RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-02-02 10:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add exception for 'go run'

Browse Source
This commit is contained in:
Thomas Stromberg 2022-10-30 09:39:48 -04:00
parent 889ad9a5fd
commit 46ef9668d7
Failed to extract signature
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
detection/c2/unexpected-https-client-linux.sql
View File

@ -136,5 +136,9 @@ WHERE
AND s.remote_address LIKE '151.101.%' AND s.remote_address LIKE '151.101.%'
AND s.state = 'ESTABLISHED' AND s.state = 'ESTABLISHED'
) )
AND NOT (
exception_key = '500,/tmp/main,500u,500g,main'
AND p.path LIKE '/tmp/go-build%/exe/main'
)
GROUP BY GROUP BY
p.cmdline p.cmdline

1
detection/evasion/touched-executable-linux.sql
View File

@ -34,5 +34,6 @@ WHERE
AND f.path NOT LIKE '/snap/%' AND f.path NOT LIKE '/snap/%'
AND f.path NOT LIKE '/home/%' AND f.path NOT LIKE '/home/%'
AND f.path != '/usr/local/bin/chainctl' AND f.path != '/usr/local/bin/chainctl'
AND f.path NOT LIKE '/tmp/go-build%/exe/main'
GROUP by GROUP by
p.pid p.pid