2022-10-13 18:59:32 +00:00
|
|
|
-- Programs communicating over the network in unexpected ways (state-based)
|
|
|
|
|
--
|
|
|
|
|
-- references:
|
2022-10-19 20:56:32 +00:00
|
|
|
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
|
2022-10-13 18:59:32 +00:00
|
|
|
--
|
2022-10-14 18:19:13 +00:00
|
|
|
-- tags: transient state net often
|
2022-10-21 21:38:47 +00:00
|
|
|
-- platform: darwin
|
|
|
|
|
SELECT
|
|
|
|
|
protocol,
|
2022-09-22 17:18:16 +00:00
|
|
|
s.local_port,
|
|
|
|
|
s.remote_port,
|
|
|
|
|
s.remote_address,
|
|
|
|
|
p.name,
|
|
|
|
|
p.path,
|
|
|
|
|
p.cmdline AS child_cmd,
|
|
|
|
|
p.cwd,
|
|
|
|
|
s.pid,
|
|
|
|
|
p.parent AS parent_pid,
|
|
|
|
|
pp.path AS parent_path,
|
|
|
|
|
pp.cmdline AS parent_cmd,
|
|
|
|
|
hash.sha256,
|
2022-09-24 15:12:23 +00:00
|
|
|
CONCAT (
|
2022-09-22 17:18:16 +00:00
|
|
|
MIN(s.remote_port, 32768),
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-09-22 17:18:16 +00:00
|
|
|
protocol,
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-09-22 17:18:16 +00:00
|
|
|
MIN(p.uid, 500),
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-09-22 17:18:16 +00:00
|
|
|
p.name,
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-09-22 17:18:16 +00:00
|
|
|
signature.identifier,
|
2022-10-13 18:59:32 +00:00
|
|
|
',',
|
2022-09-22 17:18:16 +00:00
|
|
|
signature.authority
|
|
|
|
|
) AS exception_key
|
2022-10-21 21:38:47 +00:00
|
|
|
FROM
|
|
|
|
|
process_open_sockets s
|
2022-09-22 17:18:16 +00:00
|
|
|
LEFT JOIN processes p ON s.pid = p.pid
|
|
|
|
|
LEFT JOIN processes pp ON pp.pid = p.parent
|
|
|
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
|
|
|
LEFT JOIN signature ON p.path = signature.path
|
2022-10-21 21:38:47 +00:00
|
|
|
WHERE
|
|
|
|
|
protocol > 0
|
2022-09-22 17:18:16 +00:00
|
|
|
AND s.remote_port > 0
|
2022-10-13 18:59:32 +00:00
|
|
|
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
|
|
|
|
|
AND s.remote_address NOT LIKE 'fe80:%'
|
|
|
|
|
AND s.remote_address NOT LIKE '127.%'
|
|
|
|
|
AND s.remote_address NOT LIKE '192.168.%'
|
|
|
|
|
AND s.remote_address NOT LIKE '172.1%'
|
|
|
|
|
AND s.remote_address NOT LIKE '172.2%'
|
|
|
|
|
AND s.remote_address NOT LIKE '172.30.%'
|
|
|
|
|
AND s.remote_address NOT LIKE '172.31.%'
|
|
|
|
|
AND s.remote_address NOT LIKE '::ffff:172.%'
|
|
|
|
|
AND s.remote_address NOT LIKE '10.%'
|
|
|
|
|
AND s.remote_address NOT LIKE '::ffff:10.%'
|
|
|
|
|
AND s.remote_address NOT LIKE 'fc00:%'
|
|
|
|
|
AND s.state != 'LISTEN' -- Ignore most common application paths
|
|
|
|
|
AND p.path NOT LIKE '/Applications/%.app/Contents/%'
|
|
|
|
|
AND p.path NOT LIKE '/Library/Apple/System/Library/%'
|
|
|
|
|
AND p.path NOT LIKE '/Library/Application Support/%/Contents/%'
|
|
|
|
|
AND p.path NOT LIKE '/System/Applications/%'
|
|
|
|
|
AND p.path NOT LIKE '/System/Library/%'
|
|
|
|
|
AND p.path NOT LIKE '/Users/%/Library/%.app/Contents/MacOS/%'
|
|
|
|
|
AND p.path NOT LIKE '/System/%'
|
|
|
|
|
AND p.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
|
|
|
|
|
AND p.path NOT LIKE '/usr/libexec/%'
|
|
|
|
|
AND p.path NOT LIKE '/usr/sbin/%'
|
|
|
|
|
AND p.path NOT LIKE '/private/var/folders/%/go-build%/%'
|
2022-09-22 17:18:16 +00:00
|
|
|
AND NOT (
|
|
|
|
|
remote_port = 53
|
|
|
|
|
AND protocol IN (6, 17)
|
|
|
|
|
AND p.name IN (
|
2022-10-13 18:59:32 +00:00
|
|
|
'1password',
|
|
|
|
|
'Acrobat Update Helper',
|
|
|
|
|
'chainctl',
|
|
|
|
|
'cloud_sql_proxy',
|
|
|
|
|
'Code Helper',
|
|
|
|
|
'com.apple.MobileSoftwareUpdate.UpdateBrainService',
|
|
|
|
|
'cosign',
|
|
|
|
|
'crc',
|
|
|
|
|
'curl',
|
|
|
|
|
'dig',
|
|
|
|
|
'Evernote Helper',
|
|
|
|
|
'figma_agent',
|
|
|
|
|
'gh',
|
|
|
|
|
'git-remote-http',
