osquery-defense-kit/net/unexpected-talkers-linux.sql

SELECT s.family,
  protocol,
  s.local_port,
  s.remote_port,
  s.local_address,
  s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  s.pid,
  s.net_namespace,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  hash.sha256,
  CONCAT(
    MIN(s.remote_port, 32768),
    ",",
    protocol,
    ",",
    MIN(p.uid, 500),
    ",",
    p.name
  ) AS exception_key
FROM process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
WHERE protocol > 0
  AND s.remote_port > 0
  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND s.remote_address NOT LIKE 'fe80:%'
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE '172.1%'
  AND s.remote_address NOT LIKE '172.2%'
  AND s.remote_address NOT LIKE '172.30.%'
  AND s.remote_address NOT LIKE '172.31.%'
  AND s.remote_address NOT LIKE '::ffff:172.%'
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '::ffff:10.%'
  AND s.remote_address NOT LIKE 'fc00:%'
  AND s.state != 'LISTEN'
  -- DNS clients
  AND NOT (
    remote_port = 53
    AND protocol IN (6, 17)
    AND p.name IN (
      '1password',
      'apt',
      'apt-get',
      'Brackets',
      'chainctl',
      'chrome',
      'chronyd',
      'cloud_sql_proxy',
      'code',
      'containerd',
      'controlplane',
      'crc',
      'curl',
      'dig',
      'dnf',
      'electron',
      'firefox',
      '.firefox-wrappe',
      'flameshot',
      'gh',
      'git-remote-http',
      'gitsign',
      'gnome-software',
      'go',
      'grafana-server',
      'grype',
      'host',
      'htop',
      'istioctl',
      'jcef_helper',
      'k6',
      'k9s',
      'ko',
      'kolide-pipeline',
      'launcher',
      'NetworkManager',
      'ngrok',
      'nix',
      'node',
      'nscd',
      'obs',
      'obs-browser-page',
      'obs-ffmpeg-mux',
      'obsidian',
      'opera',
      'pacman',
      'ping',
      'podman',
      'prometheus',
      'rootlessport',
      'signal-desktop',
      'slack',
      'slirp4netns',
      'snapd',
      'snap-store',
      'Socket Process',
      'spotify',
      'ssh',
      'steam',
      'steamwebhelper',
      'syncthing',
      'systemd-resolve',
      'tailscaled',
      '.tailscaled-wra',
      'terraform',
      'terraform-provi',
      'tkn',
      'traceroute',
      'vcluster',
      'wget',
      'whois',
      'xmobar',
      'yay',
      'zoom'
    )
  )

  -- General exceptions
  AND NOT exception_key IN (
    '123,17,500,chronyd',
    '22067,6,500,syncthing',
    '22,6,500,ssh',
    '22,6,,',
    -- shortlived SSH (git push)
    '27024,6,500,steam',
    '3100,6,500,firefox',
    '3307,6,500,cloud_sql_proxy',
    '4070,6,500,spotify',
    '443,17,500,chrome',
    '443,17,500,jcef_helper',
    '443,17,500,spotify',
    '443,6,0,dnf',
    '443,6,0,launcher',
    '443,6,0,pacman',
    '443,6,0,tailscaled',
    '443,6,0,.tailscaled-wra',
    '443,6,472,grafana-server',
    '443,6,500,1password',
    '443,6,500,Brackets',
    '443,6,500,chainctl',
    '443,6,500,chrome',
    '443,6,500,cloud_sql_proxy',
    '443,6,500,code',
    '443,6,500,containerd',
    '443,6,500,controlplane',
    '443,6,500,crc',
    '443,6,500,electron',
    '443,6,500,firefox',
    '443,6,500,.firefox-wrappe',
    '443,6,500,flameshot',
    '443,6,500,gh',
    '443,6,500,git-remote-http',
    '443,6,500,gitsign',
    '443,6,500,gnome-software',
    '443,6,500,go',
    '443,6,500,grafana-server',
    '443,6,500,grype',
    '443,6,500,htop',
    '443,6,500,istioctl',
    '443,6,500,k6',
    '443,6,500,k9s',
    '443,6,500,wget',
    '443,6,500,ko',
    '443,6,500,kolide-pipeline',
    '443,6,500,ngrok',
    '443,6,500,nix',
    '443,6,500,node',
    '443,6,500,obs',
    '443,6,500,obs-browser-page',
    '443,6,500,obs-ffmpeg-mux',
    '443,6,500,obsidian',
