Title
#general
a

Allen

01/03/2022, 10:33 PM
I’m new to osquery and would like some help. I have two computers that appear to be attempting to send beacons as ICMP queries. They are blocked by the router firewall. The process is attemptin to send the packets to addresses in the same network on a rotating basis. I have the destination ip addresses but finding the originating process escapes me. Can someone show me how to do this. The interval between beacons are sent at approx 1 minute interval. I would have to use the daemon to monitor. Thanks in advance.
zwass

zwass

01/03/2022, 11:11 PM
If the connection is not persistent, you'd want to use the socket_events table (or
bpf_socket_events
on Linux). https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ may help.
t

Tor Houghton

01/04/2022, 12:45 PM
FWIW, I've not found a definite way to pinpoint ICMP messages using bpf_socket_events (e.g. ping appears to use type 2 (SOCK_DGRAM), while nmap uses type 3 (SOCK_RAW)). Both are listed with protocol = 0, though. Maybe that can narrow it down enough, especially if you know the destination IP.
zwass

zwass

01/04/2022, 5:33 PM
@alessandrogario may have some ideas on this
a

alessandrogario

01/04/2022, 5:42 PM
it really depends on how the socket is opened; we are currently not monitoring the socket() syscall so some operations may later decide to use AF_UNSPEC and we have to attempt to guess the sockaddr structure
5:42 PM
we also don't currently support non-blocking sockets (but we do with Audit)
5:42 PM
it's something we are going to fix though