From 03789d2957fa67ad666a837972fa6bd2dcf35e5e Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Fri, 12 Jul 2024 13:12:43 -0500
Subject: [PATCH] Add LittleSnitch exception_key

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-macos.sql | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 45af292..843e53f 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -192,7 +192,8 @@ WHERE pos.protocol > 0
 '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
 '500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
 '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
- '500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac'
+ '500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
+ '0,6,853,at.obdev.littlesnitch.networkextension,at.obdev.littlesnitch.networkextension,0u,0g'
 ) -- Useful for unsigned binaries
 AND NOT alt_exception_key IN (
 '0,6,80,tailscaled,tailscaled,500u,80g',
@@ -292,4 +293,4 @@ WHERE pos.protocol > 0
 'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
 )
 )
-GROUP BY p0.cmdline
\ No newline at end of file
+GROUP BY p0.cmdline
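Review bot: In the first hunk (`@@ -192,7 +192,8 @@`) the new LittleSnitch string ends in `0u,0g`, which is the shape of the `alt_exception_key` values that follow (`'0,6,80,tailscaled,tailscaled,500u,80g'`), yet it is appended to the list closed by `) -- Useful for unsigned binaries`, whose other entries end in a signing authority and a bundle identifier. If the two keys are built the way the neighbouring entries suggest (their definitions are outside this hunk), the string can never equal an `exception_key`, so the exception has no effect and the alert keeps firing. It belongs as the first entry after `AND NOT alt_exception_key IN (`. That form appears to match on name and uid/gid only, so any root-owned binary of the same name talking to port 853 would be suppressed as well. If the extension reports a signature on the host, an `exception_key` entry carrying its authority and identifier would be the tighter exception. The WHERE clause starts and ends outside the hunk.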