osquery-defense-kit/detection/c2/unexpected-talkers-linux.sql

-- Unexpected programs communicating over non-HTTPS protocols (state-based)
--
-- This query is a bit awkward and hobbled due to the lack of osquery support
-- for looking up binary signatures in Linux.
--
-- references:
--   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net rapid
-- platform: linux
SELECT
  s.remote_address,
  s.remote_port,
  s.local_port,
  s.local_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  pp.path AS parent_path,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  p.cgroup_path,
  s.state,
  hash.sha256,
  -- This intentionally avoids file.path, as it won't join across mount namespaces
  CONCAT (
    MIN(s.remote_port, 32768),
    ',',
    s.protocol,
    ',',
    MIN(p.euid, 500),
    ',',
    REGEX_MATCH (p.path, '.*/(.*?)$', 1),
    ',',
    MIN(f.uid, 500),
    'u,',
    MIN(f.gid, 500),
    'g,',
    p.name
  ) AS exception_key
FROM
  process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN hash ON p.path = hash.path
WHERE
  protocol > 0
  AND s.remote_port > 0 -- See unexpected-https-client
  AND NOT (
    s.remote_port = 443
    AND protocol IN (6, 17)
  ) -- See unexpected-dns-traffic
  AND NOT (
    s.remote_port = 53
    AND protocol IN (6, 17)
  )
  AND s.remote_address NOT IN (
    '127.0.0.1',
    '::ffff:127.0.0.1',
    '::1',
    '::',
    '0.0.0.0'
  )
  AND s.remote_address NOT LIKE 'fe80:%'
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE '192.168.%'
  AND s.remote_address NOT LIKE '172.1%'
  AND s.remote_address NOT LIKE '172.2%'
  AND s.remote_address NOT LIKE '172.30.%'
  AND s.remote_address NOT LIKE '172.31.%'
  AND s.remote_address NOT LIKE '::ffff:172.%'
  AND s.remote_address NOT LIKE '10.%'
  AND s.remote_address NOT LIKE '::ffff:10.%'
  AND s.remote_address NOT LIKE '::ffff:192.168.%'
  AND s.remote_address NOT LIKE 'fc00:%'
  AND p.path != ''
  AND NOT exception_key IN (
    '123,17,114,chronyd,0u,0g,chronyd',
    '123,17,500,chronyd,0u,0g,chronyd',
    '143,6,500,thunderbird,0u,0g,thunderbird',
    '143,6,500,thunderbird,u,g,thunderbird',
    '19305,6,500,firefox,0u,0g,firefox',
    '19305,6,500,firefox,0u,0g,.firefox-wrappe',
    '22000,6,500,syncthing,0u,0g,syncthing',
    '22,6,0,ssh,0u,0g,ssh',
    '22,6,0,tailscaled,0u,0g,tailscaled',
    '22,6,500,cargo,0u,0g,cargo',
    '22,6,500,cargo,500u,500g,cargo',
    '22,6,500,netcat,0u,0g,nc',
    '22,6,500,ssh,0u,0g,ssh',
    '22,6,500,terraform,500u,500g,terraform',
    '3000,6,500,brave,0u,0g,brave',
    '3000,6,500,chrome,0u,0g,chrome',
    '32768,6,0,tailscaled,0u,0g,tailscaled',
    '32768,6,500,ssh,0u,0g,ssh',
    '3443,6,500,chrome,0u,0g,chrome',
    '3478,6,500,chrome,0u,0g,chrome',
    '3478,6,500,firefox,0u,0g,firefox',
    '4070,6,500,spotify,0u,0g,spotify',
    '4070,6,500,spotify,500u,500g,spotify',
    '4070,6,500,spotify,u,g,spotify',
    '43,6,500,whois,0u,0g,whois',
    '4460,6,114,chronyd,0u,0g,chronyd',
    '5004,6,500,brave,0u,0g,brave',
    '5006,6,500,brave,0u,0g,brave',
    '500,htop,0u,0g,htop',
    '80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
    '5228,6,500,chrome,0u,0g,chrome',
    '6443,6,500,kubectl,0u,0g,kubectl',
    '67,17,0,NetworkManager,0u,0g,NetworkManager',
    '8000,6,500,brave,0u,0g,brave',
    '8000,6,500,chrome,0u,0g,chrome',
    '465,6,500,thunderbird,0u,0g,thunderbird',
    '8000,6,500,firefox,0u,0g,firefox',
