More additions

Thomas Stromberg 2022-09-01 20:36:48 -04:00
parent e9dcfbbe2e
commit af8ecbb03e
2 changed files with 12 additions and 3 deletions


@ -25,17 +25,19 @@ AND NOT (p.name IN ('spotify', 'Spotify Helper', 'Spotify') AND remote_port IN (
AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17) AND NOT (p.name='coredns' AND remote_port=53 AND protocol=17)
AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17) AND NOT (p.name='systemd-resolve' AND remote_port=53 AND protocol=17)
AND NOT (p.name='ssh' AND remote_port=22 AND protocol=6) AND NOT (p.name='ssh' AND remote_port=22 AND protocol=6)
AND NOT (p.name='java' AND remote_port IN (30031,25565) AND protocol=6)
AND NOT (p.path = '/usr/bin/gnome-software' AND remote_port = 443) AND NOT (p.path = '/usr/bin/gnome-software' AND remote_port = 443)
AND NOT (p.path = '/usr/libexec/rapportd' AND remote_port > 49000 and protocol=6) AND NOT (p.path = '/usr/libexec/rapportd' AND remote_port > 49000 and protocol=6)
AND NOT (p.path = '/usr/libexec/timed' AND remote_port = 123) AND NOT (p.path = '/usr/libexec/timed' AND remote_port = 123)
AND NOT (p.path = '/usr/libexec/trustd' AND remote_port IN (80,443)) AND NOT (p.path = '/usr/libexec/trustd' AND remote_port IN (80,443))
AND NOT (p.path = '/usr/libexec/trustd' AND remote_port IN (80,443))
AND NOT (p.path LIKE '/private/var/folders/%/Reflect 2.app/Contents/Frameworks/Reflect Helper.app/Contents/MacOS/Reflect Helper' AND p.cwd='/' AND remote_port=443 AND s.protocol IN (6,17)) AND NOT (p.path LIKE '/private/var/folders/%/Reflect 2.app/Contents/Frameworks/Reflect Helper.app/Contents/MacOS/Reflect Helper' AND p.cwd='/' AND remote_port=443 AND s.protocol IN (6,17))
AND NOT (p.path LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%' AND p.cwd='/' AND remote_port=443 AND protocol=6) AND NOT (p.path LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%' AND p.cwd='/' AND remote_port=443 AND protocol=6)
AND NOT (p.path LIKE '/Users/%/.cache/trunk/cli/%/trunk' AND remote_port=443 AND s.protocol=6) AND NOT (p.path LIKE '/Users/%/.cache/trunk/cli/%/trunk' AND remote_port=443 AND s.protocol=6)
AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=443 AND protocol=6) AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=443 AND protocol=6)
AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=9000 AND protocol=17) AND NOT (p.path LIKE '/Users/%/Library/Application Support/WebEx Folder/%/Meeting Center.app/Contents/MacOS/Meeting Center' AND p.cwd='/' AND remote_port=9000 AND protocol=17)
AND NOT (p.path LIKE '%/firefox' AND remote_port IN (443,80)) AND NOT (p.path LIKE '%/firefox' AND remote_port IN (443,80))
AND NOT (p.path LIKE '%/NetworkManager' AND remote_port = 67) AND NOT (p.path LIKE '%/NetworkManager' AND remote_port IN (67,80))
AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80)) AND NOT (p.path LIKE '%tailscaled%' AND remote_port IN (443,80))
AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=4500 AND protocol=17) AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=4500 AND protocol=17)
AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=500 AND protocol=17) AND NOT (p.path='/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter' AND p.cwd='/' AND remote_port=500 AND protocol=17)
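Review bot: The new `AND NOT (p.name='java' AND remote_port IN (30031,25565) AND protocol=6)` clause is keyed on p.name alone, so any process that happens to be named java and reaches those ports over TCP is removed from the result set regardless of where its binary lives, while every neighbouring clause in this hunk pins p.path as well. The same name-only pattern continues in the second hunk, where `'launcher-Helper'`, `'ngrok'` and `'jcef_helper'` are added to the p.name list and that list's protocol test is widened from `protocol=6` to `protocol IN (6,17)`, so each listed name now also covers UDP 443; for a rule whose purpose is surfacing unexpected outbound connections, a name that is itself usually worth seeing (ngrok in particular) is a costly thing to allowlist by name. Where the binary location is stable, anchoring on p.path (for the java case something like `p.path LIKE '%/bin/java'`, to be confirmed against the fleet) keeps the exclusion from matching arbitrary processes that adopt the name. Separately, the added `AND NOT (p.path = '/usr/libexec/trustd' AND remote_port IN (80,443))` line is byte-identical to the context line directly above it and can be dropped. The enclosing WHERE clause begins and ends outside this hunk.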
@ -47,14 +49,17 @@ AND NOT (remote_port = 443 AND protocol=6 AND p.path LIKE '/usr/libexec/%')
AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/Applications/%.app/Contents/%') AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/Applications/%.app/Contents/%')
AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Applications/%') AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Applications/%')
AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Library/%') AND NOT (remote_port IN (80, 443) AND protocol IN (6,17) AND p.path LIKE '/System/Library/%')
AND NOT (remote_port=443 AND protocol=6 AND p.name IN ( AND NOT (remote_port=443 AND protocol IN (6,17) AND p.name IN (
'gitsign', 'gitsign',
'ko', 'ko',
'kubectl', 'kubectl',
'k9s', 'k9s',
'launcher-Helper',
'terraform', 'terraform',
'steam_osx', 'steam_osx',
'slack', 'slack',
'ngrok',
'jcef_helper',
'Slack Helper', 'Slack Helper',
'Slack', 'Slack',
'controlplane', 'controlplane',
@ -66,5 +71,5 @@ AND NOT (remote_port=443 AND protocol=6 AND p.name IN (
) )
) )
AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%') AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'terraform-provider-%')
AND NOT (remote_port=443 AND protocol=6 AND p.name LIKE 'kubectl.%')

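--- a/[FILE-2 PATH NOT SHOWN ON PAGE]
+++ b/[FILE-2 PATH NOT SHOWN ON PAGE]
@@ -18,11 +18,15 @@ AND NOT (name='launcher' AND path='/usr/local/kolide-k2/bin/launcher-updates/165
 AND NOT (name='logd' AND cmdline='/usr/libexec/logd' AND parent=1)
 AND NOT (name='osqueryd' AND path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd')
 AND NOT (name='packagekitd' AND path='/usr/libexec/packagekitd')
+AND NOT (name='spindump' AND path='/usr/sbin/spindump')
+AND NOT (name='systemstats' AND path='/usr/sbin/systemstats')
 AND NOT (name='signpost_reporter' AND cmdline='/usr/libexec/signpost_reporter' AND parent=1)
 AND NOT (name='snapd' AND path='/usr/lib/snaptd/snaptd')
 AND NOT (name='syspolicyd' AND path='/usr/libexec/syspolicyd' AND parent=1)
 AND NOT (name='systemd-udevd' AND path='/usr/bin/udevadm')
 AND NOT (name='systemd' AND path='/usr/lib/systemd/systemd')
+AND NOT (name='node' AND cwd LIKE '%/console-ui/app')
+AND NOT (name='FindMy' AND path='/System/Applications/FindMy.app/Contents/MacOS/FindMy')
 AND NOT (path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
 AND path NOT LIKE '/Applications/%.app/Contents/%'
 AND path NOT LIKE '/System/Library/%'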
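Review bot: The added `AND NOT (name='node' AND cwd LIKE '%/console-ui/app')` exclusion is the only new clause that does not pin path or cmdline: it drops every process named node whose working directory merely ends in `/console-ui/app`, wherever that directory sits, and the leading `%` means no part of the location is actually constrained. The other three additions (spindump, systemstats, FindMy) follow the file's existing convention of name plus an absolute path, so the node clause should do the same, e.g. `AND NOT (name='node' AND path='<ABSOLUTE NODE PATH - confirm>' AND cwd LIKE '%/console-ui/app')`, or at least anchor cwd to the user or project root it is meant to cover. While here, the pre-existing context line `name='snapd' AND path='/usr/lib/snaptd/snaptd'` looks like a typo (snaptd vs snapd) and would then never match; worth a check since it defeats the exclusion it intends. The enclosing WHERE clause begins outside this hunk.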