osquery-defense-kit/detection/c2/unexpected-talkers-linux.sql

SELECT
  s.family,
  protocol,
  s.local_port,
  s.remote_port,
  s.local_address,
  s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  s.pid,
  s.net_namespace,
  pp.path AS parent_path,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  hash.sha256,
  CONCAT (
    MIN(s.remote_port, 32768),
    ",",
    protocol,
    ",",
    MIN(p.uid, 500),
    ",",
    p.name
  ) AS exception_key
FROM
  process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
WHERE
  protocol > 0
  AND s.remote_port > 0
  AND s.remote_address NOT IN ("127.0.0.1", "::ffff:127.0.0.1", "::1")
  AND s.remote_address NOT LIKE "fe80:%"
  AND s.remote_address NOT LIKE "127.%"
  AND s.remote_address NOT LIKE "192.168.%"
  AND s.remote_address NOT LIKE "172.1%"
  AND s.remote_address NOT LIKE "172.2%"
  AND s.remote_address NOT LIKE "172.30.%"
  AND s.remote_address NOT LIKE "172.31.%"
  AND s.remote_address NOT LIKE "::ffff:172.%"
  AND s.remote_address NOT LIKE "10.%"
  AND s.remote_address NOT LIKE "::ffff:10.%"
  AND s.remote_address NOT LIKE "fc00:%"
  AND s.state != "LISTEN" -- DNS clients
  AND NOT (
    remote_port = 53
    AND protocol IN (6, 17)
    AND p.name IN (
      "1password",
      "apt",
      "apt-get",
      "Brackets",
      "chainctl",
      "chrome",
      "chronyd",
      "cloud_sql_proxy",
      "code",
      "containerd",
      "controlplane",
      "crc",
      "curl",
      "dig",
      "dnf",
      "electron",
      "firefox",
      ".firefox-wrappe",
      "flameshot",
      "gh",
      "git-remote-http",
      "gitsign",
      "gnome-software",
      "go",
      "grafana-server",
      "grype",
      "host",
      "htop",
      "istioctl",
      "jcef_helper",
      "k6",
      "k9s",
      "ko",
      "kolide-pipeline",
      "launcher",
      "NetworkManager",
      "ngrok",
      "nix",
      "node",
      "nscd",
      "obs",
      "obs-browser-page",
      "obs-ffmpeg-mux",
      "obsidian",
      "opera",
      "pacman",
      "ping",
      "podman",
      "prometheus",
      "rootlessport",
      "signal-desktop",
      "slack",
      "slirp4netns",
      "snapd",
      "snap-store",
      "Socket Process",
      "spotify",
      "ssh",
      "steam",
      "steamwebhelper",
      "syncthing",
      "systemd-resolve",
      "tailscaled",
      ".tailscaled-wra",
      "terraform",
      "terraform-provi",
      "tkn",
      "traceroute",
      "vcluster",
      "wget",
      "whois",
      "xmobar",
      "yay",
      "zoom"
    )
  ) -- General exceptions
  AND NOT exception_key IN (
    "123,17,,",
    "123,17,500,chronyd",
    "22067,6,500,syncthing",
    "22,6,,",
    "22,6,500,ssh",
    "27024,6,500,steam",
    "3100,6,500,firefox",
    "3100,6,500,k6",
    "32768,6,0,tailscaled",
    "3307,6,500,cloud_sql_proxy",
    "4070,6,500,spotify",
    "443,17,500,chrome",
    "443,17,500,electron",
    "443,17,500,jcef_helper",
    "443,17,500,slack",
    "443,17,500,spotify",
    "443,6,0,apk",
    "443,6,0,containerd",
    "443,6,0,depmod",
    "443,6,0,dirmngr",
    "443,6,0,dnf",
    "443,6,0,dockerd",
    "443,6,0,influxd",
    "443,6,0,launcher",
    "443,6,0,nix",
    "443,6,0,nix-daemon",
    "443,6,0,packagekitd",
    "443,6,0,pacman",
    "443,6,0,snapd",
    "443,6,0,systemctl",
    "443,6,0,tailscaled",
    "443,6,0,.tailscaled-wra",
    "443,6,0,yum",
    "443,6,105,https",
    "443,6,472,grafana-server",
    "443,6,500,1password",
    "443,6,500,authentik-proxy",
    "443,6,500,aws",
    "443,6,500,Brackets",
    "443,6,500,celery",
    "443,6,500,chainctl",
    "443,6,500,chrome",
    "443,6,500,cloud_sql_proxy",
    "443,6,500,code",
