Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
theopolis
05/01/2017, 3:40 PMHey @mathias, I'm happy to review and help-- interactive reverse shells/tunnels, large exfil, media type + extension mismatch + active thereafter, NACL variants + iptables/filter state, file extended attributes and where_from fields
m
mathias
05/15/2017, 3:22 PMtheopolis:
Regarding your proposed scenarios:
* NACL variants + iptables/filter state: What do you mean here? I use Bro to detect the NACL variant used by an app, but for what purpose do I need the iptables/filter state here?
* file extended attributes and where_from: the intention would be to see where the files that are executed are coming from?
* Large Exfiltration: Why do I need a combination of Bro and osquery to detect this? Wouldn't be Bro already enough?