    '443,6,500,signal-desktop',
    '443,6,500,slack',
    '443,6,500,slirp4netns',
    '443,6,500,snap-store',
    '443,6,500,Socket Process',
    '443,6,500,spotify',
    '443,6,500,podman',
    '443,6,500,steamwebhelper',
    '443,6,500,terraform',
    '443,6,500,terraform-provi',
    '443,6,500,tkn',
    '443,6,500,vcluster',
    '443,6,500,xmobar',
    '443,6,500,yay',
    '443,6,500,zoom',
    '5228,6,500,chrome',
    '8006,6,500,chrome',
    '80,6,0,dnf',
    '6000,6,500,ssh',
    '443,6,0,influxd',
    '443,6,0,dockerd',
    '80,6,0,NetworkManager',
    '80,6,0,tailscaled',
    '80,6,0,.tailscaled-wra',
    '80,6,500,curl',
    '443,6,500,celery',
    '443,6,500,gunicorn',
    '80,6,500,firefox',
    '443,6,500,Discord',
    '443,6,500,authentik-proxy',
    '80,6,500,.firefox-wrappe',
    '80,6,500,steam',
    '80,6,500,steamwebhelper',
    '80,6,500,syncthing',
    '8801,17,500,zoom',
    '9090,6,500,k6',
    '9090,6,500,firefox',
    '9090,6,500,prometheus',
    '3100,6,500,k6',
    '443,6,0,snapd',
    '9090,6,500,rootlessport'
  )

  -- Other more complicated situations
  AND NOT (
    p.name = 'rootlessport'
    AND remote_port > 1024
  )
  AND NOT (
    p.name = 'syncthing'
    AND (
      remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
      OR remote_port > 8000
    )
  )
  AND NOT (
    p.name IN (
      'chrome',
      'Google Chrome Helper',
      'Brave Browser Helper',
      'Chromium Helper',
      'Opera Helper'
    )
    AND remote_port IN (
      53,
      3100,
      443,
      80,
      8006,
      9000,
      5004,
      8009,
      8080,
      8888,
      8443,
      5228,
      32211,
      53,
      10001,
      3478,
      19305,
      19306,
      19307,
      19308,
      19309
    )
  )
  AND NOT (
    p.name IN ('thunderbird')
    AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
  )
  AND NOT (
    p.name IN ('spotify', 'Spotify Helper', 'Spotify')
    AND remote_port IN (53, 443, 8009, 4070, 32211)
  )
  AND NOT (
    remote_port IN (443, 53)
    AND p.name LIKE 'terraform-provider-%'
  )
  AND NOT (
    remote_port iN (443, 53)
    AND p.name LIKE 'kubectl.%'
  )
  AND NOT (
    p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%'
    AND remote_port IN (80, 53, 443)
  )
GROUP BY s.pid
More whitelisting 2022-09-22 09:18:03 +00:00			`SELECT s.family,`
			`protocol,`
			`s.local_port,`
			`s.remote_port,`
			`s.local_address,`
			`s.remote_address,`
			`p.name,`
			`p.path,`
			`p.cmdline AS child_cmd,`
			`p.cwd,`
			`s.pid,`
			`s.net_namespace,`
			`p.parent AS parent_pid,`
			`pp.cmdline AS parent_cmd,`
			`hash.sha256,`
			`CONCAT(`
			`MIN(s.remote_port, 32768),`
			`",",`
			`protocol,`
			`",",`
			`MIN(p.uid, 500),`
			`",",`
			`p.name`
			`) AS exception_key`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`FROM process_open_sockets s`
More whitelisting 2022-09-22 09:18:03 +00:00			`LEFT JOIN processes p ON s.pid = p.pid`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
			`LEFT JOIN hash ON p.path = hash.path`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`WHERE protocol > 0`
More whitelisting 2022-09-22 09:18:03 +00:00			`AND s.remote_port > 0`
			`AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')`
			`AND s.remote_address NOT LIKE 'fe80:%'`
			`AND s.remote_address NOT LIKE '127.%'`
			`AND s.remote_address NOT LIKE '192.168.%'`
			`AND s.remote_address NOT LIKE '172.1%'`
			`AND s.remote_address NOT LIKE '172.2%'`
			`AND s.remote_address NOT LIKE '172.30.%'`
			`AND s.remote_address NOT LIKE '172.31.%'`
			`AND s.remote_address NOT LIKE '::ffff:172.%'`
			`AND s.remote_address NOT LIKE '10.%'`
			`AND s.remote_address NOT LIKE '::ffff:10.%'`
			`AND s.remote_address NOT LIKE 'fc00:%'`
			`AND s.state != 'LISTEN'`
			`-- DNS clients`
			`AND NOT (`
			`remote_port = 53`