    '80,6,0,applydeltarpm,0u,0g,applydeltarpm',
    '80,6,0,appstreamcli,0u,0g,appstreamcli',
    '80,6,0,bash,0u,0g,bash',
    '80,6,0,bash,0u,0g,mkinitcpio',
    '80,6,0,bash,0u,0g,sh',
    '80,6,0,bash,0u,0g,update-ca-trust',
    '80,6,0,cp,0u,0g,cp',
    '80,6,0,fc-cache,0u,0g,fc-cache',
    '500,syft,0u,0g,syft',
    '80,6,0,find,0u,0g,find',
    '80,6,0,gawk,0u,0g,awk',
    '80,6,0,gpg,0u,0g,gpg',
    '80,6,0,kmod,0u,0g,depmod',
    '80,6,0,kubelet,u,g,kubelet',
    '80,6,0,ldconfig,0u,0g,ldconfig',
    '80,6,0,NetworkManager,0u,0g,NetworkManager',
    '80,6,0,packagekitd,0u,0g,packagekitd',
    '80,6,0,pacman,0u,0g,pacman',
    '80,6,0,python3.10,0u,0g,dnf',
    '1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer',
    '80,6,0,python3.10,0u,0g,dnf-automatic',
    '80,6,0,python3.10,0u,0g,yum',
    '80,6,0,python3.11,0u,0g,dnf',
    '80,6,0,python3.11,0u,0g,yum',
    '80,6,0,tailscaled,0u,0g,tailscaled',
    '80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
    '80,6,0,/usr/python2.7,u,g,yum',
    '80,6,0,/usr/xargs,0u,0g,xargs',
    '80,6,0,wget,0u,0g,wget',
    '80,6,0,zstd,0u,0g,zstd',
    '80,6,100,http,0u,0g,http',
    '80,6,105,http,0u,0g,http',
    '80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
    '80,6,500,brave,0u,0g,brave',
    '80,6,500,chrome,0u,0g,chrome',
    '80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
    '80,6,500,curl,0u,0g,curl',
    '80,6,500,electron,0u,0g,electron',
    '80,6,500,firefox,0u,0g,firefox',
    '80,6,500,firefox,0u,0g,.firefox-wrappe',
    '80,6,500,gnome-software,0u,0g,gnome-software',
    '80,6,500,mconvert,500u,500g,mconvert',
    '80,6,500,obs-browser-page,u,g,obs-browser-pag',
    '80,6,500,pacman,0u,0g,pacman',
    '80,6,500,python3.10,0u,0g,aws',
    '80,6,500,python3.10,0u,0g,yum',
    '80,6,500,python3.11,0u,0g,abrt-action-ins',
    '80,6,500,rpi-imager,0u,0g,rpi-imager',
    '80,6,500,signal-desktop,0u,0g,signal-desktop',
    '80,6,500,signal-desktop,u,g,signal-desktop',
    '80,6,500,wine64-preloader,0u,0g,control.exe',
    '80,6,500,slirp4netns,500u,500g,slirp4netns',
    '80,6,500,spotify,0u,0g,spotify',
    '80,6,500,spotify-launcher,0u,0g,spotify-launche',
    '80,6,500,spotify,u,g,spotify',
    '80,6,500,steam,500u,100g,steam',
    '80,6,500,steam,500u,500g,steam',
    '80,6,500,steamwebhelper,500u,500g,steamwebhelper',
    '80,6,500,python3.11,0u,0g,dnf',
    '80,6,500,terraform,500u,500g,terraform',
    '80,6,500,thunderbird,0u,0g,thunderbird',
    '80,6,500,thunderbird,u,g,thunderbird',
    '587,6,500,thunderbird,u,g,thunderbird',
    '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
    '80,6,500,zoom,0u,0g,zoom',
    '80,6,500,zoom.real,u,g,zoom.real',
    '9418,6,500,git,0u,0g,git',
    '8080,6,500,brave,0u,0g,brave',
    '8080,6,500,chrome,0u,0g,chrome',
    '8080,6,500,firefox,0u,0g,firefox',
    '8080,6,500,python3.11,0u,0g,speedtest-cli',
    '8080,6,500,speedtest,500u,500g,speedtest',
    '8443,6,500,chrome,0u,0g,chrome',
    '8443,6,500,firefox,0u,0g,firefox',
    '8801,17,500,zoom,0u,0g,zoom',
    '8801,17,500,zoom.real,u,g,zoom.real',
    '88,6,500,syncthing,0u,0g,syncthing',
    '465,6,500,thunderbird,0u,0g,thunderbird',
    '993,6,500,evolution,0u,0g,evolution',
    '993,6,500,thunderbird,0u,0g,thunderbird',
    '993,6,500,thunderbird,u,g,thunderbird',
    '9999,6,500,firefox,0u,0g,firefox'
  )
  AND NOT (
    p.name = 'java'
    AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%'
