
Eoin Miller

02/13/2020, 12:41 AM
Ran into something that may be worth review. The inability to hash a file with md5/sha1/sha256 doesn't throw a line to stderr, but ssdeep appears to do that.
users-Mac:~ user$ sudo osqueryi 'SELECT * FROM hash WHERE path = "/private/var/db/dslocal/nodes/Default/sqlindex"' --json
W0212 16:33:37.699832 448591296 hash.cpp:195] ssdeep failed: /private/var/db/dslocal/nodes/Default/sqlindex
[
  {"directory":"/private/var/db/dslocal/nodes/Default","md5":"","path":"/private/var/db/dslocal/nodes/Default/sqlindex","sha1":"","sha256":"","ssdeep":"-1"}
]
Returning a -1 and putting that to the ssdeep value instead of an empty string also seems out of the ordinary. https://github.com/osquery/osquery/blob/master/osquery/tables/system/hash.cpp#L194-L196

theopolis

02/13/2020, 2:43 PM
Can you open a GitHub issue for this so we can fix it? I think the columns should be consistent.

Eoin Miller

02/13/2020, 8:25 PM
Will do!