Merge pull request #319 from tstromberg/fpr-sep21
Address issues which kept some Linux alerts from firing
This commit is contained in:
commit
417b0a6408
|
@ -47,7 +47,10 @@ WHERE
|
|||
file.uid = 1000
|
||||
AND file.gid = 1000
|
||||
AND file.mode = '0700'
|
||||
AND magic.data = 'data'
|
||||
AND (
|
||||
magic.data IS NULL
|
||||
OR magic.data = 'data'
|
||||
)
|
||||
AND file.path LIKE '/dev/shm/pulse-shm-%'
|
||||
AND file.size > 60000000
|
||||
) -- Seen with Steam
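Review bot: The new `magic.data IS NULL OR magic.data = 'data'` on lines 25–28 makes this exception match whenever no magic value is present (presumably an outer join that found no row), not only when the detected type is `'data'`; if the goal was merely to stop a NULL from turning the surrounding `NOT ( ... )` into UNKNOWN under three-valued logic — which would explain alerts silently not firing — the narrower NULL-safe spelling is `COALESCE(magic.data, '') = 'data'`, which keeps the exception closed when the file type could not be determined. Whichever reading is intended should be recorded next to the clause, e.g. `-- magic.data is NULL when no magic row exists; treat that as 'data' on purpose`, so the widened exception is deliberate rather than accidental. The same pattern appears in the hunks at `@ -57,7 +60,8` and `@ -54,5 +54,8`. The enclosing `WHERE` clause begins and ends outside this hunk.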
|
||||
|
@ -57,7 +60,8 @@ WHERE
|
|||
AND file.mode IN ('0755', '0775')
|
||||
AND file.path LIKE '/dev/shm/u1000-Shm_%'
|
||||
AND (
|
||||
magic.data NOT LIKE "%executable%"
|
||||
magic.data IS NULL
|
||||
OR magic.data NOT LIKE "%executable%"
|
||||
OR magic.data IN (
|
||||
'data',
|
||||
'Applesoft BASIC program data, first line number 86',
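Review bot: The added `OR magic.data NOT LIKE "%executable%"` on line 62 carries the double-quoted string literal over from the removed line while the `IN (...)` list directly below it uses single quotes (`'data'`), so one clause now mixes both quoting styles. In SQLite a double-quoted token is resolved as an identifier first and only falls back to a string literal, and builds compiled with `SQLITE_DQS=0` reject that fallback outright, so `OR magic.data NOT LIKE '%executable%'` is the safer spelling if this runs on SQLite (the `INSTR` calls elsewhere in the diff suggest it does). The same double-quoted literals appear in the hunk at `@ -66,7 +67,7`. The enclosing `WHERE` clause starts before this hunk and continues past it.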
|
||||
|
|
|
@ -54,5 +54,8 @@ WHERE
|
|||
'/var/run/lima-boot-done',
|
||||
'/var/run/lima-ssh-ready'
|
||||
)
|
||||
AND magic.data NOT IN ('JSON data')
|
||||
AND (
|
||||
magic.data IS NULL
|
||||
OR magic.data != 'JSON data'
|
||||
)
|
||||
AND file.size > 10
|
||||
|
|
|
@ -5,7 +5,8 @@
|
|||
--
|
||||
-- tags: transient process state
|
||||
-- platform: linux
|
||||
SELECT -- Child
|
||||
SELECT
|
||||
-- Child
|
||||
p0.pid AS p0_pid,
|
||||
p0.cgroup_path AS p0_cgroup,
|
||||
p0.path AS p0_path,
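Review bot: Nothing in the file records why `-- Child` had to move off the `SELECT` line (lines 125–128), so a later reformat could fold it back; the PR title suggests the trailing comment kept this query from running, but the mechanism is not visible in this hunk. A one-line note in the header block, e.g. `-- NOTE: keep comments on their own lines; a trailing comment after SELECT broke this query (#319)`, would make the constraint durable. The column list continues past the end of this hunk.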
|
||||
|
@ -66,7 +67,7 @@ WHERE
|
|||
AND INSTR(path, "/app/") != 1
|
||||
AND INSTR(path, "/ko-app") != 1
|
||||
AND INSTR(path, "/usr/share/teams/") != 1
|
||||
AND INSTR(path, "/.terraform/") > 0
|
||||
AND path NOT LIKE "%/.terraform%"
|
||||
AND NOT path LIKE '/tmp/%/osqtool'
|
||||
AND NOT path LIKE '/tmp/GoLand/___go_build_%_go'
|
||||
AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
|
||||
|
|