    "443,6,500,containerd",
    "443,6,500,controlplane",
    "443,6,500,cosign",
    "443,6,500,crane",
    "443,6,500,CrBrowserMain",
    "443,6,500,crc",
    "443,6,500,CrUtilityMain",
    "443,6,500,curl",
    "443,6,500,Discord",
    "443,6,500,electron",
    "443,6,500,emacs",
    "443,6,500,firefox",
    "443,6,500,.firefox-wrappe",
    "443,6,500,flameshot",
    "443,6,500,geoclue",
    "443,6,500,gh",
    "443,6,500,git-remote-http",
    "443,6,500,gitsign",
    "443,6,500,gnome-shell",
    "443,6,500,gnome-software",
    "443,6,500,go",
    "443,6,500,___go_build_github_com_anchore_grype,a.out,",
    "443,6,500,grafana-server",
    "443,6,500,grype",
    "443,6,500,gunicorn",
    "443,6,500,gvfsd-http",
    "443,6,500,htop",
    "443,6,500,influxd",
    "443,6,500,istioctl",
    "443,6,500,java",
    "443,6,500,jcef_helper",
    "443,6,500,jetbrains-toolb",
    "443,6,500,k6",
    "443,6,500,k9s",
    "443,6,500,ko",
    "443,6,500,kolide-pipeline",
    "443,6,500,kubectl",
    "443,6,500,minicli",
    "443,6,500,ngrok",
    "443,6,500,nix",
    "443,6,500,node",
    "443,6,500,obs",
    "443,6,500,obs-browser-page",
    "443,6,500,obs-ffmpeg-mux",
    "443,6,500,obsidian",
    "443,6,500,pingsender",
    "443,6,500,pip",
    "443,6,500,podman",
    "443,6,500,signal-desktop",
    "443,6,500,slack",
    "443,6,500,slirp4netns",
    "443,6,500,snap-store",
    "443,6,500,Socket Process",
    "443,6,500,spotify",
    "443,6,500,steamwebhelper",
    "443,6,500,teams",
    "443,6,500,terraform",
    "443,6,500,terraform-provi",
    "443,6,500,tkn",
    "443,6,500,.tox-wrapped",
    "443,6,500,trivy",
    "443,6,500,vcluster",
    "443,6,500,vim",
    "443,6,500,WebKitNetworkPr",
    "443,6,500,wget",
    "443,6,500,wineserver",
    "443,6,500,x11-ssh-askpass",
    "443,6,500,xmobar",
    "443,6,500,yay",
    "443,6,500,zoom",
    "5228,6,500,chrome",
    "6000,6,500,ssh",
    "80,6,0,mkinitcpio",
    "67,17,0,NetworkManager",
    "7903,6,500,syncthing",
    "8006,6,500,chrome",
    "80,6,0,dnf",
    "80,6,0,gdk-pixbuf-quer",
    "80,6,0,NetworkManager",
    "80,6,0,pacman",
    "80,6,0,tailscaled",
    "80,6,0,.tailscaled-wra",
    "443,6,0,yay",
    "80,6,0,yum",
    "443,6,500,rustup",
    "443,6,500,cargo",
    "80,6,500,thunderbird",
    "80,6,105,http",
    "80,6,500,curl",
    "80,6,500,firefox",
    "80,6,500,.firefox-wrappe",
    "80,6,500,gitsign",
    "80,6,500,slack",
    "80,6,500,spotify",
    "80,6,500,steam",
    "80,6,500,steamwebhelper",
    "80,6,500,syncthing",
    "8801,17,500,zoom",
    "9090,6,500,firefox",
    "9090,6,500,k6",
    "9090,6,500,prometheus",
    "9090,6,500,rootlessport"
  ) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
  AND NOT (
    (
      remote_address LIKE "151.101.%"
      OR remote_address LIKE "140.82.%"
    )
    AND remote_port = 443
    AND protocol = 6
    AND (
      parent_path LIKE "/nix/%/bin/bash"
      OR parent_path LIKE "/nix/%/bin/zsh"
      OR parent_path LIKE "%/bin/nix"
      OR p.path LIKE "/nix/store/%"
    )
  )
  AND NOT p.cmdline LIKE "bash --rcfile /tmp/nix-shell.%" -- Other more complicated situations
  AND NOT (
    p.name = "rootlessport"
    AND remote_port > 1024
  )
  AND NOT (
    p.name = "syncthing"
    AND (
      remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
      OR remote_port > 1024
    )
  )
  AND NOT (
    p.name IN (
      "chrome",
      "Google Chrome Helper",
      "Brave Browser Helper",
      "Chromium Helper",
      "Opera Helper"
    )
    AND remote_port IN (
      53,
      3100,
      443,
      80,
      8006,
      9000,
      5004,
      8009,
      8080,
      8888,
      8443,
      5228,
      32211,
      53,
