Hi everyone. Is this possible to use some sort of ...
# generals
slevchenko
01/31/2023, 1:38 PMHi everyone. Is this possible to use some sort of library (preferably Go based) to connect to socket and read results? I'm trying to figure out if it's possible to get rid of additional steps required to build and configure plugin.
s
sharvil
01/31/2023, 3:26 PMs
slevchenko
01/31/2023, 3:49 PMThanks, but I'm trying to figure out if there's such possibility from Osquery API side.
s
seph
01/31/2023, 4:54 PM
Yes, the osquery API supports that, as does the go sdk
seph
01/31/2023, 4:56 PM
Coincidentally, I just wrote this into a stack overflow answer. https://stackoverflow.com/questions/75207924/how-to-fetch-information-from-process-events-and-file-events-tables-from-osquery/75210749#75210749
s
slevchenko
01/31/2023, 4:56 PM@seph: So if I'll connect to a socket, I'll be able to read result strings ?
s
seph
01/31/2023, 4:58 PM
Sorta — I don’t think you can query the results of a scheduled query. That’s the domain of logging plugins.
But you can run ad hoc queries and get responses over the socket. See https://pkg.go.dev/github.com/osquery/osquery-go?#ExtensionManagerClient
s
slevchenko
01/31/2023, 4:59 PMUnderstood, unfortunately I need scheduled queries results
s
seph
01/31/2023, 4:59 PM
I don’t think the socket helps you.
seph
01/31/2023, 4:59 PM
Use a logging plugin, Write to the filesystem and read it. Or write to some other kind of data store
s
slevchenko
01/31/2023, 5:00 PMYeah, looks like I'll have to stay with plugin, plugin I wrote, until proper DNSevents table appear
slevchenko
01/31/2023, 5:01 PMLogger plugin I wrote works, but I was worried that at some point compatibility will break so I've started to think about alternatives
slevchenko
01/31/2023, 5:01 PMBut thanks for help.
slevchenko
01/31/2023, 5:02 PMI hope some time BPFbased DNSevents table for linux will be added, and I'll just replace all my stuff with something out of the box
s
seph
01/31/2023, 5:03 PM
I don’t think osquery has plans on changing anything in the logging plugin stuff. At least not at the socket level.
s
slevchenko
01/31/2023, 5:04 PMit's not the socket or logging I need the most, I'm tracking DNS events through my stuff and using osquery to match it against process and socket events
slevchenko
01/31/2023, 5:05 PMOnce\if DNSevents table will be added 90% of what I'm using now will not be needed
slevchenko
01/31/2023, 5:06 PManyway thanks again
s
seph
01/31/2023, 5:08 PM
ah
seph
01/31/2023, 5:08 PM
And I’m not sure osquery supports events through plugins, otherwise I’d suggest that direction. 😐
s
slevchenko
01/31/2023, 5:09 PMAlthough I'm calling it events. I just mean DNS Questions\Answers monitoring
slevchenko
01/31/2023, 5:09 PMAre there any plans regarding that ?
s
seph
01/31/2023, 5:10 PM
I’d end up writing that as a custom table in a plugin, and keeping all the correlation logic in osquery. But I have some bias, so if what you have works it may not be worth change.
seph
01/31/2023, 5:11 PM
There’s been discussion of how to add dns events using the bpf framework. I don’t remember where we landed
s
slevchenko
01/31/2023, 5:11 PMAlessandro had some PoC back in like 2019 or 2020, and that's all
s
seph
01/31/2023, 5:11 PM
Yes. Alessandro has been generally doing a lot of BPF work. The underlying libraries are totally different now. But more expandable.
seph
01/31/2023, 5:12 PM
We’ve talked about whether we should allow site configurable BPF driven tables. Or publish a dns events one.
s
slevchenko
01/31/2023, 5:22 PMEither of these would be great