Zach Zeid
06/02/2020, 2:54 PM
osquery> select distinct lp.pid, p.name, lp.port, lp.protocol, lp.family from listening_ports lp cross join processes p where lp.family <> '' and lp.port > 0 and lp.port not in ("80", "443");
looking at getting process name for anything in listening_ports
that's not 80 or 443?
fritz
06/02/2020, 3:12 PM
osquery> select COUNT(*) from listening_ports lp cross join processes p where lp.family <> '' and lp.port > 0 and lp.port not in ("80", "443");
+----------+
| COUNT(*) |
+----------+
| 58968    |
+----------+
osquery> select COUNT(*) from listening_ports;
+----------+
| COUNT(*) |
+----------+
| 955      |
+----------+
osquery> select COUNT(*) from processes;
+----------+
| COUNT(*) |
+----------+
| 758      |
+----------+
osquery> select COUNT(*) from listening_ports, processes USING (pid);
+----------+
| COUNT(*) |
+----------+
| 956      |
+----------+
Zach Zeid
06/02/2020, 3:14 PM
osquery> select * from listening_ports lp join processes using (pid) where lp.pid = processes.pid;
As it only returns the osqueryd processes.
sudo osqueryi
osquery> SELECT processes.pid, processes.name, address, port FROM listening_ports LEFT JOIN processes ON processes.pid = listening_ports.pid WHERE address <> '' AND port <> 443;