|
|
|
|
|
'gitsign',
|
|
|
|
|
'go',
|
|
|
|
|
'grafana-server',
|
|
|
|
|
'grype',
|
|
|
|
|
'host',
|
|
|
|
|
'htop',
|
|
|
|
|
'istioctl',
|
|
|
|
|
'k6',
|
|
|
|
|
'k9s',
|
|
|
|
|
'ko',
|
|
|
|
|
'launcher',
|
|
|
|
|
'ngrok',
|
|
|
|
|
'nix',
|
|
|
|
|
'node',
|
|
|
|
|
'obs',
|
|
|
|
|
'obs-browser-page',
|
|
|
|
|
'obs-ffmpeg-mux',
|
|
|
|
|
'obsidian',
|
|
|
|
|
'opera',
|
|
|
|
|
'ping',
|
|
|
|
|
'Python',
|
|
|
|
|
'python3.10',
|
|
|
|
|
'Reflect',
|
|
|
|
|
'Reflect Helper',
|
|
|
|
|
'ruby',
|
|
|
|
|
'sample',
|
|
|
|
|
'ssh',
|
|
|
|
|
'steam_osx',
|
|
|
|
|
'syncthing',
|
|
|
|
|
'tailscaled',
|
|
|
|
|
'terraform',
|
|
|
|
|
'tkn',
|
|
|
|
|
'traceroute',
|
|
|
|
|
'vcluster',
|
|
|
|
|
'wget',
|
|
|
|
|
'whois',
|
|
|
|
|
'zoom'
|
2022-09-22 17:18:16 +00:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
AND NOT exception_key IN (
|
2022-10-13 18:59:32 +00:00
|
|
|
'22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)',
|
|
|
|
|
'22,6,500,ssh,,',
|
|
|
|
|
'22,6,500,ssh,com.apple.openssh,Software Signing',
|
2022-10-26 01:27:41 +00:00
|
|
|
'22,6,500,ssh,com.apple.ssh,Software Signing',
|
2022-10-13 18:59:32 +00:00
|
|
|
'22,6,500,ssh,ssh,',
|
|
|
|
|
'22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
|
|
|
|
|
'30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
|
|
|
|
|
'3307,6,500,cloud_sql_proxy,a.out,',
|
|
|
|
|
'43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
|
|
|
|
|
'443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
|
2022-10-24 15:07:39 +00:00
|
|
|
'443,17,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
|
|
|
|
|
'443,17,500,Slack Helper,,',
|
|
|
|
|
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
|
|
|
|
|
'443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
|
|
|
|
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
|
|
|
|
|
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
|
|
|
|
|
'443,6,0,nix,nix,',
|
|
|
|
|
'443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
|
|
|
|
'443,6,500,,,',
|
|
|
|
|
'443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
|
|
|
|
|
'443,6,500,bash,bash,',
|
|
|
|
|
'443,6,500,chainctl,,',
|
|
|
|
|
'443,6,500,chainctl,a.out,',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,chainctl,chainctl,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,chainctl_Darwin_arm64,a.out,',
|
|
|
|
|
'443,6,500,civo,a.out,',
|
|
|
|
|
'443,6,500,cloud_sql_proxy,a.out,',
|
|
|
|
|
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
2022-10-27 20:55:00 +00:00
|
|
|
'443,6,500,com.docker.backend,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,cosign,,',
|
|
|
|
|
'443,6,500,cosign,a.out,',
|
2022-10-19 19:26:03 +00:00
|
|
|
'443,6,500,cosign,cosign,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,crane,,',
|
|
|
|
|
'443,6,500,crane,a.out,',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,crane,crane,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,ctclient,a.out,',
|
|
|
|
|
'443,6,500,curl,com.apple.curl,Software Signing',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,darkfiles,a.out,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,docker-credential-gcr,a.out,',
|
|
|
|
|
'443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'443,6,500,emacs-28.2,emacs-28.2,',
|
|
|
|
|
'443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
|
|
|
|
|
'443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,FlyDelta,com.delta.iphone.ver1,Apple iPhone OS Application Signing',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,gh,a.out,',
|
|
|
|
|
'443,6,500,gh,gh,',
|
|
|
|
|
'443,6,500,git,com.apple.git,Software Signing',
|
|
|
|
|
