Merge pull request #359 from tstromberg/fpr-mar7
fpr: snapd, cups, ubuntu, etc
This commit is contained in:
commit
7c5599c07d
|
@ -119,6 +119,7 @@ WHERE
|
|||
'500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
|
||||
'500,java,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.8u401.java',
|
||||
'500,bash,bash,,bash',
|
||||
'500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
|
||||
'500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
|
||||
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
|
||||
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
|
||||
|
@ -131,6 +132,7 @@ WHERE
|
|||
AND NOT alt_exception_key IN (
|
||||
'0,velociraptor,velociraptor,0u,0g',
|
||||
'0,velociraptor,velociraptor,0u,80g',
|
||||
'500,taplo,taplo,500u,20g',
|
||||
'500,nodegizmo,nodegizmo,500u,20g',
|
||||
'500,apko,apko,0u,0g',
|
||||
'500,apko,apko,500u,20g',
|
||||
|
@ -218,6 +220,7 @@ WHERE
|
|||
'500,Python,Python,,org.python.python',
|
||||
'500,Python,Python,,Python',
|
||||
'500,Python,Python,,',
|
||||
'500,Python,Python,Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python',
|
||||
'500,Python,Python,0u,80g',
|
||||
'500,Python,Python,Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python'
|
||||
)
|
||||
|
|
|
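Review bot: `'500,cloud_sql_proxy,cloud_sql_proxy,,a.out'` exempts an unsigned binary whose only identifying fields are its process name and the generic `a.out` identifier (presumably the default the Go toolchain leaves on unsigned macOS builds), so any unsigned executable renamed to `cloud_sql_proxy` satisfies the key; the neighbouring `git-remote-http-55554944…` identifier is the opposite failure, a per-build linker hash that stops matching on the next build. Which of these lines the commit adds is not recoverable from this rendering, but whichever is new deserves a why-comment naming its install source, e.g. `-- unsigned Go build of the Cloud SQL Auth Proxy; a.out is the identifier unsigned Go binaries carry`. Where the query exposes a path or sha256 column, pinning unsigned tools on that instead of the bare name would be a much stronger key. The enclosing `WHERE` and its `NOT IN (` list start outside the hunk.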
@ -133,6 +133,8 @@ WHERE
|
|||
'500,0,32768,ir_agent',
|
||||
'500,0,32768,ksfetch',
|
||||
'500,0,32768,networkQuality',
|
||||
'500,500,80,elastic-agent',
|
||||
'500,0,80,filebeat',
|
||||
'500,0,32768,syncthing',
|
||||
'500,0,3478,firefox',
|
||||
'500,0,4070,spotify',
|
||||
|
@ -208,6 +210,7 @@ WHERE
|
|||
'500,0,80,com.apple.NRD.UpdateBrainService',
|
||||
'500,0,80,com.bitdefender.cst.net.dci.dci-network-extension',
|
||||
'500,0,80,electron',
|
||||
'500,0,443,com.docker.backend',
|
||||
'500,0,80,firefox',
|
||||
'500,0,80,http',
|
||||
'500,0,80,incusd',
|
||||
|
|
|
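Review bot: `'500,0,80,http'` exempts port-80 traffic from any user process simply named `http`, and that name is exactly what a downloader stub or a renamed binary would pick, so the entry carries no assurance. If the key follows the `uid,?,port,name` shape of its neighbours there is no path or signer component to narrow it, so either replace it with a path-based exclusion in the query's `WHERE` or at least record what it was added for: `-- TODO: identify the 'http' process this covers; a bare name is too weak a key`. It is not recoverable from this rendering whether this line or `com.docker.backend` is the one the commit adds. The list this belongs to starts outside the hunk.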
@ -5,8 +5,7 @@
|
|||
--
|
||||
-- tags: transient state net often
|
||||
-- platform: macos
|
||||
SELECT
|
||||
pos.protocol,
|
||||
SELECT pos.protocol,
|
||||
pos.local_port,
|
||||
pos.remote_port,
|
||||
pos.remote_address,
|
||||
|
@ -67,8 +66,7 @@ SELECT
|
|||
p2.path AS p2_path,
|
||||
p2.cmdline AS p2_cmd,
|
||||
p2_hash.sha256 AS p2_sha256
|
||||
FROM
|
||||
process_open_sockets pos
|
||||
FROM process_open_sockets pos
|
||||
LEFT JOIN processes p0 ON pos.pid = p0.pid
|
||||
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
||||
LEFT JOIN processes p1 ON p0.parent = p1.pid
|
||||
|
@ -77,8 +75,7 @@ FROM
|
|||
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
|
||||
LEFT JOIN file f ON p0.path = f.path
|
||||
LEFT JOIN signature s ON p0.path = s.path
|
||||
WHERE
|
||||
pos.protocol > 0
|
||||
WHERE pos.protocol > 0
|
||||
AND NOT (
|
||||
pos.remote_port IN (53, 443)
|
||||
AND pos.protocol IN (6, 17)
|
||||
|
@ -234,27 +231,27 @@ WHERE
|
|||
AND id_exception_key IN (
|
||||
'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
|
||||
'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
|
||||
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
|
||||
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
|
||||
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
|
||||
'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
|
||||
'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
|
||||
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
|
||||
'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
|
||||
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.nightly.helper',
|
||||
'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
|
||||
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
|
||||
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
|
||||
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
|
||||
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
|
||||
'Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y),com.vivaldi.Vivaldi.helper',
|
||||
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
|
||||
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
|
||||
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
|
||||
'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
|
||||
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
|
||||
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
|
||||
|
@ -263,16 +260,16 @@ WHERE
|
|||
'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
|
||||
'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
|
||||
'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
|
||||
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
|
||||
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
|
||||
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
|
||||
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
|
||||
'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
|
||||
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
|
||||
'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
|
||||
'Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y),com.vivaldi.Vivaldi.helper',
|
||||
'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking',
|
||||
'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp.ServiceExtension',
|
||||
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
|
||||
)
|
||||
)
|
||||
GROUP BY
|
||||
p0.cmdline
|
||||
GROUP BY p0.cmdline
|
|
@ -174,6 +174,7 @@ WHERE
|
|||
'/dev/hidraw,chrome',
|
||||
'/dev/hvc,agetty',
|
||||
'/dev/hwrng,rngd',
|
||||
'/dev/wwan0mbim,mbim-proxy',
|
||||
'/dev/input/event,Xorg',
|
||||
'/dev/input/event,thermald',
|
||||
'/dev/input/event,touchegg',
|
||||
|
|
|
@ -42,6 +42,7 @@ WHERE
|
|||
AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
|
||||
AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
|
||||
AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
|
||||
AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
|
||||
AND f.path NOT LIKE '/tmp/go-build%'
|
||||
AND p.name NOT LIKE 'osqtool%'
|
||||
GROUP by
|
||||
|
|
|
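Review bot: `AND f.path NOT LIKE '/tmp/go-build%'` carves a prefix out of world-writable `/tmp` that any local process can create, so a payload dropped as `/tmp/go-buildX/anything` is silently excluded from this query. Go places its temporary build outputs under `/tmp/go-build<random>/b<NNN>/…` (`…/exe/<name>` for `go run`, `…/<pkg>.test` for `go test`), so the pattern can be tightened to that layout without losing the intended case: `AND f.path NOT LIKE '/tmp/go-build%/b%/%'`, and if the `p` alias exposes a parent-name column, pair it with a `go` parent check. The `p.name NOT LIKE 'osqtool%'` line has the same weakness in a milder form since any process can call itself `osqtool-foo`. The enclosing `WHERE` starts outside the hunk.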
@ -29,6 +29,7 @@ WHERE
|
|||
AND file.filename NOT IN (
|
||||
'acpid.pid',
|
||||
'agetty.reload',
|
||||
'pulseaudio-enable-autospawn',
|
||||
'alsactl.pid',
|
||||
'apcupsd.pid',
|
||||
'com.rapid7.cnchub.pid',
|
||||
|
|
|
@ -102,6 +102,9 @@ WHERE
|
|||
"systemd-executor",
|
||||
"irqbalance",
|
||||
"kactivitymanagerd",
|
||||
"com.docker.backend",
|
||||
"com.docker.build",
|
||||
"com.docker.extensions",
|
||||
"nm-applet",
|
||||
"perl",
|
||||
"systemd",
|
||||
|
|
|
@ -103,8 +103,8 @@ WHERE
|
|||
OR (
|
||||
p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
|
||||
AND NOT p1.name = 'limactl'
|
||||
AND NOT p0.cmdline LIKE '%@localhost'
|
||||
AND NOT p0.cmdline LIKE '%@localhost -A'
|
||||
AND NOT p0.cmdline LIKE '%@localhost%'
|
||||
AND NOT p0.cmdline LIKE '%@localhost -A%'
|
||||
) -- Crypto miners
|
||||
OR p0.cmdline LIKE '%hashrate%'
|
||||
OR p0.cmdline LIKE '%hashvault%'
|
||||
|
|
|
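Review bot: Replacing the suffix-anchored `'%@localhost'` / `'%@localhost -A'` with `'%@localhost%'` / `'%@localhost -A%'` widens the allow-list from "the target is localhost" to "the string @localhost appears anywhere in argv", so `ssh -o UserKnownHostsFile=/dev/null user@localhost.example.net` (or any target that merely starts with `localhost`) now escapes the known-hosts-bypass detection, and the `-A` variant becomes redundant because the first pattern already subsumes it. If the goal is to tolerate options that follow the host, anchor on a token boundary instead: `AND NOT p0.cmdline LIKE '%@localhost'` plus `AND NOT p0.cmdline LIKE '%@localhost %'`. The `OR (` group starts inside the hunk but the surrounding `WHERE` begins outside it.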
@ -77,6 +77,7 @@ WHERE
|
|||
AND INSTR(path, "/nix/") != 1
|
||||
AND INSTR(path, "/opt/") != 1
|
||||
AND INSTR(path, "/snap/") != 1
|
||||
AND INSTR(path, "/var/kolide-k2/") != 1
|
||||
AND INSTR(path, "/var/lib/snapd/") != 1
|
||||
AND INSTR(path, "/usr/share/spotify") != 1
|
||||
AND INSTR(path, "/usr/share/code/") != 1
|
||||
|
|
|
@ -60,6 +60,8 @@ WHERE
|
|||
AND INSTR(path, "/opt/") != 1
|
||||
AND INSTR(path, "/snap/") != 1
|
||||
AND INSTR(path, "/var/lib/snapd/") != 1
|
||||
AND INSTR(path, "/usr/local/kolide-k2/bin/") != 1
|
||||
AND INSTR(path, "/var/kolide-k2/") != 1
|
||||
AND INSTR(path, "/usr/share/spotify") != 1
|
||||
AND INSTR(path, "/usr/share/code/") != 1
|
||||
AND INSTR(path, "/usr/local/") != 1
|
||||
|
|
|
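Review bot: `AND INSTR(path, "/usr/local/") != 1` excludes the whole of `/usr/local`, which makes the narrower `"/usr/local/kolide-k2/bin/"` line above it dead code and, on hosts where `/usr/local` is user-owned (Homebrew on macOS, many developer machines), removes a user-writable tree from the query entirely. Which of the two lines the commit adds is not recoverable here: if the catch-all is new it should be dropped in favour of the specific prefixes, and if the kolide prefix is new it has no effect while the catch-all remains. The sibling hunk at lines 542–566 lists `/var/lib/snapd/` and `/var/kolide-k2/` without any `/usr/local/` catch-all, so the two queries are out of step either way. The enclosing `WHERE` starts outside the hunk.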
@ -101,6 +101,7 @@ WHERE
|
|||
'go',
|
||||
'gopls',
|
||||
'grype',
|
||||
'packetbeat',
|
||||
'incus',
|
||||
'incusd',
|
||||
'keybase',
|
||||
|
|
|
@ -290,6 +290,7 @@ WHERE
|
|||
'zsh,500,OpenLens,launchd',
|
||||
'sh,500,ssh,mosh-client',
|
||||
'sh,500,updater,Foxit PDF Reader',
|
||||
'dash,500,gdm-wayland-session,gdm-session-worker',
|
||||
'sh,500,yabai,launchd',
|
||||
'zsh,500,old,launchd',
|
||||
'zsh,500,old,old',
|
||||
|
|
|
@ -76,7 +76,12 @@ WHERE
|
|||
AND NOT exception_key IN (
|
||||
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
|
||||
'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
|
||||
'true,,Hundred Handshakes,cmlngncglcblbobiehdpjcgbpoemidho',
|
||||
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
|
||||
'true,,Google Play Movies & TV,gdijeikdkaembjbdobgfkoidjkpbmlkd',
|
||||
'true,Gordon Pedsersen,MarkDownload - Markdown Web Clipper,pcmpcfapbekmbjjkdalcgopdkipoggdi',
|
||||
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
|
||||
'true,Microsoft Corporation,Microsoft Autofill,fiedbfgcleddlbcmgdigjgdfcggjcion',
|
||||
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk',
|
||||
'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced',
|
||||
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj',
|
||||
|
@ -155,6 +160,7 @@ WHERE
|
|||
'true,,HubSpot Sales,oiiaigjnkhngdbnoookogelabohpglmd',
|
||||
'true,,IBA Opt-out (by Google),gbiekjoijknlhijdjbaadobpkdhmoebb',
|
||||
'true,,Instapaper,ldjkgaaoikpmhmkelcgkgacicjfbofhh',
|
||||
'true,,Greenhouse Recruiting Chrome extension,naooopefdfeangnkgmjpklgblnfmbaea',
|
||||
'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa',
|
||||
'true,,JSON Viewer Pro,eifflpmocdbdmepbjaopkkhbfmdgijcc',
|
||||
'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc',
|
||||
|
|
|
@ -168,11 +168,14 @@ WHERE
|
|||
'8181,6,0,coredns',
|
||||
'8181,6,500,coredns',
|
||||
'8443,6,0,kube-apiserver',
|
||||
'631,17,133,cups-browsed',
|
||||
'8443,6,101,nginx-ingress-c',
|
||||
'58,255,500,dnsmasq',
|
||||
'8443,6,500,controller',
|
||||
'8443,6,500,controlplane',
|
||||
'8443,6,500,webhook',
|
||||
'8834,6,0,nessusd',
|
||||
'631,17,116,cups-browsed',
|
||||
'547,17,500,dnsmasq',
|
||||
'9000,6,500,authentik-proxy',
|
||||
'9000,6,500,main',
|
||||
|
|
|
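Review bot: `'631,17,133,cups-browsed'` and `'631,17,116,cups-browsed'` key the same listener on two dynamically allocated system uids, so every further distro or install will need yet another entry; if the query can join the account name the exception should be keyed on that, otherwise a comment such as `-- cups-browsed runs as a dynamic system uid that differs per install` explains the pair. The cups-browsed UDP 631 listener is also the surface of the 2024 cups-browsed advisories (CVE-2024-47176), so this allowance should not be the only place it is watched. `'547,17,500,dnsmasq'` together with `'58,255,500,dnsmasq'` (which looks like a raw ICMPv6 socket) permits an unprivileged user process to act as a DHCPv6/RA server, a rogue-DHCP shape; if this is a VM manager's user-session dnsmasq, say so: `-- user-session dnsmasq for VM/container NAT (DHCPv6 + router advertisements)`. The list starts outside the hunk.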
@ -80,6 +80,8 @@ WHERE
|
|||
'systemctl,0,snapd,systemd',
|
||||
'systemctl,0,tailscaled,',
|
||||
'systemctl,127,snap,systemd',
|
||||
'systemctl,500,snapd,systemd',
|
||||
'systemctl,500,systemd,systemd',
|
||||
'systemctl,500,bash,gnome-terminal-server',
|
||||
'systemctl,500,snap,systemd',
|
||||
'systemctl,500,systemd,',
|
||||
|
|
|
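Review bot: `'systemctl,500,bash,gnome-terminal-server'` exempts every `systemctl` a user types in a terminal, which is also where `systemctl --user enable …` persistence would be typed, so the entry removes the case this query presumably exists to surface rather than one benign pattern. If `p0.cmdline` is available to the query, restrict the interactive case to read-only subcommands (`status`, `show`, `list-units`, `is-active`) and keep `enable`, `link` and `edit` visible; otherwise document the trade-off inline: `-- interactive systemctl from a terminal is allowed; this hides hand-typed user-unit persistence`. `'systemctl,127,snap,systemd'` additionally keys on a dynamic system uid that will differ on other hosts. The list starts outside the hunk.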
@ -101,6 +101,7 @@ WHERE
|
|||
'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
|
||||
'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755',
|
||||
'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
|
||||
'dirmngr,/usr/bin/dirmngr,0,system.slice,system-dirmngr.slice,0755',
|
||||
'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
|
||||
'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
|
||||
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
|
||||
|
@ -122,6 +123,9 @@ WHERE
|
|||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
|
||||
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
|
||||
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
|
||||
'networkd-dispat,/usr/bin/python3.12,0,system.slice,networkd-dispatcher.service,0755',
|
||||
'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
|
||||
'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
|
||||
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
|
||||
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
|
||||
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
|
||||
|
|
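Review bot: `'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755'` is keyed on the cgroup of one specific container (`pure-dodo` looks like a generated instance name), so it exempts a single instance on a single host and every other container will raise a fresh alert; the `__VERSION__` token on the canonical-livepatch line suggests the query already normalizes version path segments, so the cgroup component should be normalized the same way or the entry replaced by a pattern in the `WHERE`, e.g. `AND NOT (p.name = 'incusd' AND cgroup LIKE 'lxc.monitor.%')` using whatever column name the query actually exposes. Likewise the `networkd-dispat` and `unattended-upgr` lines hard-code `/usr/bin/python3.12` and will lapse on the next Ubuntu interpreter bump unless the path normalization also covers `python3.NN`. The `unattended-upgr` line appears twice; if that is not an old/new rendering artifact, one copy is dead. The `WHERE` this list belongs to starts outside the hunk.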