#sql - Hi, Is there a query I can use

Home Docs

Join the conversation Join Slack

Channels

d
Divya
5 months ago
Hi, Is there a query I can use to list all the externally open sockets along with processes using them?
k
koo
5 months ago
Hey Divya. Mind elaborating a bit on what ‘externally open sockets’ mean to you?
d
Divya
5 months ago
a port which can be accessed outside the host.
s
seph
5 months ago
Are you looking for the
```
process_open_sockets
```
table? https://osquery.io/schema/5.0.1#process_open_sockets
d
Divya
5 months ago
I am looking for o/p of
```
netstat -ntlp | grep -vEe "\s+127[.]|::1"
```
This command give me only 15 ports, while the tables listening_ports or process_open_sockets give me a 106 entries.
s
seph
5 months ago
Well that's interesting. What's an example missing one? Are you running osquery as root?

Divya

5 months ago

Yes I am running osquery as root.

Here is the o.p of the netstat command for me:

netstat -ntlp | grep -vEe "\s+127[.]|::1"
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3943            0.0.0.0:*               LISTEN      12080/nginx: master
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      984/sshd
tcp        0      0 0.0.0.0:6002            0.0.0.0:*               LISTEN      2414/X
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2796/sshd
tcp        0      0 0.0.0.0:3939            0.0.0.0:*               LISTEN      12080/nginx: master
tcp        0      0 0.0.0.0:3940            0.0.0.0:*               LISTEN      12080/nginx: master
tcp        0      0 0.0.0.0:3942            0.0.0.0:*               LISTEN      12080/nginx: master
tcp6       0      0 :::3944                 :::*                    LISTEN      12027/till-discover
tcp6       0      0 :::31337                :::*                    LISTEN      7746/docker-proxy
tcp6       0      0 :::2222                 :::*                    LISTEN      984/sshd
tcp6       0      0 :::6002                 :::*                    LISTEN      2414/X
tcp6       0      0 :::22                   :::*                    LISTEN      2796/sshd
tcp6       0      0 :::8087                 :::*                    LISTEN      7498/docker-proxy
tcp6       0      0 :::8888                 :::*                    LISTEN      27851/docker-proxy
tcp6       0      0 :::9369                 :::*                    LISTEN      12051/pushprox-clie
tcp6       0      0 :::8093                 :::*                    LISTEN      10615/docker-proxy
tcp6       0      0 :::8095                 :::*                    LISTEN      15096/docker-proxy
tcp6       0      0 :::3941                 :::*                    LISTEN      12066/prometheus

But when I fire a query

select distinct port from listening_ports where address='0.0.0.0' and protocol=6;

I see 106 and ports. An example is port 3000. I am wondering if it is blocked at the iptables level and is there a way I can filter using that table

s
seph
5 months ago
Those should both be using the same underlying api. I'm surprised if they're different. But it's not clear to me if your various options and filters are the same.
I think you should identify one discrepancy, and then understand.
Osquery can read the ip tables rules, but correlating is likely difficult.
Osquery is not doing anything like sending tcp probes.

Divya

5 months ago

Here is a sample response: 2222 is an open port while 6127 is not. I see no difference in the entries for both of them:

osquery> select * from listening_ports where port=2222;
+-----+------+----------+--------+---------+----+--------+------+---------------+
| pid | port | protocol | family | address | fd | socket | path | net_namespace |
+-----+------+----------+--------+---------+----+--------+------+---------------+
| 971 | 2222 | 6        | 2      | 0.0.0.0 | 3  | 24323  |      | 4026531956    |
| 971 | 2222 | 6        | 10     | ::      | 4  | 24325  |      | 4026531956    |
+-----+------+----------+--------+---------+----+--------+------+---------------+
osquery> select * from listening_ports where port=6127;
+------+------+----------+--------+-----------+----+--------+------+---------------+
| pid  | port | protocol | family | address   | fd | socket | path | net_namespace |
+------+------+----------+--------+-----------+----+--------+------+---------------+
| 5946 | 6127 | 6        | 2      | 127.0.0.1 | 4  | 56796  |      | 4026531956    |
| 7186 | 6127 | 6        | 2      | 0.0.0.0   | 19 | 112366 |      | 4026534232    |
+------+------+----------+--------+-----------+----+--------+------+---------------+

s
seph
5 months ago
Does netstat report those differently? Is iptables in the mix?
d
Divya
5 months ago
netstat does not consider 6127 as an exposed open port. Looks like there is someone else blocking these. I assumed iptables is the place. Will see if I can dig out something
s
seph
5 months ago
Netstat should show the ports regardless of ip tables.
I would expect netstat and osquery to be in agreement
d
Divya
5 months ago
I would be glad if that was the case, its not

Join thread in Slack

View count: 5