analysis.py: Add --pack flag to load queries from a pack file #7935

tstromberg · 2023-02-09T15:33:54Z

This adds a --pack flag so that analysis.py can pull queries from an osquery pack file.

For example:

./profile.py --shell /usr/bin/osqueryi --pack pack.conf
Profiling query: SELECT file.path, file.type, file.size, file.mtime, file.uid, file.ctime, file.gid, hash.sha256, magic.data FROM file LEFT JOIN hash ON file.path = hash.path LEFT JOIN users u ON file.uid = u.uid LEFT JOIN magic ON file.path = magic.path WHERE ( file.directory LIKE '/Users/%/Downloads/%' OR file.directory LIKE '/home/%/%' OR file.directory LIKE '/home/%/' OR file.directory LIKE '/home/%/.%' OR file.directory LIKE '/home/%/Downloads/%' OR file.directory LIKE '/tmp/%' OR file.directory LIKE '/tmp/' OR file.directory LIKE '/Users/%/%' OR file.directory LIKE '/Users/%/' OR file.directory LIKE '/Users/%/.%' OR file.directory LIKE '/var/tmp/%' OR file.directory LIKE '/var/tmp/' ) AND file.directory NOT LIKE "%/../%" AND file.directory NOT LIKE "%/./%" AND filename LIKE "%-%-%.json" AND size BETWEEN 2311 AND 2385 AND NOT INSTR(filename, CONCAT (u.username, "-")) == 1 AND NOT INSTR( filename, REPLACE(LOWER(TRIM(description)), " ", "-") ) == 1;

Add --pack flag to load queries from a pack file

a159680

tstromberg requested review from a team as code owners February 9, 2023 15:33

directionless approved these changes Feb 10, 2023

View reviewed changes

directionless merged commit ed1f839 into osquery:master Feb 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

analysis.py: Add --pack flag to load queries from a pack file #7935

analysis.py: Add --pack flag to load queries from a pack file #7935

tstromberg commented Feb 9, 2023

analysis.py: Add --pack flag to load queries from a pack file #7935

analysis.py: Add --pack flag to load queries from a pack file #7935

Conversation

tstromberg commented Feb 9, 2023