      10001,
      3478,
      19305,
      19306,
      19307,
      19308,
      19309
    )
  )
  AND NOT (
    p.name IN ("thunderbird")
    AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
  )
  AND NOT (
    p.name IN ("spotify", "Spotify Helper", "Spotify")
    AND remote_port IN (53, 443, 8009, 4070, 32211)
  )
  AND NOT (
    remote_port IN (443, 53)
    AND p.name LIKE "terraform-provider-%"
  )
  AND NOT (
    remote_port IN (443, 53)
    AND p.name LIKE "npm exec %"
  )
  AND NOT (
    remote_port iN (443, 53)
    AND p.name LIKE "kubectl.%"
  )
  AND NOT (
    p.cmdline LIKE "%google-cloud-sdk/lib/gcloud.py%"
    AND remote_port IN (80, 53, 443)
  )
GROUP BY
  p.cmdline
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`SELECT`
			`s.family,`
More whitelisting 2022-09-22 09:18:03 +00:00			`protocol,`
			`s.local_port,`
			`s.remote_port,`
			`s.local_address,`
			`s.remote_address,`
			`p.name,`
			`p.path,`
			`p.cmdline AS child_cmd,`
			`p.cwd,`
			`s.pid,`
			`s.net_namespace,`
Launch day fixes 2022-09-22 17:18:16 +00:00			`pp.path AS parent_path,`
More whitelisting 2022-09-22 09:18:03 +00:00			`p.parent AS parent_pid,`
			`pp.cmdline AS parent_cmd,`
			`hash.sha256,`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`CONCAT (`
More whitelisting 2022-09-22 09:18:03 +00:00			`MIN(s.remote_port, 32768),`
			`",",`
			`protocol,`
			`",",`
			`MIN(p.uid, 500),`
			`",",`
			`p.name`
			`) AS exception_key`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`FROM`
			`process_open_sockets s`
More whitelisting 2022-09-22 09:18:03 +00:00			`LEFT JOIN processes p ON s.pid = p.pid`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN hash ON p.path = hash.path`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`WHERE`
			`protocol > 0`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND s.remote_port > 0`
More false-positive removal 2022-09-23 17:03:11 +00:00			`AND s.remote_address NOT IN ("127.0.0.1", "::ffff:127.0.0.1", "::1")`
			`AND s.remote_address NOT LIKE "fe80:%"`
			`AND s.remote_address NOT LIKE "127.%"`
			`AND s.remote_address NOT LIKE "192.168.%"`
			`AND s.remote_address NOT LIKE "172.1%"`
			`AND s.remote_address NOT LIKE "172.2%"`
			`AND s.remote_address NOT LIKE "172.30.%"`
			`AND s.remote_address NOT LIKE "172.31.%"`
			`AND s.remote_address NOT LIKE "::ffff:172.%"`
			`AND s.remote_address NOT LIKE "10.%"`
			`AND s.remote_address NOT LIKE "::ffff:10.%"`
			`AND s.remote_address NOT LIKE "fc00:%"`
More false removal 2022-09-30 19:42:10 +00:00			`AND s.state != "LISTEN" -- DNS clients`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND NOT (`
			`remote_port = 53`
			`AND protocol IN (6, 17)`
			`AND p.name IN (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"1password",`
			`"apt",`
			`"apt-get",`
			`"Brackets",`
			`"chainctl",`
			`"chrome",`
			`"chronyd",`
			`"cloud_sql_proxy",`
			`"code",`
			`"containerd",`
			`"controlplane",`
			`"crc",`
			`"curl",`
			`"dig",`
			`"dnf",`
			`"electron",`
			`"firefox",`
			`".firefox-wrappe",`
			`"flameshot",`
			`"gh",`
			`"git-remote-http",`
			`"gitsign",`
			`"gnome-software",`
			`"go",`
			`"grafana-server",`
			`"grype",`
			`"host",`
			`"htop",`
			`"istioctl",`
			`"jcef_helper",`
			`"k6",`
			`"k9s",`
			`"ko",`
			`"kolide-pipeline",`
			`"launcher",`
			`"NetworkManager",`
			`"ngrok",`
			`"nix",`
			`"node",`
			`"nscd",`
			`"obs",`
			`"obs-browser-page",`
			`"obs-ffmpeg-mux",`
			`"obsidian",`
			`"opera",`
			`"pacman",`
			`"ping",`
			`"podman",`
			`"prometheus",`
			`"rootlessport",`
			`"signal-desktop",`
			`"slack",`
			`"slirp4netns",`
			`"snapd",`
			`"snap-store",`
			`"Socket Process",`
