Remove some false positives

Thomas Stromberg 2022-10-17 20:57:56 -04:00
parent 9bf85e3137
commit 8ddd5764e8
2 changed files with 21 additions and 21 deletions


@ -135,9 +135,10 @@ WHERE
AND NOT exception_key IN ( AND NOT exception_key IN (
'123,17,,', '123,17,,',
'123,17,500,chronyd', '123,17,500,chronyd',
'22000,6,500,syncthing',
'22067,6,500,syncthing',
'22,6,,', '22,6,,',
'22,6,500,ssh', '22,6,500,ssh',
'22067,6,500,syncthing',
'27024,6,500,steam', '27024,6,500,steam',
'3100,6,500,firefox', '3100,6,500,firefox',
'3100,6,500,k6', '3100,6,500,k6',
@ -149,36 +150,29 @@ WHERE
'443,17,500,jcef_helper', '443,17,500,jcef_helper',
'443,17,500,slack', '443,17,500,slack',
'443,17,500,spotify', '443,17,500,spotify',
'443,6,0,.tailscaled-wra',
'443,6,0,apk', '443,6,0,apk',
'443,6,0,containerd', '443,6,0,containerd',
'443,6,0,depmod', '443,6,0,depmod',
'443,6,0,dirmngr', '443,6,0,dirmngr',
'443,6,0,dnf', '443,6,0,dnf',
'443,6,0,mkinitcpio',
'443,6,500,.java-wrapped',
'443,6,0,flatpak-system-',
'443,6,0,dockerd', '443,6,0,dockerd',
'443,6,0,flatpak-system-',
'443,6,0,influxd', '443,6,0,influxd',
'443,6,500,npm install',
'53,17,154,systemd-timesyn',
'443,6,0,launcher', '443,6,0,launcher',
'443,6,0,nix-daemon', '443,6,0,mkinitcpio',
'443,6,0,nix', '443,6,0,nix',
'443,6,500,reporter-urepor', '443,6,0,nix-daemon',
'443,6,0,packagekitd', '443,6,0,packagekitd',
'443,6,0,pacman', '443,6,0,pacman',
'443,6,0,snapd', '443,6,0,snapd',
'443,6,0,systemctl', '443,6,0,systemctl',
'443,6,0,tailscaled', '443,6,0,tailscaled',
'443,6,0,.tailscaled-wra',
'443,6,0,trivy', '443,6,0,trivy',
'443,6,0,yay', '443,6,0,yay',
'443,6,0,yum', '443,6,0,yum',
'443,6,105,https', '443,6,105,https',
'443,6,472,grafana-server', '443,6,472,grafana-server',
'443,6,500,___go_build_github_com_anchore_grype,a.out,',
'443,6,500,.firefox-wrappe',
'443,6,500,.tox-wrapped',
'443,6,500,1password', '443,6,500,1password',
'443,6,500,authentik-proxy', '443,6,500,authentik-proxy',
'443,6,500,aws', '443,6,500,aws',
@ -187,7 +181,6 @@ WHERE
'443,6,500,celery', '443,6,500,celery',
'443,6,500,chainctl', '443,6,500,chainctl',
'443,6,500,chrome', '443,6,500,chrome',
'443,6,500,gsd-datetime',
'443,6,500,cloud_sql_proxy', '443,6,500,cloud_sql_proxy',
'443,6,500,code', '443,6,500,code',
'443,6,500,containerd', '443,6,500,containerd',
@ -202,6 +195,7 @@ WHERE
'443,6,500,electron', '443,6,500,electron',
'443,6,500,emacs', '443,6,500,emacs',
'443,6,500,firefox', '443,6,500,firefox',
'443,6,500,.firefox-wrappe',
'443,6,500,flameshot', '443,6,500,flameshot',
'443,6,500,geoclue', '443,6,500,geoclue',
'443,6,500,gh', '443,6,500,gh',
@ -210,14 +204,17 @@ WHERE
'443,6,500,gnome-shell', '443,6,500,gnome-shell',
'443,6,500,gnome-software', '443,6,500,gnome-software',
'443,6,500,go', '443,6,500,go',
'443,6,500,___go_build_github_com_anchore_grype,a.out,',
'443,6,500,grafana-server', '443,6,500,grafana-server',
'443,6,500,grype', '443,6,500,grype',
'443,6,500,gsd-datetime',
'443,6,500,gunicorn', '443,6,500,gunicorn',
'443,6,500,gvfsd-http', '443,6,500,gvfsd-http',
'443,6,500,htop', '443,6,500,htop',
'443,6,500,influxd', '443,6,500,influxd',
'443,6,500,istioctl', '443,6,500,istioctl',
'443,6,500,java', '443,6,500,java',
'443,6,500,.java-wrapped',
'443,6,500,jcef_helper', '443,6,500,jcef_helper',
'443,6,500,jetbrains-toolb', '443,6,500,jetbrains-toolb',
'443,6,500,k6', '443,6,500,k6',
@ -230,13 +227,15 @@ WHERE
'443,6,500,nix', '443,6,500,nix',
'443,6,500,node', '443,6,500,node',
'443,6,500,npm exec sql-fo', '443,6,500,npm exec sql-fo',
'443,6,500,npm install',
'443,6,500,obs',
'443,6,500,obs-browser-page', '443,6,500,obs-browser-page',
'443,6,500,obs-ffmpeg-mux', '443,6,500,obs-ffmpeg-mux',
'443,6,500,obs',
'443,6,500,obsidian', '443,6,500,obsidian',
'443,6,500,pingsender', '443,6,500,pingsender',
'443,6,500,pip', '443,6,500,pip',
'443,6,500,podman', '443,6,500,podman',
'443,6,500,reporter-urepor',
'443,6,500,rustup', '443,6,500,rustup',
'443,6,500,signal-desktop', '443,6,500,signal-desktop',
'443,6,500,slack', '443,6,500,slack',
@ -246,9 +245,10 @@ WHERE
'443,6,500,spotify', '443,6,500,spotify',
'443,6,500,steamwebhelper', '443,6,500,steamwebhelper',
'443,6,500,teams', '443,6,500,teams',
'443,6,500,terraform-provi',
'443,6,500,terraform', '443,6,500,terraform',
'443,6,500,terraform-provi',
'443,6,500,tkn', '443,6,500,tkn',
'443,6,500,.tox-wrapped',
'443,6,500,trivy', '443,6,500,trivy',
'443,6,500,vcluster', '443,6,500,vcluster',
'443,6,500,vim', '443,6,500,vim',
@ -260,23 +260,24 @@ WHERE
'443,6,500,yay', '443,6,500,yay',
'443,6,500,zoom', '443,6,500,zoom',
'5228,6,500,chrome', '5228,6,500,chrome',
'53,17,154,systemd-timesyn',
'6000,6,500,ssh', '6000,6,500,ssh',
'67,17,0,NetworkManager', '67,17,0,NetworkManager',
'7903,6,500,syncthing', '7903,6,500,syncthing',
'80,6,0,.tailscaled-wra', '8006,6,500,chrome',
'80,6,0,dnf', '80,6,0,dnf',
'80,6,0,gdk-pixbuf-quer', '80,6,0,gdk-pixbuf-quer',
'80,6,0,mkinitcpio', '80,6,0,mkinitcpio',
'80,6,0,NetworkManager', '80,6,0,NetworkManager',
'80,6,0,pacman', '80,6,0,pacman',
'80,6,0,tailscaled', '80,6,0,tailscaled',
'80,6,0,.tailscaled-wra',
'80,6,0,yum', '80,6,0,yum',
'80,6,105,http', '80,6,105,http',
'80,6,500,.firefox-wrappe',
'80,6,500,chrome',
'80,6,500,chrome', '80,6,500,chrome',
'80,6,500,curl', '80,6,500,curl',
'80,6,500,firefox', '80,6,500,firefox',
'80,6,500,.firefox-wrappe',
'80,6,500,gitsign', '80,6,500,gitsign',
'80,6,500,slack', '80,6,500,slack',
'80,6,500,spotify', '80,6,500,spotify',
@ -284,13 +285,13 @@ WHERE
'80,6,500,steamwebhelper', '80,6,500,steamwebhelper',
'80,6,500,syncthing', '80,6,500,syncthing',
'80,6,500,thunderbird', '80,6,500,thunderbird',
'8006,6,500,chrome', '8443,6,500,chrome',
'8801,17,500,zoom', '8801,17,500,zoom',
'9090,6,500,firefox', '9090,6,500,firefox',
'9090,6,500,k6', '9090,6,500,k6',
'9090,6,500,prometheus', '9090,6,500,prometheus',
'9090,6,500,rootlessport' '9090,6,500,rootlessport'
) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen. )
AND NOT ( AND NOT (
( (
remote_address LIKE '151.101.%' remote_address LIKE '151.101.%'
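Review bot: The two entries that appear to be new in this list, `'22000,6,500,syncthing'` and `'8443,6,500,chrome'`, exempt a connection on the strength of a process name alone, and a process name is not a verified identity. How `exception_key` is built lies outside the visible hunks (the WHERE clause starts and ends outside them), but truncated entries such as `'terraform-provi'` suggest the last field is the short process name rather than a path. If the query has the executable path or a signing identity available, pairing the name with it for the browser and sync-client entries would keep the exemption from covering a renamed binary. The commit also seems to drop the trailing Nix comment after the closing parenthesis; a line such as `-- dot-prefixed names (.foo-wrapped) are Nix wrapper binaries` above the list would keep that context.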


@ -90,7 +90,6 @@ WHERE
OR dir LIKE '~/src/%' OR dir LIKE '~/src/%'
OR dir LIKE '~/%/.github%' OR dir LIKE '~/%/.github%'
OR dir LIKE '~/.cargo/%' OR dir LIKE '~/.cargo/%'
OR dir LIKE '~/.local/share/JetBrains/%' OR dir LIKE '~/.local/share/JetBrains/%'
OR dir LIKE '~/code/%' OR dir LIKE '~/code/%'
) )