could anyone help to explain what behavior occurs ...
# generalw
wennan.he
03/20/2024, 10:57 PMcould anyone help to explain what behavior occurs behind the query of "select * from routes where destination = '0.0.0.0'"? we are suffering from the issue when we are running it in osqueryi and it just stuck, even worse it will bring down the agent.
wennan.he
03/20/2024, 11:10 PMis there any action behind this query osquery will take to reach sth remotely?
s
Stefano Bonicatti
03/20/2024, 11:50 PMIs this on Linux? If the agent is brought down there's a crash; it would be useful to get a stack trace via gdb (or a core dump).
As for the table itself (if on Linux), it queries the kernel via a Netlink socket, getting how the routes are set up, but it's not communicating remotely with anything.
w
wennan.he
03/20/2024, 11:54 PMyes
wennan.he
03/20/2024, 11:55 PMthe agent is alive, but we lost it from server
wennan.he
03/20/2024, 11:56 PMok i know basically how it works. thank you for explaining.
s
Stefano Bonicatti
03/20/2024, 11:57 PMI see, still sounds like a bug; can't say right away but although it's using
pollStefano Bonicatti
03/20/2024, 11:57 PMI mean if you see this happening often and you can correlate it with querying that table, I would ask to open an issue
w
wennan.he
03/21/2024, 12:01 AMi saw osquery has a patch fixed some issue similar, i will try that patch first to see whether it can work. if not, i will come back to you. ty
j
John Speno
03/21/2024, 11:38 AMThere was a known bug fixed quite a while ago that caused this issue. I know it is fixed between 5.5.1 and 5.8.2. 🙂
John Speno
03/21/2024, 1:42 PMYeah, it was this one https://github.com/osquery/osquery/issues/5276
2 Views