# general

Hi everyone. Can someone advise me what can be wrong with this query? It is not detecting nc (netcat) connections to external IP addresses. My goal is to get the IP and the SHA256 of `/proc/${PID}/exe` belonging to the corresponding process.

```sql
SELECT DISTINCT
  processes.path,
  (SELECT sha256 FROM hash WHERE path = concat('/proc/', socket.pid, '/exe')) AS sha256,
  socket.remote_address,
  socket.remote_port
FROM bpf_socket_events socket
LEFT JOIN bpf_process_events processes ON socket.pid = processes.pid
WHERE socket.remote_port NOT IN (0, 443, 993, 4172, 4195)
  AND socket.remote_address NOT LIKE '127.0.%.%';
```

Is the `nc` process short lived?

For tests I'm setting up a listener on the remote machine:

```shell
nc -l 8983
```

And then I'm trying to connect from the local one:

```shell
nc -v 8983 XXX.XXX.XXX.XXX
```

Sounds like it’s not short lived then?
I’m not really sure, but I’m asking for more details.

The final goal is to detect malware in early bootstrap phases, when potential malware tries to contact a C2 point or a download site.
That's why I'm trying to simulate this behavior with nc and get the sha256 from the process procfs handle and the IP address.
If there's any better way to do this, I would gladly use it.
@seph Hi. Is there any reason why a query can work in `osqueryi` but not from the config? The query always returns a non-empty result when executed interactively, but never appears in the results file when executed by the daemon.

Not that I can think of.
The thing I was asking about short lived earlier — if the query executes when nc isn’t running, obviously you won’t see it. I don’t know if you’d want to look at the `process_events` table instead.

I'm trying to write a logger_extension which reacts to the presence of certain columns in the query string. If the logger finds a sha256 or an IP, it sends them to a certain REST API.

Sounds interesting, but unrelated to the thing you’re asking about.

As of now I'm seeking a way to debug my extension, to understand what the extension actually gets. @seph Do you know if I can somehow check what comes from osquery to my extension?

(Depending, you could also switch off the query name.)
mmmm, I’m not sure what simple debug routes there are. I don’t know that you can use a logger from osqueryi. When I do this, I add a bunch of printf or logging to my extension, and debug via that.

Sorry if I've confused you. It's directly related. So I've written an extension which is registered as a logger; once it's up I'm trying to establish test connections to an external host (an Amazon AWS machine), and then checking if my extension detects it. The result is negative: I can't see the nc connection, neither in the results file nor in osqueryi.
But my query detects a bunch of other things like browser connections and messenger connections via `osqueryi`, while the extension registered such a test connection only once or twice.

You started this discussion with how you’re not seeing results in your logs. Are you sending those logs to a file? That seems weird. I’d debug the query and the behavior using plain osquery. Separately, you’re talking about a logging extension that does some clever routing. This is pretty cool! But it feels separate to debug. Does your query work? Does it produce the logs you expect locally? And does your extension work as expected? These should not be coupled.

That's why I'm searching for ways to hook into the osquery <-> extension data interaction, and check what actually happens.

1. You can have osquery log to the filesystem and your extension.
2. Use printf or other logging from the extension. (I find it easiest to log to a file.)

Yes. I did `logger_plugin="threat_logger,filesystem"` and it works.
My issue is, my query detects a bunch of my laptop connections, but not my test connection,
while the extension detects nothing at all.
Completely nothing.

Which should be totally unrelated to your extension, right?
And thus the question about process length, and whether you should be using the evented tables.

Yes. So first of all I'm trying to understand what's wrong with the query or my test approach. Maybe nc is the wrong tool for this test.

Though I guess `bpf_socket_events` is evented.
nc should be fine. I’m not sure. The query doesn’t look wrong.

Since malware tends to hide itself ASAP, I hoped to detect short-lived connections at bootstrap stages.
Was I wrong assuming that's possible?
That's what puzzles me too: the query registers DNS requests and NTP requests, which also have to be pretty short-lived.

I think you’re correct — you’re using the bpf events. So I’m puzzled why it’s not working.

More than that, I've conducted like a dozen tests, and twice my test connection was registered... which blew my mind.
I even have this query result in `osqueryd.results.log`.

A couple of places to investigate… If you make it simpler, just the `bpf_socket_events`, is it reliable? I wonder if that subselect is being weird.

```
1130:2022/10/19 11:48:25 string: {"name":"pack_osquery-process-ioc_process_unknown_outbound_connection","hostIdentifier":"HP-Spectre-x360-Convertible-13-aw0xxx","calendarTime":"Wed Oct 19 08:48:25 2022 UTC","unixTime":1666169305,"epoch":0,"counter":0,"numerics":false,"columns":{"path":"","remote_address":"XXX.XXX.XXX.XXX","remote_port":"53","sha256":"1a2b9a41d835898601a4778921c2504ab2e74f1cd76a4c48fcfda43[REDATED]"},"action":"added"}
2022/10/19 11:48:27 INFO: VirusTotal client API sucessfully created with daily request limit:  500
2022/10/19 11:48:27 ERROR: Unable to canonicalize url
2022/10/19 11:49:00 deregistering extension: write unix @->/var/osquery/osquery.em: write: broken pipe
```

This is the actual case when it worked as expected.

Those last couple of lines seem notable:

```
2022/10/19 11:48:27 ERROR: Unable to canonicalize url
2022/10/19 11:49:00 deregistering extension: write unix @->/var/osquery/osquery.em: write: broken pipe
```

@seph Yes, they are, but I don't know how to interpret them.

Sounds like maybe your extension crashed.

In particular, I don't know how to investigate which URL it tried to canonicalize, or why the socket was closed.
Maybe so. Are there any examples of how multi-result JSON strings look?

I can’t dig too much into this. I would recommend adding debugging to your extension, via whatever means you like.

Are there any examples of multi-row JSON strings? I mean cases when the query returns more than one result.
Anyway, thanks for your time.

I’d dig through the Go code for the object definitions. Or add a printf to the extension.

Thank you very much.