[Bro] bro-osquery - socket_events
Neslog
neslog at gmail.com
Mon Sep 10 08:25:22 PDT 2018
Hello all -
I'm looking at gathering host processes that make connections to the
network/internet. When trying out bro-osquery I'm getting the following
error.
1536590781.935421 error: Bad IP address: fe80::b22f:47fa:b41f:7ce8%em1
1536590781.935421 error: Bad IP address: fe80::b22f:47fa:b41f:7ce8%em1
Here is my script:
event host_socket_event(resultInfo: osquery::ResultInfo, action: string,
    pid: int, path: string, family: int, protocol: int, local_address: string,
    remote_address: string, local_port: int, remote_port: int, start_time: int,
    success: int)
    {
    print "host_socket_event";
    }
When looking at socket_events table I'm not seeing any data. I am
receiving the following error from auditd.
I0910 10:57:12.063364 1615 auditdnetlink.cpp:613] Failed to set the
netlink owner
I0910 10:57:17.063714 1615 auditdnetlink.cpp:613] Failed to set the
netlink owner
That is what I'm seeing while trying to run osqueryi.
Has anyone run into this before? Looks like there's an open ticket
from the iBigQ guys stating that they cannot upgrade their version of
OSQuery yet.
https://github.com/facebook/osquery/issues/4145
N
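The "Bad IP address" error above is what to_addr() prints when it is handed an IPv6 link-local address carrying a zone index (the "%em1" suffix that osquery's socket_events table reports for interface-scoped addresses). The following Bro script is an added example, not code from the original post or from the bro-osquery project: it strips the zone index and validates the string before conversion, then skips link-local remotes so only routable connections are reported. The host_socket_event signature is the one shown in the post; the module name OsqueryAddr, the helper to_addr_lenient and the unknown placeholder address are assumptions made for this example.

```zeek
##! Added example: tolerate osquery's "addr%iface" strings in socket_events.
##! Assumes the host_socket_event signature from the bro-osquery thread.

module OsqueryAddr;

export {
    ## Placeholder returned when osquery hands us something that is not an
    ## IP address (e.g. an empty string for a socket with no remote endpoint).
    ## Assumed name; pick whatever sentinel suits your site.
    const unknown: addr = 0.0.0.0 &redef;

    ## Strip a trailing IPv6 zone index ("%em1") and return a usable addr.
    global to_addr_lenient: function(s: string): addr;
}

function to_addr_lenient(s: string): addr
    {
    # "fe80::1%em1" -> ["fe80::1", "em1"]; a plain address yields one element.
    local parts = split_string1(s, /%/);
    local bare = parts[0];

    # Never call to_addr() on an unvalidated string: it logs the
    # "Bad IP address" error seen in the thread instead of failing cleanly.
    if ( ! is_valid_ip(bare) )
        return unknown;

    return to_addr(bare);
    }

event host_socket_event(resultInfo: osquery::ResultInfo, action: string,
    pid: int, path: string, family: int, protocol: int, local_address: string,
    remote_address: string, local_port: int, remote_port: int, start_time: int,
    success: int)
    {
    local laddr = to_addr_lenient(local_address);
    local raddr = to_addr_lenient(remote_address);

    # No usable remote endpoint (listening sockets, unparsable rows): skip.
    if ( raddr == unknown )
        return;

    # Link-local traffic (IPv4 169.254/16, IPv6 fe80::/10) stays on the
    # local segment and is rarely worth a connection record; drop it here.
    if ( raddr in 169.254.0.0/16 || raddr in [fe80::]/10 )
        return;

    print fmt("pid %d (%s) %s %s:%d -> %s:%d",
              pid, path, action, laddr, local_port, raddr, remote_port);
    }
```

Load this in place of the one-line handler from the post; once to_addr() is only ever given validated, zone-free strings the error disappears, and the zone index itself can be kept from parts[1] if the interface name is wanted in the log.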