socket_events can't get data when it left join pro...
# general
u
socket_events can't get data when it left joins process_events. I encountered strange things. I record some of my computer's info with socket_events and process_events. Here is my SQL.
```sql
select * from process_events;
select socket_events.*, process_events.cmdline, process_events.cwd, process_events.pid as pepid
from socket_events left join process_events on socket_events.pid = process_events.pid;
```
but I found that the `cmdline`, `cwd`, `pepid` are all empty in `socket_events`. For example:
```
cmd:  curl <https://osquery.io>

"name": "process_events",
"@version": "1",
"columns": {
  "parent": "21451",
  "cwd": "\"/root\"",
  "btime": "0",
  "auid": "1001",
  "egid": "0",
  "atime": "1448209686",
  "owner_gid": "0",
  "owner_uid": "0",
  "path": "/usr/bin/curl",
  "cmdline": "curl <https://osquery.io>",
  "gid": "0",
  "pid": "21923",
  "ctime": "1461222192",
  "time": "1543840554",
  "uptime": "28088276",
  "mode": "0100755",
  "mtime": "1448209686",
  "uid": "0",
  "euid": "0"
},

"name": "socket_events",
"@version": "1",
"columns": {
  "pepid": "",
  "local_port": "0",
  "cwd": "",
  "status": "unknown",
  "auid": "1001",
  "path": "/usr/bin/curl",
  "action": "connect",
  "cmdline": "",
  "family": "2",
  "fd": "3",
  "pid": "21923",
  "local_address": "",
  "remote_port": "443",
  "time": "1543840554",
  "uptime": "28088276",
  "remote_address": "54.193.126.242"
},
```
As you can see, the `socket_events` row has the same pid as the `process_events` row, but the `cwd`, `cmdline`, `pepid` are all empty in the `socket_events` table. It is very strange. This scenario has happened on all my 10 hosts.
Has anyone encountered this?
p
Sorry, I have not come across this. It's not a query we use. From your description, it looks like a bug in osquery.
The FB team is working on the build changes in the 'experimental' branch, which may explain the lack of response on this and other tickets. Expect a bit of a delay before any fix is realized.
u
OK, it seems that I must wait. Do you have any clue what the root cause is? I think maybe the problem is the SQLite parser, but I can't find the SQLite parser code in osquery.
@packetzero
p
I haven't had time to look. If you haven't filed an issue for this on github, I recommend you do so.
BTW, if you did not specify events_optimize=false in your config, give it a try and see if results are different. By default, events_optimize=true, which may result in queries being changed internally. Worth a try.
u
`events_optimize=false` is useless.
s
Hey @钢铁侠, for your security-related activities, are you able to parse the Windows events source, or are just the Windows event IDs enough to address your needs?
My reasoning is that the source provides further information, but at least for lateral movement detection the event IDs should be sufficient.
u
We just use osquery to record the Linux info. But if we can join socket_events and process_events with pid, we can have the full info about one process. So we need left join.
What I want to know is: is the left join not being effective a bug in osquery? Or does osquery not support this function?
Has anybody come across this? It has been five days since I opened the issue.