osquery-defense-kit/detection/c2/unexpected-https-client-lin...

-- Unexpected programs communicating over HTTPS (state-based)
--
-- This query is a bit awkward and hobbled due to the lack of osquery support
-- for looking up binary signatures in Linux.
--
-- references:
--   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net often
-- platform: linux
SELECT
  s.remote_address,
  p.name,
  p.cgroup_path,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  pp.path AS parent_path,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  s.state,
  hash.sha256,
  -- This intentionally avoids file.path, as it won't join across mount namespaces
  CONCAT (
    MIN(p.euid, 500),
    ',',
    REPLACE(
      REPLACE(
        REGEX_MATCH (p.path, '(/.*?)/', 1),
        '/nix',
        '/usr'
      ),
      '/snap',
      '/opt'
    ),
    '/',
    REGEX_MATCH (p.path, '.*/(.*?)$', 1),
    ',',
    MIN(f.uid, 500),
    'u,',
    MIN(f.gid, 500),
    'g,',
    p.name
  ) AS exception_key
FROM
  process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN hash ON p.path = hash.path
WHERE
  protocol IN (6, 17)
  AND s.remote_port = 443
  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND s.remote_address NOT LIKE 'fe80:%'
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE '172.1%'
  AND s.remote_address NOT LIKE '172.2%'
  AND s.remote_address NOT LIKE '172.30.%'
  AND s.remote_address NOT LIKE '172.31.%'
  AND s.remote_address NOT LIKE '::ffff:172.%'
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '::ffff:10.%'
  AND s.remote_address NOT LIKE 'fc00:%'
  AND p.path != ''
  AND NOT exception_key IN (
    '0,/ko-app/fulcio,u,g,fulcio',
    '0,/opt/snapd,0u,0g,snapd',
    '0,/sbin/apk,u,g,apk',
    '0,/usr/applydeltarpm,0u,0g,applydeltarpm',
    '0,/usr/bash,0u,0g,mkinitcpio',
    '0,/usr/cmake,u,g,cmake',
    '0,/usr/containerd,u,g,containerd',
    '0,/usr/dockerd,0u,0g,dockerd',
    '0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
    '0,/usr/launcher,0u,0g,launcher',
    '0,/usr/nix,0u,0g,nix',
    '0,/usr/nix,0u,0g,nix-daemon',
    '0,/usr/packagekitd,0u,0g,packagekitd',
    '0,/usr/pacman,0u,0g,pacman',
    '0,/usr/python3.10,0u,0g,dnf',
    '0,/usr/python3.10,0u,0g,dnf-automatic',
    '0,/usr/python3.10,0u,0g,yum',
    '0,/usr/python3.11,0u,0g,dnf',
    '0,/usr/python3.11,0u,0g,dnf-automatic',
    '0,/usr/python3.11,0u,0g,yum',
    '0,/usr/rpi-imager,0u,0g,rpi-imager',
    '0,/usr/snapd,0u,0g,snapd',
    '0,/usr/tailscaled,0u,0g,tailscaled',
    '0,/usr/tailscaled,500u,500g,tailscaled',
    '500,/usr/chainctl,500u,500g,chainctl',
    '500,/usr/grype,0u,0g,grype',
    '500,/home/krel,500u,500g,krel',
    '500,/usr/cosign-linux-amd64,0u,0g,cosign',
    '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
    '105,/usr/http,0u,0g,https',
    '106,/usr/geoclue,0u,0g,geoclue',
    '500,/app/signal-desktop,u,g,signal-desktop',
    '500,/app/slack,u,g,slack',
    '500,/app/spotify,u,g,spotify',
    '500,/app/thunderbird,u,g,thunderbird',
    '500,/app/zoom.real,u,g,zoom.real',
    '500,/home/cargo,500u,500g,cargo',
    '500,/home/chainctl,500u,100g,chainctl',
    '500,/home/chainctl,500u,500g,chainctl',
    '500,/home/code,500u,500g,code',
    '500,/home/cosign,500u,500g,cosign',
    '500,/home/gitsign,500u,500g,gitsign',
    '500,/home/go,500u,500g,go',
    '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
    '500,/home/grype,500u,500g,grype',
    '500,/home/java,500u,500g,java',
    '500,/home/jcef_helper,500u,500g,jcef_helper',
    '500,/home/ko,500u,500g,ko',
    '500,/home/promoter,500u,500g,promoter',
    '500,/home/python3,500u,500g,python3',
    '500,/home/steam,500u,100g,steam',
    '500,/home/steamwebhelper,500u,100g,steamwebhelper',
    '500,/home/terraform,500u,500g,terraform',
    '500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
    '500,/ko-app/chainctl,u,g,chainctl',
    '500,/ko-app/controller,u,g,controller',
    '500,/ko-app/controlplane,u,g,controlplane',
