From 889ad9a5fddffb6a811a204c9aa89815828ced4e Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 30 Oct 2022 09:39:10 -0400
Subject: [PATCH] Add exception for whois

---
 detection/c2/unexpected-talkers-linux.sql | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index e2f38e7..09fa265 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -88,6 +88,7 @@ WHERE
 '22,6,500,/usr/ssh,0u,0g,ssh',
 '3478,6,500,/opt/chrome,0u,0g,chrome',
 '4070,6,500,/opt/spotify,0u,0g,spotify',
+ '43,6,500,/usr/whois,0u,0g,whois',
 '5228,6,500,/opt/chrome,0u,0g,chrome',
 '5228,6,500,/usr/chrome,0u,0g,chrome',
 '8000,6,500,/opt/chrome,0u,0g,chrome',
@@ -97,7 +98,6 @@ WHERE
 '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
 '80,6,0,/usr/pacman,0u,0g,pacman',
 '80,6,0,/usr/python3.10,0u,0g,dnf',
- '80,6,500,/usr/python3.10,0u,0g,yum',
 '80,6,0,/usr/python3.10,0u,0g,yum',
 '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
 '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
@@ -110,6 +110,7 @@ WHERE
 '80,6,500,/usr/firefox,0u,0g,firefox',
 '80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
 '80,6,500,/usr/pacman,0u,0g,pacman',
+ '80,6,500,/usr/python3.10,0u,0g,yum',
 '8080,6,500,/opt/chrome,0u,0g,chrome',
 '8080,6,500,/usr/firefox,0u,0g,firefox',
 '8443,6,500,/opt/chrome,0u,0g,chrome',
@@ -130,5 +131,11 @@ WHERE
 AND s.protocol = 6 AND p.euid > 500 ) + -- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP) + AND NOT ( exception_key = '32768,6,500,/usr/ssh,0u,0g,ssh' AND s.remote_port = 40022 AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net ) GROUP BY p.cmdline
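Review bot: The new whois entry in the first hunk covers only the third-field-500 form of the key (`'43,6,500,/usr/whois,0u,0g,whois'`), while neighbouring tools such as pacman and yum carry both a `0` and a `500` variant in this list, so whois run as root would presumably still be reported. If that asymmetry is intended it is fine as is; otherwise the matching `'43,6,0,/usr/whois,0u,0g,whois',` belongs in the `0` group alongside the other port-80 root entries. The meaning of the third field as a capped euid is inferred from the surrounding pattern, since exception_key is assembled outside this hunk.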
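Review bot: In the last hunk the pinned key starts with `32768` while the same predicate requires `s.remote_port = 40022`, and nothing in the hunk says why the two differ; exception_key is built outside this hunk, so a reader cannot tell whether it folds high remote ports into a bucket. A comment above the key line would settle it for the next maintainer, e.g. `-- exception_key buckets ephemeral remote ports as 32768 (confirm); the real port is pinned on the next line`. It is also worth recording in the TODO that the carve-out is keyed on a literal address: if 104.131.84.33 is ever reassigned away from gatekeeper.uservers.net, ssh sessions to that address on port 40022 stay silently excluded, so the planned override overlay should prefer the hostname where the data source allows it. The enclosing WHERE starts outside the hunk.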