Title
#general
s

slevchenko

10/19/2022, 11:58 AM
Hi everyone. Can someone advise me what can be wrong with this queue is not detecting nc(netcat) connections to external IP addresses? My goal is to get IP and SHA256 of a
/proc/${PID/exe}
belongs to corresponding process
SELECT DISTINCT processes.path, (SELECT sha256 FROM hash WHERE path = concat('/proc/', socket.pid, '/exe')) AS sha256, socket.remote_address, socket.remote_port FROM bpf_socket_events socket LEFT JOIN bpf_process_events processes ON socket.pid = processes.pid WHERE socket.remote_port NOT IN (0, 443, 993, 4172, 4195) AND socket.remote_address NOT LIKE '127.0.%.%';
s

seph

10/19/2022, 12:42 PM
Is the
nc
process short lived?
s

slevchenko

10/19/2022, 12:52 PM
For tests I'm setting up listener on remote machine
nc -l 8983
12:53 PM
And then I'm trying to connect from local one
nc -v 8983 <http://XXX.XXX.XXX.XXX|XXX.XXX.XXX.XXX>
s

seph

10/19/2022, 12:54 PM
Sounds like it’s not short lived then?
12:55 PM
I’m not really sure, but I’m asking more details,
s

slevchenko

10/19/2022, 12:55 PM
Final goal is to detect malware on early bootstrap phases when potential malware tries to contact C2 point, or download site
12:58 PM
that's why I'm trying to simulate this behavior with nc get sha256 from process procfs handle and ipaddress.
12:59 PM
If there's any better way to do this, I would gladly use it
3:15 PM
@seph Hi. Is there any reason why query can work in
osqueryi
but not from config ? Query always rerturns non-empty result when executed interactively, but never appears in results file if executed by daemon
s

seph

10/19/2022, 3:15 PM
Not that I can think of.
3:16 PM
The thing I was asking about short lived earlier — if the query executes when nc isn’t running, obviously you won’t see it. I don’t know if you’d want to look at the process_events table instead
s

slevchenko

10/19/2022, 3:23 PM
I'm trying to write a logger_extension which reacts on presence of certain columns in query string. If logger finds sha256 or IP it sends them to certain rest API.
s

seph

10/19/2022, 3:24 PM
Sounds interesting, but unrelated to the thing you’re asking about
s

slevchenko

10/19/2022, 3:25 PM
As of now I'm seeking a way to debug my extension, to understand what extension actually gets. @seph Do you know if I can somehow check what comes from osquery to my extension ?
s

seph

10/19/2022, 3:25 PM
(Depending, you could also switch off the query name)
3:26 PM
mmmm, I’m not sure what simple debug routes there are. I don’t know that you can use a logger from osqueryi. When I do this, I add a bunch of printf or logging to my extension, and debug via that.
s

slevchenko

10/19/2022, 3:27 PM
Sorry if I've consfused you. It's directly related. So I've wrote an extension which is being registered as a logger, once it up I'm trying to establish test connections to external host Amazon AWS machine, and then checking if my extension detects it. The result is negative I can't see nc connection not in results file nor in osqueryi.
3:29 PM
But my query detects bunch of ther things like browser connections, and messenger connections via
osqueryi
while extension registered such test connection only once or twice
s

seph

10/19/2022, 3:30 PM
You started this discussion how you’re not seeing results in your logs. Are you sending those logs to a file? That seems weird. I’d debug the query and the behavior using plain osquery. Separately, you’re talking about a logging extension that does some clever routing. This is pretty cool! But feels separate to debug. Does your query work? Does it produce the logs you expect locally? And does your extension work as expected? These should not be coupled.
s

slevchenko

10/19/2022, 3:30 PM
That's why I'm searching for ways to hook up into data osquery <-> extension interaction, and check what's actually happens
s

seph

10/19/2022, 3:31 PM
1. You can have osquery log to the filesystem and your extension. 2. Use printf or other logging from the extension. (I find it easiest to log to a file)
s

