From 416bdd8fd1b0f72763021da7c7667647f4c8760e Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 20 Oct 2022 14:11:19 -0400
Subject: [PATCH] Add broader port exception for Chrome

---
 detection/c2/unexpected-talkers-linux.sql | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 6638ef1..a154ecf 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -106,5 +106,12 @@ WHERE
     AND s.protocol = 6
     AND p.euid > 500
   )
+  AND NOT (
+    p.name = 'chrome'
+    AND f.filename = 'chrome'
+    AND s.remote_port > 5000
+    AND s.protocol = 6
+    AND p.euid > 500
+  )
 GROUP BY p.cmdline
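Review bot: The new `AND NOT (...)` exception is keyed only on `p.name = 'chrome'` and `f.filename = 'chrome'`, both of which are just the process/file basename, so any non-root TCP connection to a remote port above 5000 from any binary that happens to be named `chrome` is dropped from this detection; for a rule whose purpose is to surface unexpected talkers that is a wide blind spot, since a port threshold of `> 5000` covers essentially the whole ephemeral range rather than the ports Chrome is known to use. Consider anchoring the exception to the executable location rather than its name, e.g. adding `AND p.path LIKE '/opt/google/chrome/%'` (adjust to the deployed install path), and narrowing the port condition to the ranges actually observed so the exception documents a known-good pattern instead of a blanket allow. The preceding exception block, only partly visible in the hunk, ends with the same `s.protocol = 6 AND p.euid > 500` conditions; if it is also a Chrome port exception it is now likely subsumed by this broader one and could be folded in rather than left as a second, narrower copy. A short comment above the new block stating why this port range is expected for Chrome would also help the next reviewer judge whether the exception is still justified. The enclosing WHERE clause begins outside the hunk.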