lvferdi
05/17/2022, 12:03 PM

himanshu
05/18/2022, 5:12 AM
<programfiles>\plgx_osquery\

OpenPlgx
05/18/2022, 9:15 AM

lvferdi
05/18/2022, 1:12 PM
plgx_tls.cpp:192: tls_server_certs is: \Program Files\osquery\certs\cert.pem
When I navigate to that directory there is a cert there which I did not install. If I monitor the socket connections (using the extension itself) I can see attempted connections with these 4 IP addresses in the past 48 hours:
208.111.179.129
72.21.81.240
8.253.38.248
104.18.20.226
himanshu
05/18/2022, 4:33 PM
\Program Files\osquery\certs\cert.pem
The extension just enumerates certain osquery flags, including tls_server_certs, when it is launched, but doesn't try to make any connection to any server. For osquery\extension to communicate with a server, tls_hostname has to be provided in the osquery.flags file. Since the default flags provided with the extension don't have any server-related flag, it won't attempt to connect to any server.

OpenPlgx
05/18/2022, 4:44 PM

lvferdi
05/18/2022, 6:35 PM

OpenPlgx
05/19/2022, 6:32 AM

lvferdi
05/19/2022, 1:30 PM

himanshu
05/20/2022, 8:58 AM

OpenPlgx
05/20/2022, 9:33 AM

lvferdi
05/20/2022, 3:40 PM

himanshu
05/20/2022, 6:54 PM