
Network_monitor does not terminate after osquery does

Open mike-myers-tob opened this issue 4 years ago • 8 comments

A user reports that the network_monitor extension continues to run after quitting osqueryi and it has to be manually terminated.

When quitting osquery, he sees: Thrift: Wed Nov 11 07:15:12 2020 TSocket::open() connect() <Host: Port: 0>No such file or directory

and continued output like: I1111 07:16:53.047338 27998 extensions.cpp:298] Extension watcher ending: osquery core has gone away

mike-myers-tob avatar Nov 13 '20 02:11 mike-myers-tob

Fixed in #64

mike-myers-tob avatar Nov 17 '20 17:11 mike-myers-tob

Hi, I'm trying to run osqueryi with the extension network_monitor.ext. But it isn't working, and I just see these 3 lines constantly:

I0107 19:46:23.604136 3068 pcapreaderservice.cpp:238] Listening on the following IPv4 addresses: X.X.X.X/255.255.255.0
I0107 19:46:23.604218 3068 pcapreaderservice.cpp:250] Listening on the following IPv6 addresses: X
I0107 19:46:26.565457 3061 extensions.cpp:298] Extension watcher ending: osquery core has gone away

I know that the first two lines refer to where it is listening, but they don't stop showing (like the last one). I looked at network_monitor/src/main.cpp and it is updated with runner.waitForShutdown() as said above. If someone could help me please.

LorenaM22 avatar Jan 07 '21 19:01 LorenaM22

Hiya LorenaM22 -- I'm having trouble recreating the issue; can you give us more details? Specifically:

  1. which version of osquery are you building against?
  2. how are you invoking the network monitor extension? e.g., are you starting it up on the command line with osqueryi, or are you invoking it later?
  3. what version of ubuntu are you on?
  4. has the network monitor extension worked for you in the past?

GarretReece avatar Jan 28 '21 16:01 GarretReece

Hi GarretReece,

The osquery version is 4.6.0 and I'm starting it up on the command line with osqueryi. This is the command line I am writing: osqueryi --extension /home/lorena/dir1/dir2/dir3/osquery/build/external/extension_trailofbits/extensions/network_monitor/network_monitor.ext

I'm not using ubuntu, I'm using Debian GNU/Linux 10

And the answer to the last question is no, it has never worked. All I did was build osquery with the instructions that appear here https://githubz.com/trailofbits/osquery-extensions/blob/master/README.md And I can say that the other tables of the extensions seem to work properly.

Thanks for the comment :)

LorenaM22 avatar Jan 28 '21 16:01 LorenaM22

4.6.0 works on my ubuntu vm, so I'll set up a debian 10 VM and see about running on that platform.

please forgive all the questions, I'm trying to run through all the possible sources of problems :-)

are you running via sudo with a user specified to drop privileges correctly? and have you set the dns interface correctly in the json configuration file?

GarretReece avatar Jan 28 '21 17:01 GarretReece

I'm running as root, should I create a new user and run via sudo? Would it make a difference? This is my json configuration file:

    {
      "user": "tob_network_monitor_ext",
      "dns_events": {
        "interface": "ens192",
        "promiscuous": false,
        "max_tcp_conversation_length": 10240,
        "max_tcp_conversation_idle_time": 300
      }
    }

I just changed the interface from eth0 to ens192 because it is the name of the interface where my ip address is.

LorenaM22 avatar Jan 28 '21 19:01 LorenaM22

you'll need to at some point, yes, because the network_monitor extension drops permissions deliberately. That said, I can recreate the issue you're seeing just fine on my debian VM, so I'll dig in and see what the cause is. At first glance it seems like a permissions error of some sort, but I'll post when I know more.

GarretReece avatar Jan 28 '21 20:01 GarretReece
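A quick pre-flight check for the three questions raised above (does the configured user exist, does the named interface exist, is the process running as root), written here as an added example that is not part of the project or of this thread; SAMPLE_CONFIG is a constructed copy of the posted config with its closing brace restored, and check_config is a hypothetical helper:

```python
import json
import os
import pwd

# Constructed sample mirroring the config posted in this thread (not the
# project's own file); the closing brace missing from the post is restored.
SAMPLE_CONFIG = """{
  "user": "tob_network_monitor_ext",
  "dns_events": {
    "interface": "ens192",
    "promiscuous": false,
    "max_tcp_conversation_length": 10240,
    "max_tcp_conversation_idle_time": 300
  }
}"""


def check_config(text, users, interfaces, euid):
    """Return a list of problems; an empty list means the config looks usable."""
    # users, interfaces and euid are injected so the check can run offline
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return ["config is not valid JSON: %s" % e]
    problems = []
    user = cfg.get("user")
    if not user:
        problems.append('"user" missing: the extension needs an account to drop privileges to')
    elif user not in set(users):
        problems.append('"user" %r does not exist on this host' % user)
    iface = cfg.get("dns_events", {}).get("interface")
    if not iface:
        problems.append('"dns_events.interface" missing')
    elif iface not in set(interfaces):
        problems.append("interface %r not found; have: %s" % (iface, ", ".join(sorted(interfaces)) or "none"))
    if euid != 0:
        problems.append("not running as root: packet capture and the privilege drop both need it")
    return problems


if __name__ == "__main__":
    # live values: local passwd accounts and sysfs interface names (Linux only)
    users = {p.pw_name for p in pwd.getpwall()}
    ifaces = set(os.listdir("/sys/class/net"))
    for line in check_config(SAMPLE_CONFIG, users, ifaces, os.geteuid()) or ["config looks usable"]:
        print(line)
```

Run it with sudo on the host where the extension will be loaded; each reported problem maps to one of the questions GarretReece asked.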

Hi. I got an issue in running: sudo osqueryi --extension ./network_monitor.ext

extensions.cpp:298] Extension watcher ending: osquery core has gone away
pcapreaderservice.cpp:238] Listening on the following IPv4 addresses: 192.168.42.193/255.255.255.0
I0924 19:59:10.037341 35993 pcapreaderservice.cpp:250] Listening on the following IPv6 addresses: ::2402:9d80:24c:3d6a:51a9:a2a3/::ffff:ffff:ffff:ffff:0:0 ::2402:9d80:24c:3d6a:2741:d274/::ffff:ffff:ffff:ffff:0:0 0:0:fe80::170b:51e4/::ffff:ffff:ffff:ffff:0:0
I0924 19:59:12.995213 35986 extensions.cpp:298] Extension watcher ending: osquery core has gone away

Those lines repeat again and again :)) Then, when I do select * from dns_events; sometimes it returns empty, sometimes it tells me there is no dns_events table.

I'm using osqueryi version 5.0.1 and I built network_monitor.ext from source code, and it is Ubuntu 20

Could you tell me what my problem is?

kingbenkyo avatar Sep 24 '21 13:09 kingbenkyo