    AND s.remote_port > 1024
    AND s.protocol = 6
    AND p.euid > 500
  )
  AND NOT (
    p.name = 'syncthing'
    AND f.filename = 'syncthing'
    AND s.remote_port > 1024
    AND s.protocol = 6
    AND p.euid > 500
  )
  AND NOT (
    p.name = 'chrome'
    AND f.filename = 'chrome'
    AND s.remote_port > 1024
    AND s.protocol = 6
    AND p.euid > 500
  )
  AND NOT (
    p.name = 'steam'
    AND f.filename = 'steam'
    AND s.remote_port > 27000
    AND s.protocol = 6
    AND p.euid > 500
  )
  AND NOT (
    p.name = 'chrome'
    AND f.filename = 'chrome'
    AND s.remote_port > 3000
    AND s.protocol = 6
    AND p.euid > 500
  )
  AND NOT (
    p.name = 'firefox'
    AND f.filename = 'firefox'
    AND s.remote_port > 3000
    AND s.protocol = 6
    AND p.euid > 500
  )
  -- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)
  AND NOT (
    exception_key = '32768,6,500,ssh,0u,0g,ssh'
    AND s.remote_port = 40022
  )
  AND NOT (
    s.remote_port = 80
    AND (
      p.cgroup_path LIKE '/system.slice/docker-%'
      OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
    )
  )
GROUP BY
  p.cmdline
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`-- Unexpected programs communicating over non-HTTPS protocols (state-based)`
			`--`
			`-- This query is a bit awkward and hobbled due to the lack of osquery support`
			`-- for looking up binary signatures in Linux.`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`--`
			`-- references:`
Add a lot more mitre data 2022-10-19 20:56:32 +00:00			`-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`--`
Use 'rapid' instead of 'continous' for tagging 2022-10-17 12:43:29 +00:00			`-- tags: transient state net rapid`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`-- platform: linux`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`SELECT`
			`s.remote_address,`
More exclusions 2022-11-08 17:59:11 +00:00			`s.remote_port,`
Add local port and address to network queries 2023-02-08 15:12:44 +00:00			`s.local_port,`
			`s.local_address,`
More whitelisting 2022-09-22 09:18:03 +00:00			`p.name,`
			`p.path,`
			`p.cmdline AS child_cmd,`
			`p.cwd,`
Launch day fixes 2022-09-22 17:18:16 +00:00			`pp.path AS parent_path,`
More whitelisting 2022-09-22 09:18:03 +00:00			`p.parent AS parent_pid,`
			`pp.cmdline AS parent_cmd,`
Catch up to some older false positives we ran into 2023-01-06 22:11:24 +00:00			`p.cgroup_path,`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`s.state,`
More whitelisting 2022-09-22 09:18:03 +00:00			`hash.sha256,`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`-- This intentionally avoids file.path, as it won't join across mount namespaces`
Format everything with 'npx sql-formatter -l sqlite' 2022-09-24 15:12:23 +00:00			`CONCAT (`
More whitelisting 2022-09-22 09:18:03 +00:00			`MIN(s.remote_port, 32768),`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`',',`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`s.protocol,`
			`',',`
			`MIN(p.euid, 500),`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`',',`
reformat SQL queries 2022-10-20 13:11:29 +00:00			`REGEX_MATCH (p.path, './(.?)$', 1),`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`',',`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`MIN(f.uid, 500),`
			`'u,',`
			`MIN(f.gid, 500),`
			`'g,',`
More whitelisting 2022-09-22 09:18:03 +00:00			`p.name`