			`"spotify",`
			`"ssh",`
			`"steam",`
			`"steamwebhelper",`
			`"syncthing",`
			`"systemd-resolve",`
			`"tailscaled",`
			`".tailscaled-wra",`
			`"terraform",`
			`"terraform-provi",`
			`"tkn",`
			`"traceroute",`
			`"vcluster",`
			`"wget",`
			`"whois",`
			`"xmobar",`
			`"yay",`
			`"zoom"`
More whitelisting 2022-09-22 09:18:03 +00:00			`)`
More false removal 2022-09-30 19:42:10 +00:00			`) -- General exceptions`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND NOT exception_key IN (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"123,17,,",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"123,17,500,chronyd",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"22067,6,500,syncthing",`
More false removal 2022-09-30 19:42:10 +00:00			`"22,6,,",`
More false positive removal 2022-09-30 17:47:10 +00:00			`"22,6,500,ssh",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"27024,6,500,steam",`
			`"3100,6,500,firefox",`
			`"3100,6,500,k6",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"32768,6,0,tailscaled",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"3307,6,500,cloud_sql_proxy",`
			`"4070,6,500,spotify",`
			`"443,17,500,chrome",`
			`"443,17,500,electron",`
			`"443,17,500,jcef_helper",`
			`"443,17,500,slack",`
			`"443,17,500,spotify",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,0,apk",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,0,containerd",`
			`"443,6,0,depmod",`
			`"443,6,0,dirmngr",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,0,dnf",`
			`"443,6,0,dockerd",`
			`"443,6,0,influxd",`
			`"443,6,0,launcher",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,0,nix",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,0,nix-daemon",`
			`"443,6,0,packagekitd",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,0,pacman",`
			`"443,6,0,snapd",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,0,systemctl",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,0,tailscaled",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,0,.tailscaled-wra",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,0,yum",`
More false removal 2022-09-30 19:42:10 +00:00			`"443,6,105,https",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,472,grafana-server",`
			`"443,6,500,1password",`
			`"443,6,500,authentik-proxy",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,aws",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,Brackets",`
			`"443,6,500,celery",`
			`"443,6,500,chainctl",`
			`"443,6,500,chrome",`
			`"443,6,500,cloud_sql_proxy",`
			`"443,6,500,code",`
			`"443,6,500,containerd",`
			`"443,6,500,controlplane",`
			`"443,6,500,cosign",`
			`"443,6,500,crane",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,CrBrowserMain",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,crc",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,CrUtilityMain",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,curl",`
			`"443,6,500,Discord",`
			`"443,6,500,electron",`
More false positive removal 2022-09-30 17:47:10 +00:00			`"443,6,500,emacs",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,firefox",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,500,.firefox-wrappe",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,flameshot",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,geoclue",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,gh",`
			`"443,6,500,git-remote-http",`
			`"443,6,500,gitsign",`
			`"443,6,500,gnome-shell",`
			`"443,6,500,gnome-software",`
			`"443,6,500,go",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,500,___go_build_github_com_anchore_grype,a.out,",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,grafana-server",`
