RepoMirrors
/
osquery-defense-kit
mirror of https://github.com/chainguard-dev/osquery-defense-kit
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More additions

This commit is contained in:
Thomas Stromberg 2022-09-01 20:36:48 -04:00
parent e9dcfbbe2e
commit af8ecbb03e
Failed to extract signature
2 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
unexpected-talkers.sql
View File

@ -25,17 +25,19 @@ AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (
AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17)
AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17)
AND NOT (p.name='ssh' AND remote_port=22 AND protocol=6)
AND NOT (p.name='java' AND remote_port IN (30031,25565) AND protocol=6)
AND NOT (p.path = '/usr/bin/gnome-software' AND remote_port = 443)
AND NOT (p.path = '/usr/libexec/rapportd' AND remote_port > 49000 and protocol=6)
AND NOT (p.path = '/usr/libexec/timed' AND remote_port = 123)
AND NOT (p.path = '/usr/libexec/trustd' AND remote_port IN (80,443))
AND NOT (p.path = '/usr/libexec/trustd' AND remote_port IN (80,443))
AND NOT (p.path LIKE '/private/var/folders/%/Reflect 2.app/Contents/Frameworks/Reflect Helper.app/Contents/MacOS/Reflect Helper' AND p.cwd='/' AND remote_port=443 AND s.protocol IN (6,17))
AND NOT (p.path LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%' AND p.cwd='/' AND remote_port=443 AND protocol=6)
AND NOT (p.path LIKE '/Users/%/.cache/trunk/cli/%/trunk' AND remote_port=443 AND s.protocol=6)
AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=443 AND protocol=6)
AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=9000 AND protocol=17)
AND NOT (p.path LIKE '%/firefox' AND remote_port IN (443,80))
AND NOT (p.path LIKE '%/NetworkManager' AND remote_port = 67)
AND NOT (p.path LIKE '%/NetworkManager' AND remote_port IN (67,80))
AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80))
AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=4500 AND protocol=17)
AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=500 AND protocol=17)
@ -47,14 +49,17 @@ AND NOT (remote_port = 443 AND protocol=6 AND p.path LIKE '/usr/libexec/%')
AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/Applications/%.app/Contents/%')
AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Applications/%')
AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Library/%')
AND NOT (remote_port=443 AND protocol=6 AND p.name IN (
AND NOT (remote_port=443 AND protocol IN (6,17) AND p.name IN (
'gitsign',
'ko',
'kubectl',
'k9s',
'launcher-Helper',
'terraform',
'steam_osx',
'slack',
'ngrok',
'jcef_helper',
'Slack Helper',
'Slack',
'controlplane',
@ -66,5 +71,5 @@ AND NOT (remote_port=443 AND protocol=6 AND p.name IN (
)
)
AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%')
AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'kubectl.%')

4
unexpectedly-high-readers.sql
View File

@ -18,11 +18,15 @@ AND NOT (name='launcher' AND path='/usr/local/kolide-k2/bin/launcher-updates/165
AND NOT (name='logd' AND cmdline='/usr/libexec/logd' AND parent=1)
AND NOT (name='osqueryd' AND path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd')
AND NOT (name='packagekitd' AND path='/usr/libexec/packagekitd')
AND NOT (name='spindump' AND path='/usr/sbin/spindump')
AND NOT (name='systemstats' AND path='/usr/sbin/systemstats')
AND NOT (name='signpost_reporter' AND cmdline='/usr/libexec/signpost_reporter' AND parent=1)
AND NOT (name='snapd' AND path='/usr/lib/snaptd/snaptd')
AND NOT (name='syspolicyd' AND path='/usr/libexec/syspolicyd' AND parent=1)
AND NOT (name='systemd-udevd' AND path='/usr/bin/udevadm')
AND NOT (name='systemd' AND path='/usr/lib/systemd/systemd')
AND NOT (name='node' AND cwd LIKE '%/console-ui/app')
AND NOT (name='FindMy' AND path='/System/Applications/FindMy.app/Contents/MacOS/FindMy')
AND NOT (path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
AND path NOT LIKE '/Applications/%.app/Contents/%'
AND path NOT LIKE '/System/Library/%'