    '500,/opt/1password,0u,0g,1password',
    '500,/opt/Brackets,0u,0g,Brackets',
    '500,/opt/brave,0u,0g,brave',
    '500,/opt/chrome,0u,0g,chrome',
    '500,/opt/Discord,0u,0g,Discord',
    '500,/opt/firefox,0u,0g,firefox',
    '500,/opt/firefox,0u,0g,Socket Process',
    '500,/opt/Keybase,0u,0g,Keybase',
    '500,/opt/kubectl,0u,0g,kubectl',
    '500,/opt/slack,0u,0g,slack',
    '500,/opt/snap-store,0u,0g,snap-store',
    '500,/opt/spotify,0u,0g,spotify',
    '500,/opt/todoist,0u,0g,todoist',
    '500,/opt/zoom,0u,0g,zoom',
    '500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
    '500,/tmp/obsidian,u,g,obsidian',
    '500,/tmp/terraform,500u,500g,terraform',
    '500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
    '500,/usr/bom,500u,500g,bom',
    '500,/usr/cargo,0u,0g,cargo',
    '500,/usr/chainctl,0u,0g,chainctl',
    '500,/usr/chrome,0u,0g,chrome',
    '500,/usr/code,0u,0g,code',
    '500,/usr/cosign,500u,500g,cosign',
    '500,/usr/curl,0u,0g,curl',
    '500,/usr/electron,0u,0g,electron',
    '500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre',
    '500,/usr/evolution-calendar-factory,0u,0g,evolution-calen',
    '500,/usr/firefox,0u,0g,firefox',
    '500,/usr/firefox,0u,0g,.firefox-wrappe',
    '500,/usr/firefox,0u,0g,Socket Process',
    '500,/usr/flameshot,0u,0g,flameshot',
    '500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
    '500,/usr/geoclue,0u,0g,geoclue',
    '500,/usr/git,0u,0g,git',
    '500,/usr/git-remote-http,0u,0g,git-remote-http',
    '500,/usr/gitsign,0u,0g,gitsign',
    '500,/usr/gnome-recipes,0u,0g,gnome-recipes',
    '500,/usr/gnome-shell,0u,0g,gnome-shell',
    '500,/usr/gnome-software,0u,0g,gnome-software',
    '500,/usr/go,0u,0g,go',
    '500,/usr/go,500u,500g,go',
    '500,/usr/goa-daemon,0u,0g,goa-daemon',
    '500,/usr/gsd-datetime,0u,0g,gsd-datetime',
    '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
    '500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
    '500,/usr/java,0u,0g,java',
    '500,/usr/java,u,g,java',
    '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
    '500,/usr/keybase,0u,0g,keybase',
    '500,/usr/ko,u,g,ko',
    '500,/usr/node,0u,0g,node',
    '500,/usr/kubectl,500u,500g,kubectl',
    '500,/usr/lens,0u,0g,lens',
    '500,/usr/nautilus,0u,0g,nautilus',
    '500,/usr/nix,0u,0g,nix',
    '500,/usr/obs,0u,0g,obs',
    '500,/usr/pacman,0u,0g,pacman',
    '500,/usr/python3,0u,0g,python3',
    '500,/usr/python3.10,0u,0g,python3',
    '500,/usr/reporter-ureport,0u,0g,reporter-urepor',
    '500,/usr/rpi-imager,0u,0g,rpi-imager',
    '500,/usr/signal-desktop,0u,0g,signal-desktop',
    '500,/usr/signal-desktop,u,g,signal-desktop',
    '500,/usr/slack,0u,0g,slack',
    '500,/usr/spotify,0u,0g,spotify',
    '500,/usr/step,500u,500g,step',
    '500,/usr/syncthing,0u,0g,syncthing',
    '500,/usr/teams,0u,0g,teams',
    '500,/usr/terraform,0u,0g,terraform',
    '500,/usr/thunderbird,0u,0g,thunderbird',
    '500,/usr/trivy,0u,0g,trivy',
    '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
    '500,/usr/xmobar,0u,0g,xmobar',
    '500,/usr/yay,0u,0g,yay'
  )
  -- Exceptions where we have to be more flexible for the process name
  AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
  AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'
  AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'
  AND NOT exception_key LIKE '0,/ko-app/%,u,g,%'
  -- stay weird, NixOS (Fastly nix mirror)
  AND NOT (
    pp.cmdline = '/run/current-system/sw/bin/bash'
    AND p.path LIKE '/nix/store/%'
    AND s.remote_address LIKE '151.101.%'
    AND s.state = 'ESTABLISHED'
  )
  AND NOT (
    exception_key = '500,/tmp/main,500u,500g,main'
    AND p.path LIKE '/tmp/go-build%/exe/main'
  )
  -- Exclude processes running inside of Docker containers
  AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
GROUP BY
  p.cmdline
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`-- Unexpected programs communicating over HTTPS (state-based)`
