Reduce false positives

detection/c2/unexpected-talkers-linux.sql

@@ -77,12 +77,20 @@ WHERE protocol > 0
   AND s.remote_address NOT LIKE 'fc00:%'
   AND p.path != ''
   AND NOT exception_key IN (
-    '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
-    '5228,6,500,/opt/chrome,0u,0g,chrome',
-    '4070,6,500,/opt/spotify,0u,0g,spotify',
-    '22000,6,500,/usr/syncthing,0u,0g,syncthing',
     '123,17,500,/usr/chronyd,0u,0g,chronyd',
+    '22000,6,500,/usr/syncthing,0u,0g,syncthing',
+    '4070,6,500,/opt/spotify,0u,0g,spotify',
+    '5228,6,500,/opt/chrome,0u,0g,chrome',
     '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra'
+    '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
+    '80,6,500,/opt/chrome,0u,0g,chrome',
+    '80,6,500,/usr/firefox,0u,0g,firefox',
+    '8000,6,500,/opt/chrome,0u,0g,chrome',
+    '8000,6,500,/usr/firefox,0u,0g,firefox',
+    '8080,6,500,/opt/chrome,0u,0g,chrome',
+    '8080,6,500,/usr/firefox,0u,0g,firefox',
+    '8443,6,500,/opt/chrome,0u,0g,chrome',
+    '8443,6,500,/usr/firefox,0u,0g,firefox',
   )
   AND NOT (
     p.name = 'syncthing'

detection/execution/sketchy-fetcher-events.sql

@@ -46,7 +46,7 @@ WHERE
     OR p.cmdline LIKE '%curl.*—write-out%'
     OR p.cmdline LIKE '%curl %--user-agent%'
     OR p.cmdline LIKE '%curl -k%'
-    OR p.cmdline LIKE '%curl -sL%'
+    OR p.cmdline LIKE '%curl -sL %'
     OR p.cmdline LIKE '%curl%--connect-timeout%'
     OR p.cmdline LIKE '%curl%--output /dev/null%'
     OR p.cmdline LIKE '%curl%--O /dev/null%'

detection/execution/sketchy-fetcher.sql

@@ -40,7 +40,7 @@ WHERE
     OR p.cmdline LIKE '%pastebin%'
     OR p.cmdline LIKE '%curl %--user-agent%'
     OR p.cmdline LIKE '%curl -k%'
-    OR p.cmdline LIKE '%curl -sL%'
+    OR p.cmdline LIKE '%curl -sL %'
     OR p.cmdline LIKE '%curl%--insecure%'
     OR p.cmdline LIKE '%wget %--user-agent%'
     OR p.cmdline LIKE '%wget %--no-check-certificate%'