From 4abd265459d70846d388c48c7028fba8daf860bf Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 11:33:49 -0500
Subject: [PATCH] Address PR comments

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-macos.sql | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index bfb1f71..6b8962e 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -112,5 +112,7 @@ WHERE pos.pid IN (
 AND NOT (
 unsigned_exception = '500,0,0,chainlink,chainlink'
 AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
+ AND remote_port = 0
+ AND protocol = 0
 )
 GROUP BY p0.cmdline
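Review bot: The added predicates `AND remote_port = 0` and `AND protocol = 0` have no comment saying why this exception is limited to port-0/protocol-0 sockets. The reason matters here because the exception trusts an unsigned binary under a user-writable temp path (`/var/folders/%/T/go-build%/b001/exe/chainlink`). I would add a line above the `AND NOT (` group such as `-- unsigned chainlink test builds in go-build temp dirs: suppress only sockets with no remote port/protocol so real outbound connections still alert`, with the wording confirmed by the author. Both new columns are also unqualified while the neighbouring predicate uses `p0.path`; if they come from the socket table aliased `pos` in the hunk header, `pos.remote_port` and `pos.protocol` would rule out ambiguity with other joined tables. The SELECT list and joins are outside the hunk, so the column origin is inferred.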