'443,6,500,git,git,',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,GitHub.UI,GitHub,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'443,6,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
|
2022-10-20 17:12:46 +00:00
|
|
|
'443,6,500,git-remote-http,,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,git-remote-http,git-remote-http-555549448cff17dcad50330caee64c85205e6a99,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,',
|
|
|
|
|
'443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,',
|
2022-10-27 14:23:15 +00:00
|
|
|
'443,6,500,git-remote-http,git-remote-http-55554944e0748565fb2d356b9eb3edf61873140d,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,',
|
|
|
|
|
'443,6,500,gitsign,,',
|
|
|
|
|
'443,6,500,gitsign,a.out,',
|
|
|
|
|
'443,6,500,gitsign,gitsign,',
|
|
|
|
|
'443,6,500,go,a.out,',
|
|
|
|
|
'443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,grype,grype,',
|
|
|
|
|
'443,6,500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,helm,a.out,',
|
|
|
|
|
'443,6,500,istioctl,a.out,',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
|
|
|
|
|
'443,6,500,ko,a.out,',
|
|
|
|
|
'443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
|
|
|
|
'443,6,500,kubectl,,',
|
|
|
|
|
'443,6,500,kubectl,a.out,',
|
|
|
|
|
'443,6,500,limactl,,',
|
|
|
|
|
'443,6,500,main,a.out,',
|
|
|
|
|
'443,6,500,melange,a.out,',
|
|
|
|
|
'443,6,500,minikube,,',
|
|
|
|
|
'443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
|
|
|
|
|
'443,6,500,nix,nix,',
|
|
|
|
|
'443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)',
|
|
|
|
|
'443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
|
|
|
|
|
'443,6,500,prober,a.out,',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,provisio,,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,pulumi-resource-gcp,a.out,',
|
|
|
|
|
'443,6,500,pulumi-resource-github,a.out,',
|
|
|
|
|
'443,6,500,python2.7,python2.7,',
|
|
|
|
|
'443,6,500,python3.10,python3.10,',
|
|
|
|
|
'443,6,500,Python,com.apple.python3,Software Signing',
|
|
|
|
|
'443,6,500,Python,org.python.python,',
|
|
|
|
|
'443,6,500,Python,Python,',
|
|
|
|
|
'443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
|
|
|
|
|
'443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
|
|
|
|
|
'443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing',
|
|
|
|
|
'443,6,500,scorecard-darwin-amd64,,',
|
|
|
|
|
'443,6,500,Slack Helper,,',
|
|
|
|
|
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
|
2022-10-14 14:26:25 +00:00
|
|
|
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
|
2022-10-27 14:23:15 +00:00
|
|
|
'443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
|
|
|
|
'443,6,500,step,step,',
|
2022-10-21 15:26:50 +00:00
|
|
|
'443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
|
2022-10-13 18:59:32 +00:00
|
|
|
'443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
|
|
|
|
|
'443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
|
|
|
|
|
'443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
|
|
|
|
|
'443,6,500,vegeta,a.out,',
|
|
|
|
|
'443,6,500,vim,vim,',
|
|
|
|
|
'443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
|
|
|
|
|
'443,6,500,zsh,com.apple.zsh,Software Signing',
|
|
|
|
|
'53,17,500,docker-credential-gcr,a.out,',
|
2022-10-21 15:26:50 +00:00
|
|
|
'53,17,500,trivy,,',
|
2022-10-13 18:59:32 +00:00
|
|
|
'6000,6,500,ssh,,',
|
|
|
|
|
'6000,6,500,ssh,com.apple.openssh,Software Signing',
|
|
|
|
|
'6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
|
|
|
|
|
'80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
|
|
|
|
|
'80,6,500,curl,com.apple.curl,Software Signing',
|
|
|
|
|
'80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
|
|
|
|
|
'80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