			`--`
			`-- This query is a bit awkward and hobbled due to the lack of osquery support`
			`-- for looking up binary signatures in Linux.`
			`--`
			`-- references:`
			`-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)`
			`--`
Reduce query intervals for some higher overhead queries 2022-10-20 18:56:16 +00:00			`-- tags: transient state net often`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`-- platform: linux`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`SELECT`
			`s.remote_address,`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`p.name,`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`p.cgroup_path,`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`p.path,`
			`p.cmdline AS child_cmd,`
			`p.cwd,`
			`pp.path AS parent_path,`
			`p.parent AS parent_pid,`
			`pp.cmdline AS parent_cmd,`
			`s.state,`
			`hash.sha256,`
			`-- This intentionally avoids file.path, as it won't join across mount namespaces`
			`CONCAT (`
			`MIN(p.euid, 500),`
			`',',`
			`REPLACE(`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`REPLACE(`
			`REGEX_MATCH (p.path, '(/.*?)/', 1),`
			`'/nix',`
			`'/usr'`
			`),`
			`'/snap',`
			`'/opt'`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`),`
			`'/',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`REGEX_MATCH (p.path, './(.?)$', 1),`
			`',',`
			`MIN(f.uid, 500),`
			`'u,',`
			`MIN(f.gid, 500),`
			`'g,',`
			`p.name`
			`) AS exception_key`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`FROM`
			`process_open_sockets s`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`LEFT JOIN processes p ON s.pid = p.pid`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN file f ON p.path = f.path`
			`LEFT JOIN hash ON p.path = hash.path`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`WHERE`
			`protocol IN (6, 17)`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`AND s.remote_port = 443`
			`AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')`
			`AND s.remote_address NOT LIKE 'fe80:%'`
			`AND s.remote_address NOT LIKE '127.%'`
			`AND s.remote_address NOT LIKE '192.168.%'`
			`AND s.remote_address NOT LIKE '172.1%'`
			`AND s.remote_address NOT LIKE '172.2%'`
			`AND s.remote_address NOT LIKE '172.30.%'`
			`AND s.remote_address NOT LIKE '172.31.%'`
			`AND s.remote_address NOT LIKE '::ffff:172.%'`
			`AND s.remote_address NOT LIKE '10.%'`
			`AND s.remote_address NOT LIKE '::ffff:10.%'`
			`AND s.remote_address NOT LIKE 'fc00:%'`
			`AND p.path != ''`
			`AND NOT exception_key IN (`
Complete cleanup phase 1 2022-11-16 16:18:45 +00:00			`'0,/ko-app/fulcio,u,g,fulcio',`
detection: Reduce Linux desktop false positives 2022-10-25 15:39:51 +00:00			`'0,/opt/snapd,0u,0g,snapd',`
Add exception for Discord 2022-11-03 20:02:45 +00:00			`'0,/sbin/apk,u,g,apk',`
Split parent-missing-from-disk, address false positives 2022-11-23 12:10:03 +00:00			`'0,/usr/applydeltarpm,0u,0g,applydeltarpm',`
detection: Reduce Linux desktop false positives 2022-10-25 15:39:51 +00:00			`'0,/usr/bash,0u,0g,mkinitcpio',`
Add exception for Discord 2022-11-03 20:02:45 +00:00			`'0,/usr/cmake,u,g,cmake',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'0,/usr/containerd,u,g,containerd',`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'0,/usr/dockerd,0u,0g,dockerd',`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'0,/usr/launcher,0u,0g,launcher',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'0,/usr/nix,0u,0g,nix',`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`'0,/usr/nix,0u,0g,nix-daemon',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'0,/usr/packagekitd,0u,0g,packagekitd',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'0,/usr/pacman,0u,0g,pacman',`
Add another firefox & chainctl exception 2022-10-21 21:44:53 +00:00			`'0,/usr/python3.10,0u,0g,dnf',`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`'0,/usr/python3.10,0u,0g,dnf-automatic',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'0,/usr/python3.10,0u,0g,yum',`