slevchenko

10/19/2022, 3:32 PM
Yes. I did
logger_plugin="threat_logger,filesystem"
and it works
3:33 PM
My issue is, my query detects bunch of my laptop connections, but not my test connection
3:33 PM
while extension detects nothing at all
3:34 PM
completelly nothing
s

seph

10/19/2022, 3:34 PM
Which should be totally unrelated to your extension, right?
3:35 PM
And thus question about process length, and whether you should be using the evented tables
s

slevchenko

10/19/2022, 3:35 PM
Yes. So first of all I;m trying to understand what's wrong with query or my test approach. Maybe nc is wrong tool for this test
s

seph

10/19/2022, 3:36 PM
Though I guess
bpf_socket_events
is evented
3:36 PM
nc should be fine. I’m not sure. Query doesn’t look wrong
s

slevchenko

10/19/2022, 3:37 PM
Since malware tends to hide itself ASAP, I hoped to detect short living connections at bootstrap stages.
3:37 PM
Was I wrong assuming that's possible ?
3:39 PM
That's what puzzles me too, query registers DNS requests, NTP requests, which also have to be pretty short living
s

seph

10/19/2022, 3:39 PM
I think you’re correct — you’re using the bpf events. So I’m puzzled why it’s not working
s

slevchenko

10/19/2022, 3:40 PM
More than that I;ve conducted like a dozen of tests, and twice my test connection was registered... which blew my mind.
3:41 PM
I even have this query result in
osqueryd.results.log
s

seph

10/19/2022, 3:42 PM
A couple of places to investigate… If you make it simpler, just the
bpf_socket_events
is it reliable? I wonder if that subselect is being weird.
s

slevchenko

10/19/2022, 3:50 PM
1130:2022/10/19 11:48:25 string: {"name":"pack_osquery-process-ioc_process_unknown_outbound_connection","hostIdentifier":"HP-Spectre-x360-Convertible-13-aw0xxx","calendarTime":"Wed Oct 19 08:48:25 2022 UTC","unixTime":1666169305,"epoch":0,"counter":0,"numerics":false,"columns":{"path":"","remote_address":"<http://XXX.XXX.XXX.XXX|XXX.XXX.XXX.XXX>","remote_port":"53","sha256":"1a2b9a41d835898601a4778921c2504ab2e74f1cd76a4c48fcfda43[REDATED]"},"action":"added"}
2022/10/19 11:48:27 INFO: VirusTotal client API sucessfully created with daily request limit:  500
2022/10/19 11:48:27 ERROR: Unable to canonicalize url
2022/10/19 11:49:00 deregistering extension: write unix @->/var/osquery/osquery.em: write: broken pipe
3:51 PM
This is actual case when it worked as expected
s

seph

10/19/2022, 3:53 PM
Those last couple lines seem notable:
2022/10/19 11:48:27 ERROR: Unable to canonicalize url
2022/10/19 11:49:00 deregistering extension: write unix @->/var/osquery/osquery.em: write: broken pipe
s

slevchenko

10/19/2022, 3:54 PM
@seph Yes they are but I don't know how to interpret them
s

seph

10/19/2022, 3:54 PM
Sounds like maybe your extension crashed
s

slevchenko

10/19/2022, 3:55 PM
In particular I don't know how to investigate which url it tried to canonicalize, or why socket was closed
3:56 PM
maybe so. Are there any examples of how multi-result json strings look like ?
s

seph

10/19/2022, 3:56 PM
I can’t dig too much into this. I would recommend adding debugging to your extension. Via whatever means you like
s

slevchenko

10/19/2022, 3:58 PM
Are there any examples of multi-row json strings ? I mean cases when query returns more then one result
3:59 PM
Anyway, thanks for your time.
s

seph

10/19/2022, 4:01 PM
I’d dig through the go code for the object definitions. Or add a printf to the extension
s

slevchenko

10/19/2022, 4:02 PM
thank you very much