# general
w
Quick hack to get the external IP of an endpoint:
select result from curl where url = 'http://ipaddr.io';
z
Nice! I took a similar concept with https://dactiv.llc/blog/locate-assets-with-osquery/.
w
Ah that's much better 🙂 Good to learn about JSON_EXTRACT too
z
Yeah, JSON parsing in SQLite is very handy, though it can get quite verbose.
t
Just a heads up: if your employees run Little Snitch, it will show osquery communicating with this domain and might raise questions.
g
Longer-term solution, if you have a TLS server, is to take it from the inbound connection.
a
I'd also think sending this across country boundaries to public services you don't own could get you into privacy issues; your Acceptable Use Policy may or may not cover you for that case, even as an employer.
d
Also, your network security monitoring team will probably see alerts generated, as public IP checks are really common for malware (you'd also get an alert for the curl user agent outbound, etc.).
w
Does osquery send a user agent for the curl table?
r
Hi everyone, how are you? Reviewing this documentation https://fleetdm.com/guides/locate-assets-with-osquery and playing around a bit, I have not been able to get the results shown in the post. The result of the query is that the JSON is badly formatted, but I have no way to format it. Has anyone tried this method, or another one, that returns the geolocation of a device?