you can see it only shows

AUE_CONNECT

and

AUE_BIND

events, so only on new connections or servers preparing to listen on a port.

Stefano Bonicatti

07/27/2023, 10:57 AM

This is normally because the other events would be really too chatty (send and recv for instance); the activity monitor though shows activity from those too.

Franklin Pezzuti Dyer

07/27/2023, 5:37 PM

I see - thanks!

2 Views

Open in Slack

Previous Next