bro-osquery - socket_events

Hello all -

I’m looking at gathering host processes that make connections to the network/internet. When trying out bro-osquery I’m getting the following error.

1536590781.935421 error: Bad IP address: fe80::b22f:47fa:b41f:7ce8%em1

1536590781.935421 error: Bad IP address: fe80::b22f:47fa:b41f:7ce8%em1

Here is my script:

    # Handler for bro-osquery's host_socket_event; currently just confirms the event fires
    event host_socket_event(resultInfo: osquery::ResultInfo, action: string, pid: int, path: string, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int, start_time: int, success: int)
        {
        print "host_socket_event";
        }

When looking at the socket_events table I'm not seeing any data. I am receiving the following error from auditd.

I0910 10:57:12.063364 1615 auditdnetlink.cpp:613] Failed to set the netlink owner

I0910 10:57:17.063714 1615 auditdnetlink.cpp:613] Failed to set the netlink owner

That is what I’m seeing while trying to run osqueryi.

Has anyone run into this before? Looks like there’s an open ticket from the iBigQ guys stating that they cannot upgrade their version of OSQuery yet.

https://github.com/facebook/osquery/issues/4145

N
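Added example (not from the post above and not bro-osquery's own code): the "Bad IP address" reporter error is what Bro emits when a string such as "fe80::b22f:47fa:b41f:7ce8%em1" is converted to an addr, because the "%em1" zone index is not part of the address syntax. If your own handler converts local_address/remote_address with to_addr(), split the zone index off first and skip rows that still do not parse; the handler signature is the one from the post, strip_zone is a helper introduced here.

```zeek
# Split a zone index off a scoped IPv6 address ("fe80::1%em1" -> "fe80::1").
# osquery reports link-local addresses with the interface appended.
function strip_zone(ip: string): string
    {
    if ( "%" in ip )
        return split_string1(ip, /%/)[0];
    return ip;
    }

event host_socket_event(resultInfo: osquery::ResultInfo, action: string, pid: int, path: string, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int, start_time: int, success: int)
    {
    local l = strip_zone(local_address);
    local r = strip_zone(remote_address);

    # Check before converting so a malformed row is logged once instead of
    # triggering the reporter's "Bad IP address" error.
    if ( ! is_valid_ip(l) || ! is_valid_ip(r) )
        {
        print fmt("host_socket_event: unparseable address local=%s remote=%s (pid %d, %s)",
                  local_address, remote_address, pid, path);
        return;
        }

    local la = to_addr(l);
    local ra = to_addr(r);
    print fmt("host_socket_event pid=%d action=%s %s:%d -> %s:%d", pid, action, la, local_port, ra, remote_port);
    }
```

Rows for listening sockets may carry an empty remote_address; is_valid_ip("") is false, so those are reported and skipped here rather than converted.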