			`) AS exception_key`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`FROM`
			`process_open_sockets s`
More whitelisting 2022-09-22 09:18:03 +00:00			`LEFT JOIN processes p ON s.pid = p.pid`
			`LEFT JOIN processes pp ON p.parent = pp.pid`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`LEFT JOIN file f ON p.path = f.path`
More whitelisting 2022-09-22 09:18:03 +00:00			`LEFT JOIN hash ON p.path = hash.path`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`WHERE`
			`protocol > 0`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`AND s.remote_port > 0 -- See unexpected-https-client`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`AND NOT (`
			`s.remote_port = 443`
			`AND protocol IN (6, 17)`
linux talkers: Treat /snap as /opt 2022-10-20 17:50:14 +00:00			`) -- See unexpected-dns-traffic`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`AND NOT (`
			`s.remote_port = 53`
			`AND protocol IN (6, 17)`
			`)`
			`AND s.remote_address NOT IN (`
			`'127.0.0.1',`
			`'::ffff:127.0.0.1',`
			`'::1',`
			`'::',`
			`'0.0.0.0'`
			`)`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND s.remote_address NOT LIKE 'fe80:%'`
			`AND s.remote_address NOT LIKE '127.%'`
			`AND s.remote_address NOT LIKE '192.168.%'`
			`AND s.remote_address NOT LIKE '172.1%'`
			`AND s.remote_address NOT LIKE '172.2%'`
			`AND s.remote_address NOT LIKE '172.30.%'`
			`AND s.remote_address NOT LIKE '172.31.%'`
			`AND s.remote_address NOT LIKE '::ffff:172.%'`
			`AND s.remote_address NOT LIKE '10.%'`
			`AND s.remote_address NOT LIKE '::ffff:10.%'`
fpr: minikube, tailscale, dex, pacman, virtualbox, steam, lsmod, busybox, etc 2023-01-24 01:33:52 +00:00			`AND s.remote_address NOT LIKE '::ffff:192.168.%'`
Migrate query strings from double to single apostrophes 2022-10-13 18:59:32 +00:00			`AND s.remote_address NOT LIKE 'fc00:%'`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`AND p.path != ''`
			`AND NOT exception_key IN (`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'123,17,114,chronyd,0u,0g,chronyd',`
			`'123,17,500,chronyd,0u,0g,chronyd',`
			`'143,6,500,thunderbird,0u,0g,thunderbird',`
			`'143,6,500,thunderbird,u,g,thunderbird',`
			`'19305,6,500,firefox,0u,0g,firefox',`
			`'19305,6,500,firefox,0u,0g,.firefox-wrappe',`
			`'22000,6,500,syncthing,0u,0g,syncthing',`
			`'22,6,0,ssh,0u,0g,ssh',`
			`'22,6,0,tailscaled,0u,0g,tailscaled',`
			`'22,6,500,cargo,0u,0g,cargo',`
			`'22,6,500,cargo,500u,500g,cargo',`
			`'22,6,500,netcat,0u,0g,nc',`
			`'22,6,500,ssh,0u,0g,ssh',`
			`'22,6,500,terraform,500u,500g,terraform',`
			`'3000,6,500,brave,0u,0g,brave',`
			`'3000,6,500,chrome,0u,0g,chrome',`
			`'32768,6,0,tailscaled,0u,0g,tailscaled',`
			`'32768,6,500,ssh,0u,0g,ssh',`
			`'3443,6,500,chrome,0u,0g,chrome',`
			`'3478,6,500,chrome,0u,0g,chrome',`
			`'3478,6,500,firefox,0u,0g,firefox',`
			`'4070,6,500,spotify,0u,0g,spotify',`
			`'4070,6,500,spotify,500u,500g,spotify',`
			`'4070,6,500,spotify,u,g,spotify',`
			`'43,6,500,whois,0u,0g,whois',`
			`'4460,6,114,chronyd,0u,0g,chronyd',`
			`'5004,6,500,brave,0u,0g,brave',`
			`'5006,6,500,brave,0u,0g,brave',`
			`'500,htop,0u,0g,htop',`
fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 21:30:17 +00:00			`'80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'5228,6,500,chrome,0u,0g,chrome',`
			`'6443,6,500,kubectl,0u,0g,kubectl',`
			`'67,17,0,NetworkManager,0u,0g,NetworkManager',`
			`'8000,6,500,brave,0u,0g,brave',`