			`AND protocol IN (6, 17)`
			`AND p.name IN (`
			`'1password',`
			`'apt',`
			`'apt-get',`
			`'Brackets',`
			`'chainctl',`
			`'chrome',`
			`'chronyd',`
			`'cloud_sql_proxy',`
			`'code',`
			`'containerd',`
			`'controlplane',`
			`'crc',`
			`'curl',`
			`'dig',`
			`'dnf',`
			`'electron',`
			`'firefox',`
			`'.firefox-wrappe',`
			`'flameshot',`
			`'gh',`
			`'git-remote-http',`
			`'gitsign',`
			`'gnome-software',`
			`'go',`
			`'grafana-server',`
			`'grype',`
			`'host',`
			`'htop',`
			`'istioctl',`
			`'jcef_helper',`
			`'k6',`
			`'k9s',`
			`'ko',`
			`'kolide-pipeline',`
			`'launcher',`
			`'NetworkManager',`
			`'ngrok',`
			`'nix',`
			`'node',`
			`'nscd',`
			`'obs',`
			`'obs-browser-page',`
			`'obs-ffmpeg-mux',`
			`'obsidian',`
			`'opera',`
			`'pacman',`
			`'ping',`
			`'podman',`
			`'prometheus',`
			`'rootlessport',`
			`'signal-desktop',`
			`'slack',`
			`'slirp4netns',`
			`'snapd',`
			`'snap-store',`
			`'Socket Process',`
			`'spotify',`
			`'ssh',`
			`'steam',`
			`'steamwebhelper',`
			`'syncthing',`
			`'systemd-resolve',`
			`'tailscaled',`
			`'.tailscaled-wra',`
			`'terraform',`
			`'terraform-provi',`
			`'tkn',`
			`'traceroute',`
			`'vcluster',`
			`'wget',`
			`'whois',`
			`'xmobar',`
			`'yay',`
			`'zoom'`
			`)`
More tuning, more queries 2022-09-21 11:42:51 +00:00			`)`
More whitelisting 2022-09-22 09:18:03 +00:00
			`-- General exceptions`
			`AND NOT exception_key IN (`
More tuning, more queries 2022-09-21 11:42:51 +00:00			`'123,17,500,chronyd',`
			`'22067,6,500,syncthing',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'22,6,500,ssh',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'22,6,,',`
			`-- shortlived SSH (git push)`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'27024,6,500,steam',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'3100,6,500,firefox',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'3307,6,500,cloud_sql_proxy',`
			`'4070,6,500,spotify',`
			`'443,17,500,chrome',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'443,17,500,jcef_helper',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,17,500,spotify',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'443,6,0,dnf',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,0,launcher',`
			`'443,6,0,pacman',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'443,6,0,tailscaled',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'443,6,0,.tailscaled-wra',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'443,6,472,grafana-server',`
			`'443,6,500,1password',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'443,6,500,Brackets',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,chainctl',`
			`'443,6,500,chrome',`
			`'443,6,500,cloud_sql_proxy',`
			`'443,6,500,code',`
			`'443,6,500,containerd',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'443,6,500,controlplane',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,crc',`
			`'443,6,500,electron',`
			`'443,6,500,firefox',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'443,6,500,.firefox-wrappe',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'443,6,500,flameshot',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,gh',`
			`'443,6,500,git-remote-http',`
			`'443,6,500,gitsign',`
			`'443,6,500,gnome-software',`
			`'443,6,500,go',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'443,6,500,grafana-server',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,grype',`
			`'443,6,500,htop',`
			`'443,6,500,istioctl',`
			`'443,6,500,k6',`
			`'443,6,500,k9s',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'443,6,500,wget',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,ko',`
			`'443,6,500,kolide-pipeline',`
			`'443,6,500,ngrok',`
			`'443,6,500,nix',`
