Remove some false positives

detection/c2/unexpected-talkers-linux.sql

@@ -135,9 +135,10 @@ WHERE
   AND NOT exception_key IN (
     '123,17,,',
     '123,17,500,chronyd',
+    '22000,6,500,syncthing',
+    '22067,6,500,syncthing',
     '22,6,,',
     '22,6,500,ssh',
-    '22067,6,500,syncthing',
     '27024,6,500,steam',
     '3100,6,500,firefox',
     '3100,6,500,k6',
@@ -149,36 +150,29 @@ WHERE
     '443,17,500,jcef_helper',
     '443,17,500,slack',
     '443,17,500,spotify',
-    '443,6,0,.tailscaled-wra',
     '443,6,0,apk',
     '443,6,0,containerd',
     '443,6,0,depmod',
     '443,6,0,dirmngr',
     '443,6,0,dnf',
-    '443,6,0,mkinitcpio',
-    '443,6,500,.java-wrapped',
-    '443,6,0,flatpak-system-',
     '443,6,0,dockerd',
+    '443,6,0,flatpak-system-',
     '443,6,0,influxd',
-    '443,6,500,npm install',
-    '53,17,154,systemd-timesyn',
     '443,6,0,launcher',
-    '443,6,0,nix-daemon',
+    '443,6,0,mkinitcpio',
     '443,6,0,nix',
-    '443,6,500,reporter-urepor',
+    '443,6,0,nix-daemon',
     '443,6,0,packagekitd',
     '443,6,0,pacman',
     '443,6,0,snapd',
     '443,6,0,systemctl',
     '443,6,0,tailscaled',
+    '443,6,0,.tailscaled-wra',
     '443,6,0,trivy',
     '443,6,0,yay',
     '443,6,0,yum',
     '443,6,105,https',
     '443,6,472,grafana-server',
-    '443,6,500,___go_build_github_com_anchore_grype,a.out,',
-    '443,6,500,.firefox-wrappe',
-    '443,6,500,.tox-wrapped',
     '443,6,500,1password',
     '443,6,500,authentik-proxy',
     '443,6,500,aws',
@@ -187,7 +181,6 @@ WHERE
     '443,6,500,celery',
     '443,6,500,chainctl',
     '443,6,500,chrome',
-    '443,6,500,gsd-datetime',
     '443,6,500,cloud_sql_proxy',
     '443,6,500,code',
     '443,6,500,containerd',
@@ -202,6 +195,7 @@ WHERE
     '443,6,500,electron',
     '443,6,500,emacs',
     '443,6,500,firefox',
+    '443,6,500,.firefox-wrappe',
     '443,6,500,flameshot',
     '443,6,500,geoclue',
     '443,6,500,gh',
@@ -210,14 +204,17 @@ WHERE
     '443,6,500,gnome-shell',
     '443,6,500,gnome-software',
     '443,6,500,go',
+    '443,6,500,___go_build_github_com_anchore_grype,a.out,',
     '443,6,500,grafana-server',
     '443,6,500,grype',
+    '443,6,500,gsd-datetime',
     '443,6,500,gunicorn',
     '443,6,500,gvfsd-http',
     '443,6,500,htop',
     '443,6,500,influxd',
     '443,6,500,istioctl',
     '443,6,500,java',
+    '443,6,500,.java-wrapped',
     '443,6,500,jcef_helper',
     '443,6,500,jetbrains-toolb',
     '443,6,500,k6',
@@ -230,13 +227,15 @@ WHERE
     '443,6,500,nix',
     '443,6,500,node',
     '443,6,500,npm exec sql-fo',
+    '443,6,500,npm install',
+    '443,6,500,obs',
     '443,6,500,obs-browser-page',
     '443,6,500,obs-ffmpeg-mux',
-    '443,6,500,obs',
     '443,6,500,obsidian',
     '443,6,500,pingsender',
     '443,6,500,pip',
     '443,6,500,podman',
+    '443,6,500,reporter-urepor',
     '443,6,500,rustup',
     '443,6,500,signal-desktop',
     '443,6,500,slack',
@@ -246,9 +245,10 @@ WHERE
     '443,6,500,spotify',
     '443,6,500,steamwebhelper',
     '443,6,500,teams',
-    '443,6,500,terraform-provi',
     '443,6,500,terraform',
+    '443,6,500,terraform-provi',
     '443,6,500,tkn',
+    '443,6,500,.tox-wrapped',
     '443,6,500,trivy',
     '443,6,500,vcluster',
     '443,6,500,vim',
@@ -260,23 +260,24 @@ WHERE
     '443,6,500,yay',
     '443,6,500,zoom',
     '5228,6,500,chrome',
+    '53,17,154,systemd-timesyn',
     '6000,6,500,ssh',
     '67,17,0,NetworkManager',
     '7903,6,500,syncthing',
-    '80,6,0,.tailscaled-wra',
+    '8006,6,500,chrome',
     '80,6,0,dnf',
     '80,6,0,gdk-pixbuf-quer',
     '80,6,0,mkinitcpio',
     '80,6,0,NetworkManager',
     '80,6,0,pacman',
     '80,6,0,tailscaled',
+    '80,6,0,.tailscaled-wra',
     '80,6,0,yum',
     '80,6,105,http',
-    '80,6,500,.firefox-wrappe',
-    '80,6,500,chrome',
     '80,6,500,chrome',
     '80,6,500,curl',
     '80,6,500,firefox',
+    '80,6,500,.firefox-wrappe',
     '80,6,500,gitsign',
     '80,6,500,slack',
     '80,6,500,spotify',
@@ -284,13 +285,13 @@ WHERE
     '80,6,500,steamwebhelper',
     '80,6,500,syncthing',
     '80,6,500,thunderbird',
-    '8006,6,500,chrome',
+    '8443,6,500,chrome',
     '8801,17,500,zoom',
     '9090,6,500,firefox',
     '9090,6,500,k6',
     '9090,6,500,prometheus',
     '9090,6,500,rootlessport'
-  ) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
+  )
   AND NOT (
     (
       remote_address LIKE '151.101.%'

detection/evasion/hidden-cwd.sql

@@ -90,7 +90,6 @@ WHERE
     OR dir LIKE '~/src/%'
     OR dir LIKE '~/%/.github%'
     OR dir LIKE '~/.cargo/%'
-
     OR dir LIKE '~/.local/share/JetBrains/%'
     OR dir LIKE '~/code/%'
   )