			`"443,6,500,grype",`
			`"443,6,500,gunicorn",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,gvfsd-http",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,htop",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,influxd",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,istioctl",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,java",`
			`"443,6,500,jcef_helper",`
			`"443,6,500,jetbrains-toolb",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,k6",`
			`"443,6,500,k9s",`
			`"443,6,500,ko",`
			`"443,6,500,kolide-pipeline",`
			`"443,6,500,kubectl",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,500,minicli",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,ngrok",`
			`"443,6,500,nix",`
			`"443,6,500,node",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,500,obs",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,obs-browser-page",`
			`"443,6,500,obs-ffmpeg-mux",`
			`"443,6,500,obsidian",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,pingsender",`
More false positive removal 2022-09-30 17:47:10 +00:00			`"443,6,500,pip",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,podman",`
			`"443,6,500,signal-desktop",`
			`"443,6,500,slack",`
			`"443,6,500,slirp4netns",`
			`"443,6,500,snap-store",`
			`"443,6,500,Socket Process",`
			`"443,6,500,spotify",`
			`"443,6,500,steamwebhelper",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,teams",`
More false positive removal 2022-09-30 17:47:10 +00:00			`"443,6,500,terraform",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,500,terraform-provi",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,tkn",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"443,6,500,.tox-wrapped",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,trivy",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,vcluster",`
Update exceptions for vim, tox, and nix 2022-09-30 18:12:45 +00:00			`"443,6,500,vim",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,WebKitNetworkPr",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,wget",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"443,6,500,wineserver",`
More false positive removal 2022-09-30 17:47:10 +00:00			`"443,6,500,x11-ssh-askpass",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"443,6,500,xmobar",`
			`"443,6,500,yay",`
			`"443,6,500,zoom",`
			`"5228,6,500,chrome",`
			`"6000,6,500,ssh",`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`"80,6,0,mkinitcpio",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"67,17,0,NetworkManager",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"7903,6,500,syncthing",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"8006,6,500,chrome",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"80,6,0,dnf",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"80,6,0,gdk-pixbuf-quer",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"80,6,0,NetworkManager",`
			`"80,6,0,pacman",`
			`"80,6,0,tailscaled",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"80,6,0,.tailscaled-wra",`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`"443,6,0,yay",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"80,6,0,yum",`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`"443,6,500,rustup",`
			`"443,6,500,cargo",`
			`"80,6,500,thunderbird",`
More false removal 2022-09-30 19:42:10 +00:00			`"80,6,105,http",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"80,6,500,curl",`
			`"80,6,500,firefox",`
Optimize queries for lower false positives 2022-10-07 20:19:18 +00:00			`"80,6,500,.firefox-wrappe",`
			`"80,6,500,gitsign",`
Overdue false positive removal 2022-09-29 19:42:27 +00:00			`"80,6,500,slack",`
