Merge pull request #162 from tstromberg/fpr-again

Add local port and address to network queries
2025-02-19 19:26:55 +00:00 · 2023-02-08 10:13:39 -05:00 · 2023-02-08 10:13:39 -05:00 · 9bebd8a59a
commit 9bebd8a59a
parent 1f3b78dac4 9652464b27
5 changed files with 10 additions and 0 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -14,6 +14,8 @@ SELECT
  protocol,
  s.remote_port,
  s.remote_address,
+  s.local_port,
+  s.local_address,
  s.action,
  s.status,
  p.name,
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -18,6 +18,8 @@ SELECT
  pp.path AS parent_path,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
+  s.local_address,
+  s.local_port,
  s.state,
  hash.sha256,
  -- This intentionally avoids file.path, as it won't join across mount namespaces
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -11,6 +11,8 @@
 SELECT
  s.remote_address,
  s.remote_port,
+  s.local_port,
+  s.local_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -10,6 +10,8 @@ SELECT
  s.local_port,
  s.remote_port,
  s.remote_address,
+  s.local_port,
+  s.local_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
--- a/detection/execution/reverse-shell-socket.sql
+++ b/detection/execution/reverse-shell-socket.sql
@ -22,6 +22,8 @@ SELECT DISTINCT
  p.start_time,
  pos.remote_address,
  pos.remote_port,
+  pos.local_address,
+  pos.local_port,
  pp.cmdline,
  pp.path
 FROM