			`'8000,6,500,chrome,0u,0g,chrome',`
fpr: exceptions for pacman, StreamDeck, gcloud, Rocket, thunderbird 2023-02-20 23:04:17 +00:00			`'465,6,500,thunderbird,0u,0g,thunderbird',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'8000,6,500,firefox,0u,0g,firefox',`
			`'80,6,0,applydeltarpm,0u,0g,applydeltarpm',`
			`'80,6,0,appstreamcli,0u,0g,appstreamcli',`
			`'80,6,0,bash,0u,0g,bash',`
			`'80,6,0,bash,0u,0g,mkinitcpio',`
			`'80,6,0,bash,0u,0g,sh',`
			`'80,6,0,bash,0u,0g,update-ca-trust',`
			`'80,6,0,cp,0u,0g,cp',`
			`'80,6,0,fc-cache,0u,0g,fc-cache',`
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 12:24:42 +00:00			`'500,syft,0u,0g,syft',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'80,6,0,find,0u,0g,find',`
			`'80,6,0,gawk,0u,0g,awk',`
			`'80,6,0,gpg,0u,0g,gpg',`
			`'80,6,0,kmod,0u,0g,depmod',`
			`'80,6,0,kubelet,u,g,kubelet',`
			`'80,6,0,ldconfig,0u,0g,ldconfig',`
			`'80,6,0,NetworkManager,0u,0g,NetworkManager',`
			`'80,6,0,packagekitd,0u,0g,packagekitd',`
			`'80,6,0,pacman,0u,0g,pacman',`
			`'80,6,0,python3.10,0u,0g,dnf',`
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 12:24:42 +00:00			`'1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'80,6,0,python3.10,0u,0g,dnf-automatic',`
			`'80,6,0,python3.10,0u,0g,yum',`
			`'80,6,0,python3.11,0u,0g,dnf',`
			`'80,6,0,python3.11,0u,0g,yum',`
			`'80,6,0,tailscaled,0u,0g,tailscaled',`
			`'80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',`
			`'80,6,0,/usr/python2.7,u,g,yum',`
			`'80,6,0,/usr/xargs,0u,0g,xargs',`
			`'80,6,0,wget,0u,0g,wget',`
			`'80,6,0,zstd,0u,0g,zstd',`
			`'80,6,100,http,0u,0g,http',`
			`'80,6,105,http,0u,0g,http',`
			`'80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',`
			`'80,6,500,brave,0u,0g,brave',`
			`'80,6,500,chrome,0u,0g,chrome',`
			`'80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',`
			`'80,6,500,curl,0u,0g,curl',`
			`'80,6,500,electron,0u,0g,electron',`
			`'80,6,500,firefox,0u,0g,firefox',`
			`'80,6,500,firefox,0u,0g,.firefox-wrappe',`
			`'80,6,500,gnome-software,0u,0g,gnome-software',`
			`'80,6,500,mconvert,500u,500g,mconvert',`
			`'80,6,500,obs-browser-page,u,g,obs-browser-pag',`
			`'80,6,500,pacman,0u,0g,pacman',`
			`'80,6,500,python3.10,0u,0g,aws',`
			`'80,6,500,python3.10,0u,0g,yum',`
			`'80,6,500,python3.11,0u,0g,abrt-action-ins',`
			`'80,6,500,rpi-imager,0u,0g,rpi-imager',`
			`'80,6,500,signal-desktop,0u,0g,signal-desktop',`
			`'80,6,500,signal-desktop,u,g,signal-desktop',`
fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 21:30:17 +00:00			`'80,6,500,wine64-preloader,0u,0g,control.exe',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'80,6,500,slirp4netns,500u,500g,slirp4netns',`
			`'80,6,500,spotify,0u,0g,spotify',`
			`'80,6,500,spotify-launcher,0u,0g,spotify-launche',`
			`'80,6,500,spotify,u,g,spotify',`
			`'80,6,500,steam,500u,100g,steam',`
			`'80,6,500,steam,500u,500g,steam',`
			`'80,6,500,steamwebhelper,500u,500g,steamwebhelper',`
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 12:24:42 +00:00			`'80,6,500,python3.11,0u,0g,dnf',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'80,6,500,terraform,500u,500g,terraform',`
			`'80,6,500,thunderbird,0u,0g,thunderbird',`
			`'80,6,500,thunderbird,u,g,thunderbird',`
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 12:24:42 +00:00			`'587,6,500,thunderbird,u,g,thunderbird',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',`