			`"80,6,500,spotify",`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"80,6,500,steam",`
			`"80,6,500,steamwebhelper",`
			`"80,6,500,syncthing",`
			`"8801,17,500,zoom",`
			`"9090,6,500,firefox",`
			`"9090,6,500,k6",`
			`"9090,6,500,prometheus",`
			`"9090,6,500,rootlessport"`
More false removal 2022-09-30 19:42:10 +00:00			`) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.`
Launch day fixes 2022-09-22 17:18:16 +00:00			`AND NOT (`
More false removal 2022-09-30 19:42:10 +00:00			`(`
			`remote_address LIKE "151.101.%"`
			`OR remote_address LIKE "140.82.%"`
			`)`
Launch day fixes 2022-09-22 17:18:16 +00:00			`AND remote_port = 443`
			`AND protocol = 6`
			`AND (`
More false removal 2022-09-30 19:42:10 +00:00			`parent_path LIKE "/nix/%/bin/bash"`
			`OR parent_path LIKE "/nix/%/bin/zsh"`
New exfil detector, exception improvements 2022-09-30 16:10:18 +00:00			`OR parent_path LIKE "%/bin/nix"`
Update exceptions for vim, tox, and nix 2022-09-30 18:12:45 +00:00			`OR p.path LIKE "/nix/store/%"`
Launch day fixes 2022-09-22 17:18:16 +00:00			`)`
			`)`
More false removal 2022-09-30 19:42:10 +00:00			`AND NOT p.cmdline LIKE "bash --rcfile /tmp/nix-shell.%" -- Other more complicated situations`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND NOT (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`p.name = "rootlessport"`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND remote_port > 1024`
			`)`
			`AND NOT (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`p.name = "syncthing"`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND (`
			`remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)`
Update exceptions for syncthing, geoclue, packagekitd, yum, aws, depmod, pingsender 2022-09-26 22:15:08 +00:00			`OR remote_port > 1024`
More whitelisting 2022-09-22 09:18:03 +00:00			`)`
			`)`
			`AND NOT (`
			`p.name IN (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`"chrome",`
			`"Google Chrome Helper",`
			`"Brave Browser Helper",`
			`"Chromium Helper",`
			`"Opera Helper"`
More whitelisting 2022-09-22 09:18:03 +00:00			`)`
			`AND remote_port IN (`
			`53,`
			`3100,`
			`443,`
			`80,`
			`8006,`
			`9000,`
			`5004,`
			`8009,`
			`8080,`
			`8888,`
			`8443,`
			`5228,`
			`32211,`
			`53,`
			`10001,`
			`3478,`
			`19305,`
			`19306,`
			`19307,`
			`19308,`
			`19309`
			`)`
			`)`
			`AND NOT (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`p.name IN ("thunderbird")`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND remote_port IN (53, 143, 443, 587, 465, 585, 993)`
			`)`
			`AND NOT (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`p.name IN ("spotify", "Spotify Helper", "Spotify")`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND remote_port IN (53, 443, 8009, 4070, 32211)`
			`)`
			`AND NOT (`
			`remote_port IN (443, 53)`
More false-positive removal 2022-09-23 17:03:11 +00:00			`AND p.name LIKE "terraform-provider-%"`
More whitelisting 2022-09-22 09:18:03 +00:00			`)`
Weekend false-positive removal 2022-09-26 18:25:32 +00:00			`AND NOT (`
			`remote_port IN (443, 53)`
			`AND p.name LIKE "npm exec %"`
			`)`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND NOT (`
			`remote_port iN (443, 53)`
More false-positive removal 2022-09-23 17:03:11 +00:00			`AND p.name LIKE "kubectl.%"`
More whitelisting 2022-09-22 09:18:03 +00:00			`)`
			`AND NOT (`
More false-positive removal 2022-09-23 17:03:11 +00:00			`p.cmdline LIKE "%google-cloud-sdk/lib/gcloud.py%"`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND remote_port IN (80, 53, 443)`
			`)`
Initial re-organization around the MITRE ATT&CK framework 2022-10-12 01:53:36 +00:00			`GROUP BY`
			`p.cmdline`