slevchenko
12/02/2021, 5:08 PM
seph
slevchenko
12/03/2021, 10:14 AM
fritz
12/03/2021, 2:01 PM
NOT LIKE... AND NOT LIKE... AND NOT LIKE
slevchenko
12/03/2021, 2:02 PM
fritz
12/03/2021, 2:03 PM
slevchenko
12/03/2021, 2:03 PM
NOT IN table_name
but that works either with existing tables, or extensions
seph
slevchenko
12/03/2021, 2:04 PM
fritz
12/03/2021, 2:05 PM
slevchenko
12/03/2021, 2:06 PM
seph
slevchenko
12/03/2021, 2:06 PM
fritz
12/03/2021, 2:06 PM
slevchenko
12/03/2021, 2:09 PM
fritz
12/03/2021, 2:10 PM
slevchenko
12/03/2021, 2:12 PM
fritz
12/03/2021, 2:15 PM
slevchenko
12/03/2021, 2:20 PM
SELECT process_memory_map.*, pid as mpid
from process_memory_map
LEFT JOIN processes USING (pid)
WHERE process_memory_map.path LIKE '/%'
and process_memory_map.pseudo != 1
AND process_memory_map.path NOT LIKE '/lib/%'
AND process_memory_map.path NOT LIKE '/usr/lib%'
AND process_memory_map.path NOT LIKE '/snap/%'
AND process_memory_map.path NOT LIKE '/usr/local/lib/%'
AND process_memory_map.path NOT LIKE '/home/%%/snap/%'
AND process_memory_map.path NOT LIKE '/var/lib/snapd/%'
AND process_memory_map.path NOT LIKE '/opt/bitnami/%%'
AND process_memory_map.path NOT LIKE '/opt/java/%%'
AND process_memory_map.path NOT LIKE '/opt/java/%%'
AND process_memory_map.path NOT LIKE '/usr/glibc-compat/%%'
AND process_memory_map.path NOT LIKE '/run/user/1000/%%'
AND process_memory_map.path NOT LIKE '/memfd:/.glXXXXXX'
AND process_memory_map.path != processes.path
AND process_memory_map.permissions LIKE '%x%';
seph
LIKE IN (...) structure
%% in those LIKEs. That's not going to do what you think -- %% is an osquery construct, not a sql one. So in a SQL comparison, it's the same as a single % and it will match anything.
slack or not
slevchenko
12/06/2021, 1:49 PM