  • Divya
    5 months ago
    Hi, is there a query I can use to list all the externally open sockets along with the processes using them?
  • koo
    5 months ago
    Hey Divya. Mind elaborating a bit on what ‘externally open sockets’ mean to you?
  • Divya
    5 months ago
    A port which can be accessed from outside the host.
  • seph
    5 months ago
    Are you looking for the process_open_sockets table? https://osquery.io/schema/5.0.1#process_open_sockets
  • Divya
    5 months ago
    I am looking for the output of
    netstat -ntlp | grep -vEe "\s+127[.]|::1"

    This command gives me only 15 ports, while the tables listening_ports or process_open_sockets give me 106 entries.
  • seph
    5 months ago
    Well that's interesting. What's an example missing one? Are you running osquery as root?
  • Divya
    5 months ago
    Yes, I am running osquery as root.
    Here is the output of the netstat command for me:
    netstat -ntlp | grep -vEe "\s+127[.]|::1"
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:3943            0.0.0.0:*               LISTEN      12080/nginx: master
    tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      984/sshd
    tcp        0      0 0.0.0.0:6002            0.0.0.0:*               LISTEN      2414/X
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2796/sshd
    tcp        0      0 0.0.0.0:3939            0.0.0.0:*               LISTEN      12080/nginx: master
    tcp        0      0 0.0.0.0:3940            0.0.0.0:*               LISTEN      12080/nginx: master
    tcp        0      0 0.0.0.0:3942            0.0.0.0:*               LISTEN      12080/nginx: master
    tcp6       0      0 :::3944                 :::*                    LISTEN      12027/till-discover
    tcp6       0      0 :::31337                :::*                    LISTEN      7746/docker-proxy
    tcp6       0      0 :::2222                 :::*                    LISTEN      984/sshd
    tcp6       0      0 :::6002                 :::*                    LISTEN      2414/X
    tcp6       0      0 :::22                   :::*                    LISTEN      2796/sshd
    tcp6       0      0 :::8087                 :::*                    LISTEN      7498/docker-proxy
    tcp6       0      0 :::8888                 :::*                    LISTEN      27851/docker-proxy
    tcp6       0      0 :::9369                 :::*                    LISTEN      12051/pushprox-clie
    tcp6       0      0 :::8093                 :::*                    LISTEN      10615/docker-proxy
    tcp6       0      0 :::8095                 :::*                    LISTEN      15096/docker-proxy
    tcp6       0      0 :::3941                 :::*                    LISTEN      12066/prometheus

    But when I fire the query
    select distinct port from listening_ports where address='0.0.0.0' and protocol=6;
    I see 106 ports. An example is port 3000. I am wondering if it is blocked at the iptables level, and whether there is a way I can filter using that table.
  • seph
    5 months ago
    Those should both be using the same underlying API. I'm surprised if they're different. But it's not clear to me if your various options and filters are the same.
    I think you should identify one discrepancy, and then understand it.
    osquery can read the iptables rules, but correlating is likely difficult.
    osquery is not doing anything like sending TCP probes.
  • Divya
    5 months ago
    Here is a sample response: 2222 is an open port while 6127 is not. I see no difference in the entries for the two of them:
    osquery> select * from listening_ports where port=2222;
    +-----+------+----------+--------+---------+----+--------+------+---------------+
    | pid | port | protocol | family | address | fd | socket | path | net_namespace |
    +-----+------+----------+--------+---------+----+--------+------+---------------+
    | 971 | 2222 | 6        | 2      | 0.0.0.0 | 3  | 24323  |      | 4026531956    |
    | 971 | 2222 | 6        | 10     | ::      | 4  | 24325  |      | 4026531956    |
    +-----+------+----------+--------+---------+----+--------+------+---------------+
    osquery> select * from listening_ports where port=6127;
    +------+------+----------+--------+-----------+----+--------+------+---------------+
    | pid  | port | protocol | family | address   | fd | socket | path | net_namespace |
    +------+------+----------+--------+-----------+----+--------+------+---------------+
    | 5946 | 6127 | 6        | 2      | 127.0.0.1 | 4  | 56796  |      | 4026531956    |
    | 7186 | 6127 | 6        | 2      | 0.0.0.0   | 19 | 112366 |      | 4026534232    |
    +------+------+----------+--------+-----------+----+--------+------+---------------+
  • seph
    5 months ago
    Does netstat report those differently? Is iptables in the mix?
  • Divya
    5 months ago
    netstat does not consider 6127 an exposed open port. Looks like something else is blocking these. I assumed iptables is the place. Will see if I can dig out something.
  • seph
    5 months ago
    netstat should show the ports regardless of iptables.
    I would expect netstat and osquery to be in agreement.
  • Divya
    5 months ago
    I would be glad if that were the case; it's not.