Add dnf with python 3.11 2022-11-22 21:29:52 +00:00			`'0,/usr/python3.11,0u,0g,dnf',`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`'0,/usr/python3.11,0u,0g,dnf-automatic',`
			`'0,/usr/python3.11,0u,0g,yum',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'0,/usr/rpi-imager,0u,0g,rpi-imager',`
False-positive updates: tailscale, snapd, WPILib, darkfiles 2022-11-01 11:15:10 +00:00			`'0,/usr/snapd,0u,0g,snapd',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'0,/usr/tailscaled,0u,0g,tailscaled',`
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 14:21:03 +00:00			`'0,/usr/tailscaled,500u,500g,tailscaled',`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`'500,/usr/chainctl,500u,500g,chainctl',`
			`'500,/usr/grype,0u,0g,grype',`
			`'500,/home/krel,500u,500g,krel',`
			`'500,/usr/cosign-linux-amd64,0u,0g,cosign',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'105,/usr/http,0u,0g,https',`
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 14:21:03 +00:00			`'106,/usr/geoclue,0u,0g,geoclue',`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`'500,/app/signal-desktop,u,g,signal-desktop',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/app/slack,u,g,slack',`
Complete cleanup phase 1 2022-11-16 16:18:45 +00:00			`'500,/app/spotify,u,g,spotify',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/app/thunderbird,u,g,thunderbird',`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'500,/app/zoom.real,u,g,zoom.real',`
Complete cleanup phase 1 2022-11-16 16:18:45 +00:00			`'500,/home/cargo,500u,500g,cargo',`
Add another firefox & chainctl exception 2022-10-21 21:44:53 +00:00			`'500,/home/chainctl,500u,100g,chainctl',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'500,/home/chainctl,500u,500g,chainctl',`
False-positive updates: tailscale, snapd, WPILib, darkfiles 2022-11-01 11:15:10 +00:00			`'500,/home/code,500u,500g,code',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/home/cosign,500u,500g,cosign',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/home/gitsign,500u,500g,gitsign',`
			`'500,/home/go,500u,500g,go',`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`'500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',`
Remove more in-the-wild false positives 2022-10-27 20:55:00 +00:00			`'500,/home/grype,500u,500g,grype',`
False-positive updates: tailscale, snapd, WPILib, darkfiles 2022-11-01 11:15:10 +00:00			`'500,/home/java,500u,500g,java',`
detection: Reduce Linux desktop false positives 2022-10-25 15:39:51 +00:00			`'500,/home/jcef_helper,500u,500g,jcef_helper',`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`'500,/home/ko,500u,500g,ko',`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`'500,/home/promoter,500u,500g,promoter',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/home/python3,500u,500g,python3',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'500,/home/steam,500u,100g,steam',`
Add exceptions for Steam on Linux 2022-10-30 14:19:33 +00:00			`'500,/home/steamwebhelper,500u,100g,steamwebhelper',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/home/terraform,500u,500g,terraform',`
False-positive updates: tailscale, snapd, WPILib, darkfiles 2022-11-01 11:15:10 +00:00			`'500,/home/WPILibInstaller,500u,500g,WPILibInstaller',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'500,/ko-app/chainctl,u,g,chainctl',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/ko-app/controller,u,g,controller',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/ko-app/controlplane,u,g,controlplane',`
linux https client: Add 1password 2022-10-21 15:28:31 +00:00			`'500,/opt/1password,0u,0g,1password',`
Remove more in-the-wild false positives 2022-10-27 20:55:00 +00:00			`'500,/opt/Brackets,0u,0g,Brackets',`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`'500,/opt/brave,0u,0g,brave',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/opt/chrome,0u,0g,chrome',`
