Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
k
K
11/02/2022, 9:53 PMAny idea why I get no column
dataSELECT l.port, group_concat(DISTINCT l.port) AS 'data'
FROM listening_ports AS l
WHERE l.address != "127.0.0.1"z
zwass
11/02/2022, 10:36 PMfwiw I get a bunch of results:
osquery> SELECT l.port, group_concat(DISTINCT l.port) AS 'data'
...> FROM listening_ports AS l
...> WHERE l.address != "127.0.0.1"
...> ;
+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| port | data |
+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 0 | 0,8021,137,138,49154,49155,49156,49157,49158,49159,49160,49161,49162,49163,57088,5353,56647,3722,7000,5000,55285,7579,16587,62912,60499,60538,59334,3308,8412,7003,7002,6379,3307,7004,7005,9000,9001,1025,8025,3306,7001,7006,9080,9090,9443,4566,4571,1337,57621,50853,1900,60351,56723,49738,631 |
+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+a
Aleksandr Maus
11/05/2022, 2:01 PMLooks like it is a defect in the osquerybeat approach specifically. It relies on the column datatype to attempt to convert the resulting data from string into concrete type.
In this case it gets BIGINT as a data type but the value itself is a string of comma separated numbers that can’t be parses into one number
BEFORE RESOLVE TYPES: HITS: []map[string]string{map[string]string{"data":"0,22,137,138,49154,49155,49156,49157,49158,49159,49160,49161,49162,49163,54923,5353,705,984,1023,1022,2049,623,849,1021,1019,111,962,1015,1017,1012,726,688,813,999,996,7000,5000,52547,53846,56430,50635,58907,50055", "port":"0"}}, COLTYPES: map[string]string{"data":"BIGINT", "port":"INTEGER"}@zwass don’t know what is involved on osqueryd side. should osquery report a string/text data type for that column that is returned from the
group_concatIt’s possibly a defect in osquery. For example for this query
SELECT cast(pid as text) text_pid from osquery_infoBEFORE RESOLVE TYPES: HITS: []map[string]string{map[string]string{"text_pid":"5551"}}, COLTYPES: map[string]string{"text_pid":"TEXT"}Should the osquery for the query above with
group_concatthe workaround for this defect for now
SELECT cast(group_concat(DISTINCT port) as text) as data FROM listening_ports