diff --git a/net/unexpected-talkers-macos.sql b/net/unexpected-talkers-macos.sql
index ce49055..c7035b8 100644
--- a/net/unexpected-talkers-macos.sql
+++ b/net/unexpected-talkers-macos.sql
@@ -2,7 +2,6 @@ SELECT
 protocol,
 s.local_port,
 s.remote_port,
- s.local_address,
 s.remote_address,
 p.name,
 p.path,
@@ -21,9 +20,9 @@ SELECT
 MIN(p.uid, 500),
 ",",
 p.name,
- ',',
+ ",",
 signature.identifier,
- ',',
+ ",",
 signature.authority
 ) AS exception_key
 FROM process_open_sockets s
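Review bot: The re-quoted literals (`","` replacing `','` here, and every other `'…'` → `"…"` swap in the later hunks) are identifiers first in SQLite and string literals only by fallback: a double-quoted token is resolved against column names and becomes a string only when nothing matches. That fallback is a documented misfeature which a build can switch off (`SQLITE_DQS=0`), and any future column whose name equals one of these values would silently turn the comparison into a column reference, which for a detection query means a quiet loss of coverage rather than an error. If this file is for osquery's SQLite, as the `process_open_sockets` and `signature` tables suggest, keeping `','` for string literals and reserving double quotes for identifiers is the safe convention; if a formatter forced the change, configure it to leave literals alone.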
@@ -33,25 +32,25 @@ FROM process_open_sockets s
 LEFT JOIN signature ON p.path = signature.path
 WHERE protocol > 0
 AND s.remote_port > 0
- AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
- AND s.remote_address NOT LIKE 'fe80:%'
- AND s.remote_address NOT LIKE '127.%'
- AND s.remote_address NOT LIKE '192.168.%'
- AND s.remote_address NOT LIKE '172.1%'
- AND s.remote_address NOT LIKE '172.2%'
- AND s.remote_address NOT LIKE '172.30.%'
- AND s.remote_address NOT LIKE '172.31.%'
- AND s.remote_address NOT LIKE '::ffff:172.%'
- AND s.remote_address NOT LIKE '10.%'
- AND s.remote_address NOT LIKE '::ffff:10.%'
- AND s.remote_address NOT LIKE 'fc00:%'
- AND s.state != 'LISTEN' -- Ignore most common application paths
- AND p.path NOT LIKE '/Applications/%.app/Contents/%'
- AND p.path NOT LIKE '/Library/Apple/System/Library/%'
- AND p.path NOT LIKE '/Library/Application Support/%/Contents/%'
- AND p.path NOT LIKE '/System/Applications/%'
- AND p.path NOT LIKE '/System/Library/%'
- AND p.path NOT LIKE '/Users/%/Library/%.app/Contents/MacOS/%'
+ AND s.remote_address NOT IN ("127.0.0.1", "::ffff:127.0.0.1", "::1")
+ AND s.remote_address NOT LIKE "fe80:%"
+ AND s.remote_address NOT LIKE "127.%"
+ AND s.remote_address NOT LIKE "192.168.%"
+ AND s.remote_address NOT LIKE "172.1%"
+ AND s.remote_address NOT LIKE "172.2%"
+ AND s.remote_address NOT LIKE "172.30.%"
+ AND s.remote_address NOT LIKE "172.31.%"
+ AND s.remote_address NOT LIKE "::ffff:172.%"
+ AND s.remote_address NOT LIKE "10.%"
+ AND s.remote_address NOT LIKE "::ffff:10.%"
+ AND s.remote_address NOT LIKE "fc00:%"
+ AND s.state != "LISTEN" -- Ignore most common application paths
+ AND p.path NOT LIKE "/Applications/%.app/Contents/%"
+ AND p.path NOT LIKE "/Library/Apple/System/Library/%"
+ AND p.path NOT LIKE "/Library/Application Support/%/Contents/%"
+ AND p.path NOT LIKE "/System/Applications/%"
+ AND p.path NOT LIKE "/System/Library/%"
+ AND p.path NOT LIKE 
"/Users/%/Library/%.app/Contents/MacOS/%"
 AND p.path NOT LIKE "/System/%"
 AND p.path NOT LIKE "/opt/homebrew/Cellar/%/bin/%"
 AND p.path NOT LIKE "/usr/libexec/%"
@@ -61,112 +60,118 @@ WHERE protocol > 0
 remote_port = 53
 AND protocol IN (6, 17)
 AND p.name IN (
- '1password',
- 'Acrobat Update Helper',
- 'chainctl',
- 'cloud_sql_proxy',
- 'Code Helper',
- 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
- 'cosign',
- 'crc',
- 'curl',
- 'dig',
- 'Evernote Helper',
- 'figma_agent',
- 'gh',
- 'git-remote-http',
- 'gitsign',
- 'go',
- 'grafana-server',
- 'grype',
- 'host',
- 'htop',
- 'istioctl',
- 'k6',
- 'k9s',
- 'ko',
- 'launcher',
- 'ngrok',
- 'nix',
- 'node',
- 'obs',
- 'obs-browser-page',
- 'obs-ffmpeg-mux',
- 'obsidian',
- 'opera',
- 'ping',
- 'Python',
- 'python3.10',
- 'Reflect',
- 'Reflect Helper',
- 'ruby',
- 'sample',
- 'ssh',
- 'steam_osx',
- 'syncthing',
- 'tailscaled',
- 'terraform',
- 'tkn',
- 'traceroute',
- 'vcluster',
- 'wget',
- 'whois',
- 'zoom'
+ "1password",
+ "Acrobat Update Helper",
+ "chainctl",
+ "cloud_sql_proxy",
+ "Code Helper",
+ "com.apple.MobileSoftwareUpdate.UpdateBrainService",
+ "cosign",
+ "crc",
+ "curl",
+ "dig",
+ "Evernote Helper",
+ "figma_agent",
+ "gh",
+ "git-remote-http",
+ "gitsign",
+ "go",
+ "grafana-server",
+ "grype",
+ "host",
+ "htop",
+ "istioctl",
+ "k6",
+ "k9s",
+ "ko",
+ "launcher",
+ "ngrok",
+ "nix",
+ "node",
+ "obs",
+ "obs-browser-page",
+ "obs-ffmpeg-mux",
+ "obsidian",
+ "opera",
+ "ping",
+ "Python",
+ "python3.10",
+ "Reflect",
+ "Reflect Helper",
+ "ruby",
+ "sample",
+ "ssh",
+ "steam_osx",
+ "syncthing",
+ "tailscaled",
+ "terraform",
+ "tkn",
+ "traceroute",
+ "vcluster",
+ "wget",
+ "whois",
+ "zoom"
 )
 )
 AND NOT exception_key IN (
- '22,6,500,ssh,,',
- '22,6,500,ssh,ssh,',
- '22,6,500,ssh,com.apple.openssh,Software Signing',
- '22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
- '43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. 
(G7HH3F8CAK)',
- '443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
- '443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
- '443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
- '443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
- '443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
- '443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
- '443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
- '443,6,500,bash,bash,',
- '443,6,500,chainctl,,',
- '443,6,500,chainctl,a.out,',
- '443,6,500,cloud_sql_proxy,a.out,',
- '443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
- '443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
- '443,6,500,cosign,a.out,',
- '443,6,500,curl,com.apple.curl,Software Signing',
- '443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
- '443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
- '443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. 
(T8RA8NE3B7)',
- '443,6,500,gh,gh,',
- '443,6,0,nix,nix,',
- '443,6,500,ctclient,a.out,',
- '443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,',
- '443,6,500,gitsign,,',
- '443,6,500,gitsign,a.out,',
- '443,6,500,go,a.out,',
- '443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)',
- '443,6,500,istioctl,a.out,',
- '443,6,500,ko,a.out,',
- '443,6,500,step,step,',
- '443,6,500,kubectl,a.out,',
- '443,6,500,main,a.out,',
- '443,6,500,Python,org.python.python,',
- '443,6,500,python3.10,python3.10,',
- '443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
- '443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
- '443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing',
- '443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
- '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
- '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
- '443,6,500,vim,vim,',
- '443,6,500,zsh,com.apple.zsh,Software Signing',
- '53,17,500,docker-credential-gcr,a.out,',
- '6000,6,500,ssh,,',
- '443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,',
- '6000,6,500,ssh,com.apple.openssh,Software Signing',
- '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
- '80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing'
+ "22,6,500,ssh,,",
+ "443,6,500,Python,com.apple.python3,Software Signing",
+ "443,6,500,nix,nix,",
+ "22,6,500,ssh,ssh,",
+ "443,6,500,scorecard-darwin-amd64,,",
+ "22,6,500,ssh,com.apple.openssh,Software Signing",
+ "22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
+ "43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. 
(G7HH3F8CAK)",
+ "443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
+ "443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing",
+ "443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
+ "443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing",
+ "443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)",
+ "443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)",
+ "443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
+ "443,6,500,bash,bash,",
+ "443,6,500,emacs-28.2,emacs-28.2,",
+ "443,6,500,prober,a.out,",
+ "443,6,500,chainctl,,",
+ "443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)",
+ "443,6,500,chainctl,a.out,",
+ "443,6,500,cloud_sql_proxy,a.out,",
+ "443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
+ "443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
+ "443,6,500,cosign,a.out,",
+ "443,6,500,curl,com.apple.curl,Software Signing",
+ "443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
+ "443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing",
+ "443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. 
(T8RA8NE3B7)",
+ "443,6,500,gh,gh,",
+ "443,6,0,nix,nix,",
+ "443,6,500,ctclient,a.out,",
+ "443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,",
+ "443,6,500,gitsign,,",
+ "443,6,500,gitsign,a.out,",
+ "443,6,500,go,a.out,",
+ "443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)",
+ "443,6,500,istioctl,a.out,",
+ "443,6,500,ko,a.out,",
+ "443,6,500,step,step,",
+ "443,6,500,kubectl,a.out,",
+ "443,6,500,main,a.out,",
+ "443,6,500,Python,org.python.python,",
+ "443,6,500,python3.10,python3.10,",
+ "443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
+ "443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
+ "443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing",
+ "443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)",
+ "443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
+ "443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
+ "443,6,500,vim,vim,",
+ "443,6,500,zsh,com.apple.zsh,Software Signing",
+ "53,17,500,docker-credential-gcr,a.out,",
+ "6000,6,500,ssh,,",
+ "443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,",
+ "6000,6,500,ssh,com.apple.openssh,Software Signing",
+ "6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
+ "80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing"
 )
 -- nix-shell infects children with open connections
@@ -189,7 +194,7 @@ WHERE protocol > 0
 -- More complicated patterns go here
 AND NOT (
- p.name = 'syncthing'
+ p.name = "syncthing"
 AND (
 remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
 OR remote_port > 8000
@@ -197,10 +202,10 @@ WHERE protocol > 0
 )
 AND NOT (
 p.name IN (
- 'Google Chrome Helper',
- 'Brave Browser Helper',
- 'Chromium Helper',
- 'Opera Helper'
+ "Google Chrome Helper",
+ "Brave Browser Helper",
+ "Chromium Helper",
+ "Opera Helper"
 )
 AND remote_port IN (
 53,
@@ -225,23 +230,23 @@ WHERE protocol > 0
 )
 )
 AND NOT (
- p.name IN ('Mail', 'thunderbird', 'Spark', 'Notes')
+ p.name IN ("Mail", "thunderbird", "Spark", "Notes")
 AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
 )
 AND NOT (
- p.name IN ('Spotify Helper', 'Spotify')
+ p.name IN ("Spotify Helper", "Spotify")
 AND remote_port IN (53, 443, 8009, 4070, 32211)
 )
 AND NOT (
 remote_port IN (53, 443)
- AND p.name LIKE 'terraform-provider-%'
+ AND p.name LIKE "terraform-provider-%"
 )
 AND NOT (
 remote_port IN (53, 443)
- AND p.name LIKE 'kubectl.%'
+ AND p.name LIKE "kubectl.%"
 )
 AND NOT (
- p.cmdline LIKE '%google-cloud-sdk/lib/gcloud.py%'
+ p.cmdline LIKE "%google-cloud-sdk/lib/gcloud.py%"
 AND remote_port IN (80, 43, 53)
 )
 -- Slack update?
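Review bot: The `p.cmdline LIKE "%google-cloud-sdk/lib/gcloud.py%"` exception in the last hunk keys on a substring of the command line rather than on `p.path` or on the signature columns the rest of the file uses, so any process whose argument list contains that path is exempted from the port 80/43/53 check regardless of which binary is running. Binding the exemption to the interpreter as well — presumably the SDK's bundled Python, so something like `AND p.path LIKE "%google-cloud-sdk/%"` next to the cmdline match, to be confirmed against a real gcloud process — would tie it to a property the process does not set for itself. A comment such as `-- gcloud: cmdline match only, interpreter path varies` would at least record that this entry is deliberately weaker than the `exception_key` entries above. The WHERE clause these predicates belong to starts outside the hunk.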