#general

Zlexis

02/17/2020, 8:52 PM
I have a task to monitor outbound connections from production environments. One item that keeps showing up is
sudo ls /proc/12345/fd
where 12345 is a process ID. Why is this command considered an outbound connection?

seph

02/17/2020, 9:04 PM
What query are you running?

Zlexis

02/17/2020, 9:18 PM
SELECT user.username, proc.name, hash.md5, socket.pid, proc.path, proc.cmdline, socket.local_port, socket.remote_port, socket.remote_address FROM process_open_sockets as socket, processes as proc, users as user, hash as hash where socket.local_port not in (select port from listening_ports) and socket.local_port != 0 and socket.pid = proc.pid and user.uid = proc.uid and hash.path = proc.path;

seph

02/17/2020, 9:27 PM
It would not surprise me if sudo did something that looked like a socket. That table is more than just network sockets. If things change fast, you'll see a race condition for pid reuse.

Zlexis

02/17/2020, 10:37 PM
Is there a qualifier in the process_open_sockets table that indicates whether it is a network socket? I don't have access to the box to manually query it.

seph

02/18/2020, 3:06 AM
Both process_open_sockets and listening_ports have columns for family. The meaning there is OS dependent.