Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
slevchenko
01/31/2023, 1:38 PMHi everyone. Is this possible to use some sort of library (preferably Go based) to connect to socket and read results? I'm trying to figure out if it's possible to get rid of additional steps required to build and configure plugin.
s
sharvil
01/31/2023, 3:26 PMs
slevchenko
01/31/2023, 3:49 PMThanks, but I'm trying to figure out if there's such possibility from Osquery API side.
s
seph
01/31/2023, 4:54 PMYes, the osquery API supports that, as does the go sdk
Coincidentally, I just wrote this into a stack overflow answer. https://stackoverflow.com/questions/75207924/how-to-fetch-information-from-process-events-and-file-events-tables-from-osquery/75210749#75210749
s
slevchenko
01/31/2023, 4:56 PM@seph: So if I'll connect to a socket, I'll be able to read result strings ?
s
seph
01/31/2023, 4:58 PMSorta — I don’t think you can query the results of a scheduled query. That’s the domain of logging plugins.
But you can run ad hoc queries and get responses over the socket. See https://pkg.go.dev/github.com/osquery/osquery-go?#ExtensionManagerClient
s
slevchenko
01/31/2023, 4:59 PMUnderstood, unfortunately I need scheduled queries results
s
seph
01/31/2023, 4:59 PMI don’t think the socket helps you.
Use a logging plugin, Write to the filesystem and read it. Or write to some other kind of data store
s
slevchenko
01/31/2023, 5:00 PMYeah, looks like I'll have to stay with plugin, plugin I wrote, until proper DNSevents table appear
Logger plugin I wrote works, but I was worried that at some point compatibility will break so I've started to think about alternatives
But thanks for help.
I hope some time BPFbased DNSevents table for linux will be added, and I'll just replace all my stuff with something out of the box
s
seph
01/31/2023, 5:03 PMI don’t think osquery has plans on changing anything in the logging plugin stuff. At least not at the socket level.
s
slevchenko
01/31/2023, 5:04 PMit's not the socket or logging I need the most, I'm tracking DNS events through my stuff and using osquery to match it against process and socket events
Once\if DNSevents table will be added 90% of what I'm using now will not be needed
anyway thanks again
s
seph
01/31/2023, 5:08 PMah
And I’m not sure osquery supports events through plugins, otherwise I’d suggest that direction. 😐
s
slevchenko
01/31/2023, 5:09 PMAlthough I'm calling it events. I just mean DNS Questions\Answers monitoring
Are there any plans regarding that ?
s
seph
01/31/2023, 5:10 PMI’d end up writing that as a custom table in a plugin, and keeping all the correlation logic in osquery. But I have some bias, so if what you have works it may not be worth change.
There’s been discussion of how to add dns events using the bpf framework. I don’t remember where we landed
s
slevchenko
01/31/2023, 5:11 PMAlessandro had some PoC back in like 2019 or 2020, and that's all
s
seph
01/31/2023, 5:11 PMYes. Alessandro has been generally doing a lot of BPF work. The underlying libraries are totally different now. But more expandable.
We’ve talked about whether we should allow site configurable BPF driven tables. Or publish a dns events one.
s
slevchenko
01/31/2023, 5:22 PMEither of these would be great