Run 'make reformat'

2022-10-20 14:01:34 -04:00 · 2022-10-20 14:01:34 -04:00 · a68a3496e9
parent 6d535ddc37
commit a68a3496e9
2 changed files with 20 additions and 10 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -8,7 +8,8 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT s.remote_address,
+SELECT
  s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
@ -30,7 +31,8 @@ SELECT s.remote_address,
      ),
      '/snap',
      '/opt'
-    ) '/',
+    ),
    '/',
    REGEX_MATCH (p.path, '.*/(.*?)$', 1),
    ',',
    MIN(f.uid, 500),
@ -39,12 +41,14 @@ SELECT s.remote_address,
    'g,',
    p.name
  ) AS exception_key
-FROM process_open_sockets s
+FROM
  process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN hash ON p.path = hash.path
-WHERE protocol IN (6, 17)
+WHERE
  protocol IN (6, 17)
  AND s.remote_port = 443
  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND s.remote_address NOT LIKE 'fe80:%'
@ -90,4 +94,5 @@ WHERE protocol IN (6, 17)
    '500,/usr/syncthing,0u,0g,syncthing'
  ) -- stay weird, NixOS (Fastly nix mirror)
  AND NOT child_cmd = '/run/current-system/sw/bin/bash'
-GROUP BY p.cmdline
+GROUP BY
  p.cmdline
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -8,7 +8,8 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT s.remote_address,
+SELECT
  s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
@ -34,7 +35,8 @@ SELECT s.remote_address,
      ),
      '/snap',
      '/opt'
-    ) '/',
+    ),
    '/',
    REGEX_MATCH (p.path, '.*/(.*?)$', 1),
    ',',
    MIN(f.uid, 500),
@ -43,12 +45,14 @@ SELECT s.remote_address,
    'g,',
    p.name
  ) AS exception_key
-FROM process_open_sockets s
+FROM
  process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN hash ON p.path = hash.path
-WHERE protocol > 0
+WHERE
  protocol > 0
  AND s.remote_port > 0 -- See unexpected-https-client
  AND NOT (
    s.remote_port = 443
@ -105,4 +109,5 @@ WHERE protocol > 0
    AND s.protocol = 6
    AND p.euid > 500
  )
-GROUP BY p.cmdline
+GROUP BY
  p.cmdline