-
Notifications
You must be signed in to change notification settings - Fork 1
/
osquery.conf
74 lines (73 loc) · 8.25 KB
/
osquery.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
{
"options": {
"utc": "true"
},
"schedule": {
"system_info": {
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
"snapshot": true,
"interval": 60
},
"logcial_drives_snapshot": {
"query": "SELECT boot_partition, description, device_id, file_system, size, type FROM logical_drives;",
"snapshot": true,
"interval": 60
},
"interfaces_snapshot": {
"query": "SELECT ia.interface, ia.address, ia.mask, id.mac, id.description, id.type, id.mtu, id.metric, id.flags, id.link_speed, id.connection_id FROM interface_addresses AS ia INNER JOIN interface_details AS id ON ia.interface = id.interface;",
"snapshot": true,
"interval": 60
},
"system_uptime": {
"query": "SELECT * FROM uptime;",
"snapshot": true,
"interval": 300
},
"logged_in_users_snapshot": {
"query": "SELECT type, user, tty, host, time, pid FROM logged_in_users;",
"snapshot": true,
"interval": 60
},
"users_snapshot": {
"query": "SELECT uid, gid, uid_signed, gid_signed, username, description, directory, shell, uuid FROM users;",
"snapshot": true,
"interval": 60
},
"os_snapshot" : {
"query": "SELECT * FROM os_version;",
"snapshot": true,
"interval": 60
},
"process_hash_snapshot": {
"query": "SELECT DISTINCT h.sha256, p.name, u.username FROM processes AS p INNER JOIN hash as h ON h.path = p.path INNER JOIN users AS u ON u.uid = p.uid ORDER BY start_time DESC;",
"snapshot": true,
"interval": 60
},
"process_netports_snapshot": {
"query": "SELECT lp.pid, p.name, lp.port, lp.address FROM listening_ports AS lp INNER JOIN processes AS p ON lp.pid = p.pid WHERE lp.port != 0 AND lp.address != \"127.0.0.1\" ORDER BY p.start_time DESC;",
"snapshot": true,
"interval": 60
},
// Network Connection has options - Uncomment a single query line and comment all others
"process_netconns_snapshot": {
// MINIMAL FILTERING
"query": "SELECT (CASE family WHEN 2 THEN 'IP4' WHEN 10 THEN 'IP6' ELSE family END) AS family, (CASE protocol WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' ELSE protocol END) AS protocol, local_address, local_port, remote_address, remote_port FROM process_open_sockets WHERE family IN (2, 10) AND protocol IN (6, 17) AND local_address != \"0.0.0.0\" AND remote_address != \"0.0.0.0\" AND remote_port != 0;",
// FILTERS RESERVED AND BOGON IPV4 ADDRESSES
// "query": "SELECT (CASE family WHEN 2 THEN 'IP4' WHEN 10 THEN 'IP6' ELSE family END) AS family, (CASE protocol WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' ELSE protocol END) AS protocol, local_address, local_port, remote_address, remote_port FROM process_open_sockets WHERE family IN (2, 10) AND protocol IN (6, 17) AND remote_port != 0 AND regex_match(local_address,\"^0\\.0\\.\",0) is null AND regex_match(remote_address,\"^0\\.0\\.\",0) is null AND regex_match(local_address,\"^127\\.\",0) is null AND regex_match(remote_address,\"^127\\.\",0) is null AND regex_match(local_address,\"^169\\.254\\.\",0) is null AND regex_match(remote_address,\"^169\\.254\\.\",0) is null AND regex_match(local_address,\"^192\\.0\\.0\\.\",0) is null AND regex_match(remote_address,\"^192\\.0\\.0\\.\",0) is null AND regex_match(local_address,\"^192\\.0\\.2\\.\",0) is null AND regex_match(remote_address,\"^192\\.0\\.2\\.\",0) is null AND regex_match(local_address,\"^198\\.1[89]\\.\",0) is null AND regex_match(remote_address,\"^198\\.1[89]\\.\",0) is null AND regex_match(local_address,\"^198\\.51\\.100\\.\",0) is null AND regex_match(remote_address,\"^198\\.51\\.100\\.\",0) is null AND regex_match(local_address,\"^203\\.0\\.113\\.\",0) is null AND regex_match(remote_address,\"^203\\.0\\.113\\.\",0) is null AND regex_match(local_address,\"^22[456789]\\.\",0) is null AND regex_match(remote_address,\"^22[456789]\\.\",0) is null AND regex_match(local_address,\"^2[345]\\.\",0) is null AND regex_match(remote_address,\"^2[345]\\.\",0) is null;",
// FILTERS RESERVED AND BOGON IPV4 ADDRESSES, FILTERS REMOTE PRIVATE IPV4 ADDRESSES
