{"id":36704302,"url":"https://github.com/hejcman/go-flows-osquery","last_synced_at":"2026-01-12T11:41:13.461Z","repository":{"id":43826245,"uuid":"457265926","full_name":"hejcman/go-flows-osquery","owner":"hejcman","description":"A plugin for go-flows using OSQuery.","archived":false,"fork":false,"pushed_at":"2022-03-18T17:03:56.000Z","size":49,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-12T05:47:05.941Z","etag":null,"topics":["go-flow","golang","osquery"],"latest_commit_sha":null,"homepage":"https://github.com/CN-TU/go-flows","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hejcman.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-02-09T08:10:34.000Z","updated_at":"2022-04-15T08:07:02.000Z","dependencies_parsed_at":"2022-09-12T11:01:20.456Z","dependency_job_id":null,"html_url":"https://github.com/hejcman/go-flows-osquery","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/hejcman/go-flows-osquery","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hejcman%2Fgo-flows-osquery","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hejcman%2Fgo-flows-osquery/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hejcman%2Fgo-flows-osquery/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hejcman%2Fgo-flows-osquery/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hejcman","download_url":"https://codeload.github.com/hejcman/
go-flows-osquery/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hejcman%2Fgo-flows-osquery/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28338972,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T10:58:46.209Z","status":"ssl_error","status_checked_at":"2026-01-12T10:58:42.742Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go-flow","golang","osquery"],"created_at":"2026-01-12T11:41:12.767Z","updated_at":"2026-01-12T11:41:13.440Z","avatar_url":"https://github.com/hejcman.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# go-flows-osquery\n\nModules for the flow exporter [go-flows](https://github.com/CN-TU/go-flows) which add support\nfor annotating packets and flows with information from [OSQuery](https://www.osquery.io).\n\nSpecifically, this repository implements two modules, the [label](/label) for labeling individual\npackets with process information, and the [features](/features) which are used to annotate the final flows\nwith system information.\n\nNote: using the labels plugin is not tested yet.\n\n## Supported features\n\nThe CESNET features are designed so that they are compatible with the definitions in [libfds](https://github.com/CESNET/libfds), including the 
name, PEN, ID, and type.\n\n| CESNET feature name     | Description                                     |\n|-------------------------|-------------------------------------------------|\n| `OSQueryProgramName`    | the process which created the flow              |\n| `OSQueryKernelVersion`  | kernel version                                  |\n| `OSQueryOSName`         | distribution or product name                    |\n| ---                     | pretty, suitable for representation, os version |\n| `OSQueryOSMajor`        | major release version                           |\n| `OSQueryOSMinor`        | minor release version                           |\n| ---                     | optional patch release                          |\n| `OSQueryOSBuild`        | optional build-specific or variant string       |\n| `OSQueryOSPlatform`     | os platform or id                               |\n| `OSQueryOSPlatformLike` | closely related platforms                       |\n| ---                     | os version codename                             |\n| `OSQueryOSArch`         | os architecture                                 |\n\n## Running\n\nCompile go-flows based on the instructions in the [Compile section](#compiling).\n\nThe files `features.json` and `osquery.yaml` must be in the same directory as `go-flows`, and they can be found in the\n[docs](/docs) folder. 
To use osquery features, you need to set the osquery socket correctly in the `osquery.yaml` file.\nOf course, you need to have osquery installed and running (instructions [here](https://osquery.readthedocs.io/en/stable/)).\n\n```shell\nsudo ./go-flows run features features.json export csv test.csv source libpcap -live \u003cifc\u003e\n```\n\n## Compiling\n### Compiling on Linux or macOS\n\nCompiling on Linux or macOS is quite straightforward:\n\n```shell\ngit clone https://github.com/CN-TU/go-flows.git\ncd go-flows/modules\ngit clone https://github.com/hejcman/go-flows-osquery.git\ncd ../go-flows-build\ngo build\ngo get github.com/osquery/osquery-go\n./go-flows-build +go-flows-osquery.label +go-flows-osquery.features -features.staging build\n```\n\nThis will build a binary `go-flows` in the `go-flows-build` directory.\n\n### Compiling on Windows\n\nFor some reason, using `go-flows-build` doesn't work on Windows. To work around this, you need to\nmodify the `builtin.go` file in the root directory of `go-flows` by appending the following two lines to the imports:\n\n```\n_ \"github.com/hejcman/go-flows-osquery/features\"\n_ \"github.com/hejcman/go-flows-osquery/label\"\n```\n\nTo download the packages, you need to execute `go get github.com/hejcman/go-flows-osquery`. Finally, building the\nexporter can be done by executing `go build .`, which creates a `go-flows.exe` binary file in the root directory.\n\n#### Getting the interface name\n\nSince getting a libpcap-compatible interface name is not straightforward on Windows, I prepared a simple program called\n`ifcNames`, which outputs all the libpcap-usable interface names along with their description. This can be found in the\n[ifcNames](/docs/ifcNames) folder. To see the interfaces, execute `go run .` in the ifcNames folder. The interface names\nto be used with `go-flows` are in the format `\\Device\\NPF_{...}`. 
Whilst this program works on Linux and macOS as well,\nthere is no reason to use it as the interface names output by `ifconfig` work with libpcap.\n\n#### osquery socket name\n\nOn Windows, the osquery socket uses backslashes for the path. This is not parsable by go-flows, and should be\nreplaced by forward slashes. For example, `\\\\.\\pipe\\shell.em` should be `//./pipe/shell.em`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhejcman%2Fgo-flows-osquery","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhejcman%2Fgo-flows-osquery","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhejcman%2Fgo-flows-osquery/lists"}