
Add community_id_v1 hash function to SQLite #6211

Merged
merged 12 commits into from
Feb 8, 2020

Conversation

@zwass zwass commented Jan 29, 2020

Implements the Community ID hash that will allow correlating network connections detected by osquery with other tools that support the standard (Zeek, Suricata, etc.).

  • Add Boost Endian library
  • Refactor core hashing utility to allow base64 encoding (backwards compatible)
  • Implement community ID
  • Tests

Thanks to @Security-Onion-Solutions for supporting development of this feature.
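Added example, not osquery's code: a stand-alone Python implementation of Community ID v1 using the byte layout quoted in the review thread below (seed . saddr . daddr . proto . 0 . sport . dport). It assumes the spec's canonical flow ordering (lower address/port pair first) and covers TCP/UDP/SCTP plus port-less protocols; the ICMP type/code mapping is left out.

```python
import base64
import hashlib
import ipaddress
import struct

# Protocols whose flow tuple carries ports (ICMP type/code mapping omitted).
PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP


def flow_tuple(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """Return the canonically ordered bytes that get hashed.

    The tuple is direction-independent: whichever (address, port) pair sorts
    lower is written first, so both halves of a connection hash identically.
    Addresses are packed in network byte order; IPv4 and IPv6 both work.
    """
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    has_ports = proto in PORT_PROTOS and sport is not None and dport is not None
    if has_ports:
        # Compare address first, then port (tuple comparison does both).
        if (src, sport) > (dst, dport):
            src, dst, sport, dport = dst, src, dport, sport
    elif src > dst:
        src, dst = dst, src
    # seed (16-bit BE) . saddr . daddr . proto (8-bit) . zero pad byte
    buf = struct.pack("!H", seed) + src + dst + struct.pack("!BB", proto, 0)
    if has_ports:
        buf += struct.pack("!HH", sport, dport)  # sport . dport, 16-bit BE
    return buf


def community_id_v1(saddr, daddr, proto, sport=None, dport=None, seed=0):
    """SHA-1 the flow tuple, base64 the digest, prefix the version marker."""
    digest = hashlib.sha1(flow_tuple(saddr, daddr, proto, sport, dport, seed)).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: one HTTP connection observed from both directions.
    print(community_id_v1("128.232.110.120", "66.35.250.204", 6, 34855, 80))
    print(community_id_v1("66.35.250.204", "128.232.110.120", 6, 80, 34855))
```

The two printed lines are identical, which is the property that lets an osquery socket event be joined against a Zeek or Suricata flow record.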

@theopolis theopolis left a comment

LGTM!

@directionless directionless merged commit c296693 into osquery:master Feb 8, 2020
zwass added a commit to zwass/osquery that referenced this pull request Feb 14, 2020

// seed . saddr . daddr . proto . 0 . sport . dport
std::stringstream bytes;
bytes.write(seed.data(), 2);
Contributor
linux build:
stderr: osquery/sql/sqlite_hashing.cpp:179:15: error: cannot initialize a parameter of type 'const std::__1::basic_ostream<char, std::__1::char_traits >::char_type *' (aka 'const char *') with an rvalue of type 'unsigned char *'

Member Author
This builds with Buck and CMake in our CI. Maybe you can open a new issue with more details about your environment and/or hop in osquery Slack to debug?