Add exception for Discord 2022-11-03 20:02:45 +00:00			`'500,/opt/Discord,0u,0g,Discord',`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`'500,/opt/firefox,0u,0g,firefox',`
detection: Reduce Linux desktop false positives 2022-10-25 15:39:51 +00:00			`'500,/opt/firefox,0u,0g,Socket Process',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/opt/Keybase,0u,0g,Keybase',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/opt/kubectl,0u,0g,kubectl',`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`'500,/opt/slack,0u,0g,slack',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/opt/snap-store,0u,0g,snap-store',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/opt/spotify,0u,0g,spotify',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/opt/todoist,0u,0g,todoist',`
			`'500,/opt/zoom,0u,0g,zoom',`
Add exception for Discord 2022-11-03 20:02:45 +00:00			`'500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/tmp/obsidian,u,g,obsidian',`
			`'500,/tmp/terraform,500u,500g,terraform',`
False-positive removal: grype, gedit, mov, abrt-action, dnf 2022-10-21 18:13:29 +00:00			`'500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',`
Add exception for Discord 2022-11-03 20:02:45 +00:00			`'500,/usr/bom,500u,500g,bom',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'500,/usr/cargo,0u,0g,cargo',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/usr/chainctl,0u,0g,chainctl',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/chrome,0u,0g,chrome',`
			`'500,/usr/code,0u,0g,code',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'500,/usr/cosign,500u,500g,cosign',`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'500,/usr/curl,0u,0g,curl',`
Linux: Add electron as an HTTPS client 2022-10-20 17:53:18 +00:00			`'500,/usr/electron,0u,0g,electron',`
False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc 2022-11-18 15:27:43 +00:00			`'500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/usr/evolution-calendar-factory,0u,0g,evolution-calen',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/firefox,0u,0g,firefox',`
			`'500,/usr/firefox,0u,0g,.firefox-wrappe',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/usr/firefox,0u,0g,Socket Process',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'500,/usr/flameshot,0u,0g,flameshot',`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`'500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/geoclue,0u,0g,geoclue',`
Complete cleanup phase 1 2022-11-16 16:18:45 +00:00			`'500,/usr/git,0u,0g,git',`
Remove more in-the-wild false positives 2022-10-27 20:55:00 +00:00			`'500,/usr/git-remote-http,0u,0g,git-remote-http',`
Add exception for gitsign 2022-10-20 17:17:52 +00:00			`'500,/usr/gitsign,0u,0g,gitsign',`
Reduce more false positives found on macOS and Linux 2022-10-26 01:27:41 +00:00			`'500,/usr/gnome-recipes,0u,0g,gnome-recipes',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'500,/usr/gnome-shell,0u,0g,gnome-shell',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/gnome-software,0u,0g,gnome-software',`
Reduce more false positives found on macOS and Linux 2022-10-26 01:27:41 +00:00			`'500,/usr/go,0u,0g,go',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/usr/go,500u,500g,go',`
Add goa-daemon exception (sends telemetry to Google) 2022-11-17 15:17:45 +00:00			`'500,/usr/goa-daemon,0u,0g,goa-daemon',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'500,/usr/gsd-datetime,0u,0g,gsd-datetime',`
detection: Reduce Linux desktop false positives 2022-10-25 15:39:51 +00:00			`'500,/usr/gvfsd-http,0u,0g,gvfsd-http',`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`'500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',`
Add exceptions for java, yay 2022-10-24 15:07:20 +00:00			`'500,/usr/java,0u,0g,java',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/usr/java,u,g,java',`
Complete cleanup phase 1 2022-11-16 16:18:45 +00:00			`'500,/usr/kbfsfuse,0u,0g,kbfsfuse',`