			`'443,6,500,node',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'443,6,500,obs',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,obs-browser-page',`
			`'443,6,500,obs-ffmpeg-mux',`
			`'443,6,500,obsidian',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'443,6,500,signal-desktop',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,slack',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'443,6,500,slirp4netns',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,snap-store',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'443,6,500,Socket Process',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,spotify',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'443,6,500,podman',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'443,6,500,steamwebhelper',`
More tuning, more queries 2022-09-21 11:42:51 +00:00			`'443,6,500,terraform',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'443,6,500,terraform-provi',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'443,6,500,tkn',`
			`'443,6,500,vcluster',`
			`'443,6,500,xmobar',`
			`'443,6,500,yay',`
			`'443,6,500,zoom',`
			`'5228,6,500,chrome',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'8006,6,500,chrome',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'80,6,0,dnf',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'6000,6,500,ssh',`
			`'443,6,0,influxd',`
			`'443,6,0,dockerd',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'80,6,0,NetworkManager',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'80,6,0,tailscaled',`
			`'80,6,0,.tailscaled-wra',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'80,6,500,curl',`
			`'443,6,500,celery',`
			`'443,6,500,gunicorn',`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`'80,6,500,firefox',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'443,6,500,Discord',`
			`'443,6,500,authentik-proxy',`
More tuning, quiet deaths 2022-09-21 17:34:10 +00:00			`'80,6,500,.firefox-wrappe',`
Every day I'm tuning it 2022-09-21 01:56:01 +00:00			`'80,6,500,steam',`
More tuning, more queries 2022-09-21 11:42:51 +00:00			`'80,6,500,steamwebhelper',`
More whitelisting 2022-09-22 09:18:03 +00:00			`'80,6,500,syncthing',`
			`'8801,17,500,zoom',`
			`'9090,6,500,k6',`
			`'9090,6,500,firefox',`
			`'9090,6,500,prometheus',`
			`'3100,6,500,k6',`
			`'443,6,0,snapd',`
			`'9090,6,500,rootlessport'`
			`)`
More tuning, more queries 2022-09-21 11:42:51 +00:00
More whitelisting 2022-09-22 09:18:03 +00:00			`-- Other more complicated situations`
			`AND NOT (`
			`p.name = 'rootlessport'`
			`AND remote_port > 1024`
			`)`
			`AND NOT (`
			`p.name = 'syncthing'`
			`AND (`
			`remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)`
			`OR remote_port > 8000`
			`)`
			`)`
			`AND NOT (`
			`p.name IN (`
			`'chrome',`
			`'Google Chrome Helper',`
			`'Brave Browser Helper',`
			`'Chromium Helper',`
			`'Opera Helper'`
			`)`
			`AND remote_port IN (`
			`53,`
			`3100,`
			`443,`
			`80,`
			`8006,`
			`9000,`
			`5004,`
			`8009,`
			`8080,`
			`8888,`
			`8443,`
			`5228,`
			`32211,`
			`53,`
			`10001,`
			`3478,`
			`19305,`
			`19306,`
			`19307,`
			`19308,`
			`19309`
			`)`
			`)`
			`AND NOT (`
			`p.name IN ('thunderbird')`
			`AND remote_port IN (53, 143, 443, 587, 465, 585, 993)`
			`)`
			`AND NOT (`
			`p.name IN ('spotify', 'Spotify Helper', 'Spotify')`
			`AND remote_port IN (53, 443, 8009, 4070, 32211)`
			`)`
			`AND NOT (`
			`remote_port IN (443, 53)`
			`AND p.name LIKE 'terraform-provider-%'`
			`)`
			`AND NOT (`
			`remote_port iN (443, 53)`
			`AND p.name LIKE 'kubectl.%'`
			`)`
			`AND NOT (`
			`p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%'`
			`AND remote_port IN (80, 53, 443)`
			`)`
More Linux/macOS splits to get signature support 2022-09-20 21:46:47 +00:00			`GROUP BY s.pid`