|
|
|
|
|
'80,6,500,webhook.test,a.out,'
|
2022-09-30 16:10:18 +00:00
|
|
|
) -- nix-shell infects children with open connections
|
2022-09-22 17:18:16 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
parent_cmd LIKE '%/tmp/nix-shell%'
|
2022-09-22 17:18:16 +00:00
|
|
|
AND remote_port = 443
|
|
|
|
|
AND protocol = 6
|
2022-09-30 16:10:18 +00:00
|
|
|
) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
|
2022-09-22 17:18:16 +00:00
|
|
|
AND NOT (
|
2022-09-30 18:22:01 +00:00
|
|
|
(
|
2022-10-13 18:59:32 +00:00
|
|
|
remote_address LIKE '151.101.%'
|
|
|
|
|
OR remote_address LIKE '140.82.%'
|
2022-10-21 15:26:50 +00:00
|
|
|
OR remote_address LIKE '199.232.%'
|
2022-09-30 18:22:01 +00:00
|
|
|
)
|
2022-09-22 17:18:16 +00:00
|
|
|
AND remote_port = 443
|
|
|
|
|
AND protocol = 6
|
2022-10-21 15:26:50 +00:00
|
|
|
AND (
|
|
|
|
|
pp.path LIKE '/nix/store/%'
|
|
|
|
|
OR p.path LIKE '/nix/store/%'
|
|
|
|
|
)
|
2022-09-30 16:10:18 +00:00
|
|
|
) -- More complicated patterns go here
|
2022-09-22 17:18:16 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
p.name = 'syncthing'
|
2022-09-22 17:18:16 +00:00
|
|
|
AND (
|
2022-09-30 21:45:45 +00:00
|
|
|
remote_port IN (53, 80, 88, 110, 443, 587, 993)
|
|
|
|
|
OR remote_port > 1024
|
2022-09-22 17:18:16 +00:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
p.name IN (
|
2022-10-13 18:59:32 +00:00
|
|
|
'Google Chrome Helper',
|
|
|
|
|
'Brave Browser Helper',
|
|
|
|
|
'Chromium Helper',
|
|
|
|
|
'Opera Helper'
|
2022-09-22 17:18:16 +00:00
|
|
|
)
|
|
|
|
|
AND remote_port IN (
|
|
|
|
|
53,
|
|
|
|
|
443,
|
|
|
|
|
80,
|
|
|
|
|
8009,
|
|
|
|
|
8080,
|
|
|
|
|
8888,
|
|
|
|
|
8443,
|
|
|
|
|
5228,
|
|
|
|
|
32211,
|
|
|
|
|
53,
|
|
|
|
|
10001,
|
|
|
|
|
3478,
|
|
|
|
|
19305,
|
|
|
|
|
19306,
|
|
|
|
|
5004,
|
|
|
|
|
9000,
|
|
|
|
|
19307,
|
|
|
|
|
19308,
|
|
|
|
|
19309
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes')
|
2022-09-22 17:18:16 +00:00
|
|
|
AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
|
|
|
|
|
)
|
2022-10-03 20:27:56 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
parent_path = '/Applications/Minecraft.app/Contents/MacOS/launcher'
|
2022-10-03 20:27:56 +00:00
|
|
|
AND remote_port > 30000
|
|
|
|
|
)
|
2022-09-22 17:18:16 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
p.name IN ('Spotify Helper', 'Spotify')
|
2022-09-22 17:18:16 +00:00
|
|
|
AND remote_port IN (53, 443, 8009, 4070, 32211)
|
|
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
remote_port IN (53, 443)
|
2022-10-13 18:59:32 +00:00
|
|
|
AND p.name LIKE 'terraform-provider-%'
|
2022-09-22 17:18:16 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
|
|
|
|
remote_port IN (53, 443)
|
2022-10-13 18:59:32 +00:00
|
|
|
AND p.name LIKE 'kubectl.%'
|
2022-09-22 17:18:16 +00:00
|
|
|
)
|
|
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%'
|
2022-09-30 21:45:45 +00:00
|
|
|
AND remote_port IN (80, 443, 53)
|
2022-09-30 16:10:18 +00:00
|
|
|
) -- Slack update?
|
2022-09-22 23:50:49 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
p.path = ''
|
|
|
|
|
AND pp.cmdline LIKE '%/Slack'
|
2022-09-30 16:10:18 +00:00
|
|
|
) -- Process name is sometimes empty here?
|
2022-09-24 15:07:34 +00:00
|
|
|
AND NOT (
|
2022-10-13 18:59:32 +00:00
|
|
|
p.cmdline = '/Applications/Craft.app/Contents/MacOS/Craft'
|
2022-09-24 15:07:34 +00:00
|
|
|
AND remote_port = 443
|
|
|
|
|
AND protocol = 6
|
|
|
|
|
)
|
2022-09-30 19:42:10 +00:00
|
|
|
AND NOT (
|
|
|
|
|
remote_port IN (53, 443)
|
2022-10-13 18:59:32 +00:00
|
|
|
AND p.path LIKE '/private/var/folders/%/T/GoLand/%'
|
2022-09-30 19:42:10 +00:00
|
|
|
)
|
2022-10-21 21:38:47 +00:00
|
|
|
GROUP BY
|
|
|
|
|
s.pid
|