			`'500,/usr/keybase,0u,0g,keybase',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/usr/ko,u,g,ko',`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`'500,/usr/node,0u,0g,node',`
Add more real-world exceptions to unexpected-talkers 2022-10-20 17:03:46 +00:00			`'500,/usr/kubectl,500u,500g,kubectl',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/usr/lens,0u,0g,lens',`
Complete cleanup phase 1 2022-11-16 16:18:45 +00:00			`'500,/usr/nautilus,0u,0g,nautilus',`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`'500,/usr/nix,0u,0g,nix',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/usr/obs,0u,0g,obs',`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`'500,/usr/pacman,0u,0g,pacman',`
False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc 2022-11-18 15:27:43 +00:00			`'500,/usr/python3,0u,0g,python3',`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`'500,/usr/python3.10,0u,0g,python3',`
Address false positives: nginx-ingress-controller, dbus, etc 2022-11-10 16:04:48 +00:00			`'500,/usr/reporter-ureport,0u,0g,reporter-urepor',`
Loads of fresh new false-positives removal 2022-10-31 21:40:37 +00:00			`'500,/usr/rpi-imager,0u,0g,rpi-imager',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'500,/usr/signal-desktop,0u,0g,signal-desktop',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/usr/signal-desktop,u,g,signal-desktop',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`'500,/usr/slack,0u,0g,slack',`
Refactor execdir, remove false positives 2022-11-08 01:36:37 +00:00			`'500,/usr/spotify,0u,0g,spotify',`
Pre-Thanksgiving False Positive cleanup, including Pop!OS support 2022-11-22 14:21:03 +00:00			`'500,/usr/step,500u,500g,step',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/usr/syncthing,0u,0g,syncthing',`
Add exceptions for Microsoft teams, ldconfig, fix go build paths 2022-11-17 12:20:19 +00:00			`'500,/usr/teams,0u,0g,teams',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/usr/terraform,0u,0g,terraform',`
False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc 2022-11-18 15:27:43 +00:00			`'500,/usr/thunderbird,0u,0g,thunderbird',`
Merge another day worth of false positives 2022-10-27 14:23:15 +00:00			`'500,/usr/trivy,0u,0g,trivy',`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`'500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',`
Add exceptions for java, yay 2022-10-24 15:07:20 +00:00			`'500,/usr/xmobar,0u,0g,xmobar',`
			`'500,/usr/yay,0u,0g,yay'`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`)`
			`-- Exceptions where we have to be more flexible for the process name`
linux https clients: Add exception for npm exec 2022-10-20 18:15:57 +00:00			`AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'`
False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc 2022-11-18 15:27:43 +00:00			`AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'`
Begin making use of cgroup_paths, clear more false positives 2022-11-16 21:52:39 +00:00			`AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'`
Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc 2022-12-15 21:51:58 +00:00			`AND NOT exception_key LIKE '0,/ko-app/%,u,g,%'`
linux https clients: add nix, pacman, thunderbird, chainctl, kubectl, socket process, go, tf, webkit, xmobar 2022-10-21 15:12:44 +00:00			`-- stay weird, NixOS (Fastly nix mirror)`
			`AND NOT (`
			`pp.cmdline = '/run/current-system/sw/bin/bash'`
			`AND p.path LIKE '/nix/store/%'`
			`AND s.remote_address LIKE '151.101.%'`
			`AND s.state = 'ESTABLISHED'`
			`)`
Add exception for 'go run' 2022-10-30 13:39:48 +00:00			`AND NOT (`
			`exception_key = '500,/tmp/main,500u,500g,main'`
			`AND p.path LIKE '/tmp/go-build%/exe/main'`
			`)`
Begin making use of cgroup_paths, clear more false positives 2022-11-16 21:52:39 +00:00			`-- Exclude processes running inside of Docker containers`
			`AND NOT p.cgroup_path LIKE '/system.slice/docker-%'`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`GROUP BY`
			`p.cmdline`