There are a few key tables that give you access to the socket activity on your computer. First and foremost is the socket_events table, which gives you a complete audit of connections on both Linux and Mac OS as of osquery 4.5.1. This is the most relevant table for tracking network connections to and from the system. Unfortunately, as of 4.5.1 the socket_events table only works on Linux and Mac OS, and it does require some additional configuration, which we'll dive into. If, however, you're looking for a quicker insight into what connections processes are making, then listening_ports and process_open_sockets require no additional configuration and work across all platforms.

There are, however, a few additional command line arguments you need to add in order for the socket_events table to work.

Note (Mac OS): If you're running Mac OS you'll need to ensure that openbsm is correctly configured. Otherwise, you'll get this error:

```
W1115 virtual_table.cpp:967] Table socket_events is event-based but events are disabled
W1115 virtual_table.cpp:974] Please see the table documentation:
```

The family and protocol columns are stored as raw numeric constants (the address family and IP protocol numbers). Armed with these two references we can convert these values on the fly with SQL:

```sql
osquery> SELECT
    (CASE family WHEN 2 THEN 'IP4' WHEN 10 THEN 'IP6' ELSE family END) AS family,
    (CASE protocol WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' ELSE protocol END) AS protocol,
    local_address, local_port, remote_address, remote_port
  FROM process_open_sockets
  WHERE family IN (2, 10) AND protocol IN (6, 17)
  LIMIT 4;
+--------+----------+------------+--------+-------------+--------+
| family | protocol | local_addr | l_port | remote_addr | r_port |
+--------+----------+------------+--------+-------------+--------+
| IP4    | TCP      | 192.168.
```

One caveat: the numeric value of the IPv6 family is OS-specific. 10 is AF_INET6 on Linux, but on Mac OS it is 30, so the query above would silently drop IPv6 sockets there unless you adjust the constant. That is one more reason I'd recommend converting the numbers in code post query rather than in SQL, and keeping them numeric in storage, as storing them numerically will give you better performance for searching and sorting.
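The post-query conversion described above, as an added example that is not part of the original post: the query stays numeric (joined to the processes table so each socket is attributed to a pid and name), and the family/protocol labels are applied in Python with a per-platform AF_INET6 value. The osqueryi invocation, the SAMPLE_ROWS and the process names in them are constructed for illustration; only the decoding runs offline.

```python
"""Decode osquery socket rows after the query instead of inside SQL.

Added example (not from the original post). run_osquery() assumes osqueryi is
on PATH; decode_rows() works offline on the constructed SAMPLE_ROWS below.
"""
import json
import platform
import subprocess

# Keep family/protocol numeric in the query so osquery filters and sorts on
# integers; the human-readable names are added afterwards in decode_rows().
QUERY = """
SELECT p.pid, p.name, s.family, s.protocol,
       s.local_address, s.local_port, s.remote_address, s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.protocol IN (6, 17)
ORDER BY s.family, s.protocol, s.remote_port;
"""

# AF_INET is 2 on every platform, but AF_INET6 is OS-specific: 10 on Linux,
# 30 on macOS, 23 on Windows. A hard-coded 'WHEN 10' in SQL mislabels or drops
# IPv6 sockets on macOS, so the mapping is chosen per platform here instead.
AF_INET6_BY_OS = {"Linux": 10, "Darwin": 30, "Windows": 23}
PROTOCOLS = {6: "TCP", 17: "UDP"}


def family_names(os_name):
    """Return the family-number -> label table for a platform.system() value."""
    return {2: "IP4", AF_INET6_BY_OS[os_name]: "IP6"}


def decode_rows(rows, os_name=None):
    """osqueryi --json emits every column as a string; cast and label each row.

    Unknown family/protocol numbers are kept as their numeric string rather
    than being silently dropped, mirroring the ELSE branch of the SQL CASE.
    """
    os_name = os_name or platform.system()
    families = family_names(os_name)
    decoded = []
    for r in rows:
        family = int(r["family"])
        proto = int(r["protocol"])
        decoded.append({
            "pid": int(r["pid"]),
            "name": r["name"],
            "family": families.get(family, str(family)),
            "protocol": PROTOCOLS.get(proto, str(proto)),
            "local": f'{r["local_address"]}:{r["local_port"]}',
            "remote": f'{r["remote_address"]}:{r["remote_port"]}',
        })
    return decoded


def run_osquery(sql=QUERY):
    """Run the query through osqueryi and return decoded rows (needs osquery installed)."""
    proc = subprocess.run(["osqueryi", "--json", sql],
                          check=True, capture_output=True, text=True)
    return decode_rows(json.loads(proc.stdout))


# Constructed sample rows in the shape osqueryi --json produces (all strings);
# these are illustrative values, not captured output.
SAMPLE_ROWS = [
    {"pid": "1234", "name": "sshd", "family": "2", "protocol": "6",
     "local_address": "192.168.1.10", "local_port": "22",
     "remote_address": "192.168.1.50", "remote_port": "51234"},
    {"pid": "77", "name": "mDNSResponder", "family": "30", "protocol": "17",
     "local_address": "::", "local_port": "5353",
     "remote_address": "", "remote_port": "0"},
]

if __name__ == "__main__":
    # Decode the sample as if it came from a macOS host (AF_INET6 == 30).
    for row in decode_rows(SAMPLE_ROWS, "Darwin"):
        print(row)
```

Decoding the same rows with os_name="Linux" leaves the second row's family as the string "30", which is the visible signal that the constant table did not match the host it was captured on.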