Performance tuning, mark some Linux queries as 'extra'

2025-02-16 09:27:06 +00:00 · 2024-03-15 19:06:16 -04:00 · 2024-03-15 19:06:16 -04:00 · 3447f95d9e
commit 3447f95d9e
parent 9342485881
12 changed files with 15 additions and 15 deletions
--- a/8
+++ b/8
@ -9,16 +9,16 @@ out/osqtool-$(ARCH)-$(OSQTOOL_VERSION):
 	mv out/osqtool out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
 out/detection.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/*.sql)
-	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --verify -output out/detection.conf pack detection
+	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --verify --exclude-tags=disabled,disabled-privacy,extra --output  out/detection.conf pack detection
 out/policy.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)  $(wildcard policy/*.sql)
-	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --verify --output out/policy.conf pack policy/
+	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra o --verify --output out/policy.conf pack policy/
 out/vulnerabilities.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)  $(wildcard vulnerabilities/*.sql)
-	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --output out/vulnerabilities.conf pack vulnerabilities/
+	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/vulnerabilities.conf pack vulnerabilities/
 out/incident-response.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)  $(wildcard incident_response/*.sql)
-	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy --output out/incident-response.conf pack incident_response/
+	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/incident-response.conf pack incident_response/
 out/osquery.conf:
 	cat osquery.conf | sed s/"out\/"/""/g > out/osquery.conf
--- a/detection/c2/unexpected-icmp-socket-events.sql
+++ b/detection/c2/unexpected-icmp-socket-events.sql
@ -4,7 +4,7 @@
 --   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
 --
 -- interval: 300
-- tags: transient events net
+-- tags: transient events net extra
 SELECT
  se.*,
  p.path,
--- a/detection/c2/unexpected-icmp-socket.sql
+++ b/detection/c2/unexpected-icmp-socket.sql
@ -3,7 +3,7 @@
 -- references:
 --   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
 --
-- tags: transient state net often
+-- tags: transient state net extra
 SELECT
  pop.pid AS p0_pid,
  pop.socket,
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
-- tags: transient state net
+-- tags: transient state net extra
 -- interval: 601
 -- platform: posix
 SELECT
--- a/detection/evasion/hidden-cwd-events-linux.sql
+++ b/detection/evasion/hidden-cwd-events-linux.sql
@ -9,7 +9,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories)
 --
-- tags: transient
+-- tags: transient extra
 -- platform: linux
 -- interval: 600
 SELECT
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -6,7 +6,7 @@
 -- false positives:
 --   * possible, but none known
 --
-- tags: transient process events
+-- tags: transient process events extra
 -- platform: linux
 -- interval: 600
 SELECT -- Child
--- a/detection/execution/yara-unexpected-upx-process.sql
+++ b/detection/execution/yara-unexpected-upx-process.sql
@ -1,7 +1,7 @@
 -- Currently running UPX executable
 -- 
 -- tags: persistent
-- interval: 3600
+-- interval: 7199
 -- platform: posix
 SELECT
  yara.*,
--- a/detection/initial_access/yara-recently-downloaded-miner.sql
+++ b/detection/initial_access/yara-recently-downloaded-miner.sql
@ -1,4 +1,4 @@
-- Recently downloaded UPX file
+-- tags: volume filesystem seldom
 SELECT
  file.path,
  file.size,
--- a/detection/initial_access/yara-recently-downloaded-ransom.sql
+++ b/detection/initial_access/yara-recently-downloaded-ransom.sql
@ -1,4 +1,4 @@
-- Recently downloaded UPX file
+-- tags: volume filesystem seldom
 SELECT
  file.path,
  file.size,
--- a/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql
+++ b/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql
@ -1,4 +1,4 @@
-- Recently downloaded cryptexec program
+-- tags: volume filesystem seldom
 SELECT
  file.path,
  file.size,
--- a/detection/initial_access/yara-recently-downloaded-stealer.sql
+++ b/detection/initial_access/yara-recently-downloaded-stealer.sql
@ -1,4 +1,4 @@
-- Recently downloaded Stealer
+-- tags: volume filesystem seldom
 SELECT
  file.path,
  file.size,
--- a/detection/initial_access/yara-recently-downloaded-upx.sql
+++ b/detection/initial_access/yara-recently-downloaded-upx.sql
@ -1,4 +1,4 @@
-- Recently downloaded UPX file
+-- tags: volume filesystem seldom
 SELECT
  file.path,
  file.size,