			`'80,6,500,zoom,0u,0g,zoom',`
fpr: aws-sdk, melange, Tailscale, Xprotect, etc 2023-03-03 12:24:42 +00:00			`'80,6,500,zoom.real,u,g,zoom.real',`
			`'9418,6,500,git,0u,0g,git',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'8080,6,500,brave,0u,0g,brave',`
			`'8080,6,500,chrome,0u,0g,chrome',`
			`'8080,6,500,firefox,0u,0g,firefox',`
			`'8080,6,500,python3.11,0u,0g,speedtest-cli',`
			`'8080,6,500,speedtest,500u,500g,speedtest',`
			`'8443,6,500,chrome,0u,0g,chrome',`
			`'8443,6,500,firefox,0u,0g,firefox',`
			`'8801,17,500,zoom,0u,0g,zoom',`
			`'8801,17,500,zoom.real,u,g,zoom.real',`
			`'88,6,500,syncthing,0u,0g,syncthing',`
fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 21:30:17 +00:00			`'465,6,500,thunderbird,0u,0g,thunderbird',`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`'993,6,500,evolution,0u,0g,evolution',`
			`'993,6,500,thunderbird,0u,0g,thunderbird',`
			`'993,6,500,thunderbird,u,g,thunderbird',`
			`'9999,6,500,firefox,0u,0g,firefox'`
Remove more false positives: kind, gopls, docker.socket, etc 2022-12-15 15:20:16 +00:00			`)`
Add exception for JetBrains Toolbox 2022-12-15 15:25:35 +00:00			`AND NOT (`
			`p.name = 'java'`
			`AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%'`
			`AND s.remote_port > 1024`
			`AND s.protocol = 6`
			`AND p.euid > 500`
			`)`
Further reduction of false positives 2022-10-19 21:07:52 +00:00			`AND NOT (`
			`p.name = 'syncthing'`
Rewrite and split linux talkers 2022-10-20 11:04:18 +00:00			`AND f.filename = 'syncthing'`
			`AND s.remote_port > 1024`
			`AND s.protocol = 6`
			`AND p.euid > 500`
Remove some false positives 2022-10-18 00:57:56 +00:00			`)`
fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 21:30:17 +00:00			`AND NOT (`
			`p.name = 'chrome'`
			`AND f.filename = 'chrome'`
			`AND s.remote_port > 1024`
			`AND s.protocol = 6`
			`AND p.euid > 500`
			`)`
Friday False Positive Flush 2023-01-13 19:10:43 +00:00			`AND NOT (`
			`p.name = 'steam'`
			`AND f.filename = 'steam'`
			`AND s.remote_port > 27000`
			`AND s.protocol = 6`
			`AND p.euid > 500`
			`)`
Add broader port exception for Chrome 2022-10-20 18:11:19 +00:00			`AND NOT (`
			`p.name = 'chrome'`
			`AND f.filename = 'chrome'`
fpr: abrt-dbus, gdm, chrome, ff, etc 2023-02-24 21:30:17 +00:00			`AND s.remote_port > 3000`
			`AND s.protocol = 6`
			`AND p.euid > 500`
			`)`
			`AND NOT (`
			`p.name = 'firefox'`
			`AND f.filename = 'firefox'`
			`AND s.remote_port > 3000`
Add broader port exception for Chrome 2022-10-20 18:11:19 +00:00			`AND s.protocol = 6`
			`AND p.euid > 500`
			`)`
Add exception for whois 2022-10-30 13:39:10 +00:00			`-- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)`
			`AND NOT (`
False positive flush, particularly in talkers 2023-02-17 16:57:23 +00:00			`exception_key = '32768,6,500,ssh,0u,0g,ssh'`
Make another stab at reducing false positives across the map 2022-11-03 15:51:54 +00:00			`AND s.remote_port = 40022`
Add exception for whois 2022-10-30 13:39:10 +00:00			`)`
Filter out new false positives 2023-01-13 20:24:18 +00:00			`AND NOT (`
Run 'make reformat' 2023-01-20 14:24:24 +00:00			`s.remote_port = 80`
			`AND (`
Filter out new false positives 2023-01-13 20:24:18 +00:00			`p.cgroup_path LIKE '/system.slice/docker-%'`
			`OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'`
			`)`
			`)`
Run 'make reformat' 2022-10-20 18:01:34 +00:00			`GROUP BY`
			`p.cmdline`