// "query": "SELECT (CASE family WHEN 2 THEN 'IP4' WHEN 10 THEN 'IP6' ELSE family END) AS family, (CASE protocol WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' ELSE protocol END) AS protocol, local_address, local_port, remote_address, remote_port FROM process_open_sockets WHERE family IN (2, 10) AND protocol IN (6, 17) AND remote_port != 0 AND regex_match(local_address,\"^0\\.0\\.\",0) is null AND regex_match(remote_address,\"^0\\.0\\.\",0) is null AND regex_match(remote_address,\"^10\\.\",0) is null AND regex_match(local_address,\"^127\\.\",0) is null AND regex_match(remote_address,\"^127\\.\",0) is null AND regex_match(local_address,\"^169\\.254\\.\",0) is null AND regex_match(remote_address,\"^169\\.254\\.\",0) is null AND regex_match(remote_address,\"^172\\.1[6-9]\\.\",0) is null AND regex_match(remote_address,\"^172\\.2[0-9]\\.\",0) is null AND regex_match(remote_address,\"^172\\.3[01]\\.\",0) is null AND regex_match(local_address,\"^192\\.0\\.0\\.\",0) is null AND regex_match(remote_address,\"^192\\.0\\.0\\.\",0) is null AND regex_match(local_address,\"^192\\.0\\.2\\.\",0) is null AND regex_match(remote_address,\"^192\\.0\\.2\\.\",0) is null AND regex_match(remote_address,\"^192\\.168\\.\",0) is null AND regex_match(local_address,\"^198\\.1[89]\\.\",0) is null AND regex_match(remote_address,\"^198\\.1[89]\\.\",0) is null AND regex_match(local_address,\"^198\\.51\\.100\\.\",0) is null AND regex_match(remote_address,\"^198\\.51\\.100\\.\",0) is null AND regex_match(local_address,\"^203\\.0\\.113\\.\",0) is null AND regex_match(remote_address,\"^203\\.0\\.113\\.\",0) is null AND regex_match(local_address,\"^22[456789]\\.\",0) is null AND regex_match(remote_address,\"^22[456789]\\.\",0) is null AND regex_match(local_address,\"^2[345]\\.\",0) is null AND regex_match(remote_address,\"^2[345]\\.\",0) is null;",
// FILTERS RESERVED AND BOGON IPV4 ADDRESSES, FILTERS ALL PRIVATE IPV4 ADDRESSES
// "query": "SELECT (CASE family WHEN 2 THEN 'IP4' WHEN 10 THEN 'IP6' ELSE family END) AS family, (CASE protocol WHEN 6 THEN 'TCP' WHEN 17 THEN 'UDP' ELSE protocol END) AS protocol, local_address, local_port, remote_address, remote_port FROM process_open_sockets WHERE family IN (2, 10) AND protocol IN (6, 17) AND remote_port != 0 AND regex_match(local_address,\"^0\\.0\\.\",0) is null AND regex_match(remote_address,\"^0\\.0\\.\",0) is null AND regex_match(local_address,\"^10\\.\",0) is null AND regex_match(remote_address,\"^10\\.\",0) is null AND regex_match(local_address,\"^127\\.\",0) is null AND regex_match(remote_address,\"^127\\.\",0) is null AND regex_match(local_address,\"^169\\.254\\.\",0) is null AND regex_match(remote_address,\"^169\\.254\\.\",0) is null AND regex_match(local_address,\"^172\\.1[6-9]\\.\",0) is null AND regex_match(remote_address,\"^172\\.1[6-9]\\.\",0) is null AND regex_match(local_address,\"^172\\.2[0-9]\\.\",0) is null AND regex_match(remote_address,\"^172\\.2[0-9]\\.\",0) is null AND regex_match(local_address,\"^172\\.3[01]\\.\",0) is null AND regex_match(remote_address,\"^172\\.3[01]\\.\",0) is null AND regex_match(local_address,\"^192\\.0\\.0\\.\",0) is null AND regex_match(remote_address,\"^192\\.0\\.0\\.\",0) is null AND regex_match(local_address,\"^192\\.0\\.2\\.\",0) is null AND regex_match(remote_address,\"^192\\.0\\.2\\.\",0) is null AND regex_match(local_address,\"^192\\.168\\.\",0) is null AND regex_match(remote_address,\"^192\\.168\\.\",0) is null AND regex_match(local_address,\"^198\\.1[89]\\.\",0) is null AND regex_match(remote_address,\"^198\\.1[89]\\.\",0) is null AND regex_match(local_address,\"^198\\.51\\.100\\.\",0) is null AND regex_match(remote_address,\"^198\\.51\\.100\\.\",0) is null AND regex_match(local_address,\"^203\\.0\\.113\\.\",0) is null AND regex_match(remote_address,\"^203\\.0\\.113\\.\",0) is null AND regex_match(local_address,\"^22[456789]\\.\",0) is null AND regex_match(remote_address,\"^22[456789]\\.\",0) is null AND regex_match(local_address,\"^2[345]\\.\",0) is null AND regex_match(remote_address,\"^2[345]\\.\",0) is null;",
"snapshot": true,
"interval": 60
}
},
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
"packs": {
}
}