More tuning

Thomas Stromberg 2022-09-16 14:21:42 -04:00
parent f5696431c7
commit b75c7d5404
3 changed files with 11 additions and 3 deletions


@ -28,3 +28,5 @@ AND NOT (
AND NOT (file.directory LIKE "/tmp/tmp%" AND gid=0 AND uid> 300 AND uid< 350)
-- Don't alert if it's only on disk for a moment
AND NOT (file.directory LIKE "/tmp/%" AND (strftime('%s', 'now') - ctime) < 60)
-- macOS updates
AND NOT file.directory LIKE "/tmp/msu-target-%"
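Review bot: The new `/tmp/msu-target-%` exclusion on the last line is not constrained by owner, unlike the `/tmp/tmp%` exclusion a few lines above that also requires `gid=0 AND uid> 300 AND uid< 350`, so any file under a directory whose name starts with that prefix is suppressed regardless of who created it. If the macOS update staging directories are always root-owned, anchoring the carve-out to that, e.g. `AND NOT (file.directory LIKE "/tmp/msu-target-%" AND uid = 0)`, keeps the rule from being silenced by a similarly named directory; confirm the actual ownership before adding the guard. The `-- macOS updates` comment would also be clearer as `-- macOS software-update staging dirs (/tmp/msu-target-*)`. The enclosing WHERE clause begins outside the hunk.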


@ -78,8 +78,12 @@ WHERE
OR p.cmdline LIKE "%ctlog%"
OR p.cmdline LIKE "%.well-known/openid-configuration%"
OR p.cmdline LIKE "%/openid/v1/jwks%"
OR p.cmdline LIKE "--progress-bar"
OR p.cmdline LIKE "%--progress-bar%"
OR parent_cmdline LIKE "%brew.rb%"
OR parent_cmdline LIKE "%brew.sh%"
OR p.cmdline LIKE "git %"
OR p.cmdline LIKE "%LICENSES/vendor/%"
OR p.cmdline LIKE "%localhost:%"
OR p.cmdline LIKE "%127.0.0.1:%"
)
)
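Review bot: Several of the new cmdline exclusions match any command line containing a short substring — `LIKE "git %"`, `LIKE "%localhost:%"`, `LIKE "%127.0.0.1:%"` — and a command line is controlled by whoever launches the process, so the exclusion is satisfied by any process whose arguments happen to contain that text, not just the tooling it is meant to cover; the same lines appear in the third file of this commit. Where the intent is to allow a specific binary, pairing the pattern with the executable path narrows it, e.g. `OR (p.path LIKE "%/git" AND p.cmdline LIKE "git %")`; this assumes the `p` alias exposes a `path` column, which is not visible in the hunk. The `%localhost:%` and `%127.0.0.1:%` patterns would likewise benefit from a comment naming the workflow they are meant to allow so they can be tightened later. The enclosing WHERE clause begins outside the hunk.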


@ -80,10 +80,12 @@ WHERE p.time > (strftime('%s', 'now') -300)
OR p.cmdline LIKE "%ctlog%"
OR p.cmdline LIKE "%.well-known/openid-configuration%"
OR p.cmdline LIKE "%/openid/v1/jwks%"
OR p.cmdline LIKE "--progress-bar"
OR p.cmdline LIKE "%--progress-bar%"
OR parent_cmdline LIKE "%brew.rb%"
OR parent_cmdline LIKE "%brew.sh%"
OR p.cmdline LIKE "git %"
OR p.cmdline LIKE "%LICENSES/vendor/%"
OR p.cmdline LIKE "%localhost:%"
OR p.cmdline LIKE "%127.0.0.1:%"
)
)
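Review bot: The exclusion list in this hunk carries no comments explaining what each pattern is meant to allow, whereas the /tmp file query changed in this same commit annotates each of its carve-outs; `%ctlog%`, `%/openid/v1/jwks%` and `%LICENSES/vendor/%` are not self-explanatory to the next person tuning the rule. A one-line `--` comment above each group, e.g. `-- Homebrew installs and updates` above the two `parent_cmdline LIKE "%brew.%"` lines, makes later pruning safer. The same applies to the identical block in the second file of this commit. The enclosing WHERE clause begins outside the hunk.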