I’m new to osquery and would like some help. I have two computers that appear to be attempting to send beacons as ICMP queries. They are blocked by the router firewall. The process is attemptin to send the packets to addresses in the same network on a rotating basis. I have the destination ip addresses but finding the originating process escapes me. Can someone show me how to do this. The interval between beacons are sent at approx 1 minute interval. I would have to use the daemon to monitor. Thanks in advance.

If the connection is not persistent, you'd want to use the socket_events table (or

bpf_socket_events

on Linux). https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ may help.

FWIW, I've not found a definite way to pinpoint ICMP messages using bpf_socket_events (e.g. ping appears to use type 2 (SOCK_DGRAM), while nmap uses type 3 (SOCK_RAW)). Both are listed with protocol = 0, though. Maybe that can narrow it down enough, especially if you know the destination IP.

@alessandrogario may have some ideas on this

it really depends on how the socket is opened; we are currently not monitoring the socket() syscall so some operations may later decide to use AF_UNSPEC and we have to attempt to guess the sockaddr structure