From 03789d2957fa67ad666a837972fa6bd2dcf35e5e Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Fri, 12 Jul 2024 13:12:43 -0500
Subject: [PATCH 1/3] Add LittleSnitch exception_key

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 detection/c2/unexpected-talkers-macos.sql | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 45af292..843e53f 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -192,7 +192,8 @@ WHERE pos.protocol > 0
 '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
 '500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
 '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
- '500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac'
+ '500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
+ '0,6,853,at.obdev.littlesnitch.networkextension,at.obdev.littlesnitch.networkextension,0u,0g'
 ) -- Useful for unsigned binaries
 AND NOT alt_exception_key IN (
 '0,6,80,tailscaled,tailscaled,500u,80g',
@@ -292,4 +293,4 @@ WHERE pos.protocol > 0
 'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
 )
 )
-GROUP BY p0.cmdline
\ No newline at end of file
+GROUP BY p0.cmdline

From fe84cb911c0a38667cbb1fc083ae13cb5e21b182 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Fri, 12 Jul 2024 13:21:02 -0500
Subject: [PATCH 2/3] Higher result/timeout values

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
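Review bot: The added row `'0,6,853,at.obdev.littlesnitch.networkextension,at.obdev.littlesnitch.networkextension,0u,0g'` is written in the alt_exception_key layout (name, name, euid, egid, compare `'0,6,80,tailscaled,tailscaled,500u,80g'` three lines below) but is placed in the exception_key list, whose other rows end in a signing authority and bundle identifier, so as written it is unlikely to ever match and the Little Snitch network extension will keep producing results. The definition of exception_key is above the hunk, so the column order cannot be confirmed from here, but every neighbouring row follows the signer/identifier pattern. If the extension is signed, the stronger fix is a proper exception_key row, `'0,6,853,at.obdev.littlesnitch.networkextension,at.obdev.littlesnitch.networkextension,<SIGNING AUTHORITY>,<BUNDLE ID>'` with the real values filled in; otherwise the row belongs in the alt_exception_key list. The name/uid/port-only form is the weaker allowlist, since it does not tie the exception to a code signature, so prefer the signed form for a root process talking on 853.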
diff --git a/Makefile b/Makefile
index 2aa9175..222b5cc 100644
--- a/Makefile
+++ b/Makefile
@@ -68,8 +68,8 @@ collect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
 .PHONY: verify-ci
 verify-ci: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
 $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response
- $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=2 --max-query-duration=12s verify policy
- $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=15 --max-query-duration=12s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
+ $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=5 --max-query-duration=30s verify policy
+ $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=20 --max-query-duration=30s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection

 # Local verification
 .PHONY: verify

From 2c3409df1028a7580c84f7f40ad27aaa5cd9616b Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Fri, 12 Jul 2024 13:30:48 -0500
Subject: [PATCH 3/3] Even higher values

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 222b5cc..31ebaba 100644
--- a/Makefile
+++ b/Makefile
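Review bot: Raising `--max-results` for `verify detection` from 15 to 20 here, and then to 1000 in the 3/3 hunk, largely removes the result-count guard that catches noisy detection rules on a clean CI host; a detection query returning hundreds of rows there is normally a missing exception rather than a finding, and the low limit is what surfaces that in CI. Two bumps within twenty minutes suggest the verify step was failing and the threshold was moved to fit, so it is worth identifying which query exceeded the old limit and fixing its exception list instead (the exception_key row added in 1/3 is possibly related). If a higher ceiling is genuinely needed, keep it near the observed count and record the reason above the recipe, e.g. `# detection queries should return few rows on a clean host; raise --max-results only with a documented reason`. The `--max-query-duration` increase from 12s to 30s is a separate concern and looks fine for slower runners.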
@@ -68,8 +68,8 @@ collect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
 .PHONY: verify-ci
 verify-ci: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
 $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response
- $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=5 --max-query-duration=30s verify policy
- $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=20 --max-query-duration=30s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
+ $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=50 --max-query-duration=30s verify policy
+ $(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=1000 --max-query-duration=30s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection

 # Local verification
 .PHONY: verify