Merge pull request #282 from tstromberg/dns
Cleanup unexpected-dns-traffic-events
This commit is contained in:
commit
c096acee92
@ -3,7 +3,7 @@
|
||||
-- references:
|
||||
-- * https://attack.mitre.org/techniques/T1071/004/ (C2: Application Layer Protocol: DNS)
|
||||
--
|
||||
-- interval: 120
|
||||
-- interval: 300
|
||||
-- tags: persistent events net
|
||||
--
|
||||
-- NOTE: The interval above must match WHERE clause to avoid missing events
|
||||
@ -19,6 +19,7 @@ SELECT
|
||||
s.action,
|
||||
s.status,
|
||||
p.name,
|
||||
COALESCE(REGEX_MATCH (p.path, '.*/(.*)', 1), p.path) AS basename,
|
||||
p.path,
|
||||
p.cmdline AS child_cmd,
|
||||
p.cwd,
|
||||
@ -33,7 +34,7 @@ FROM
|
||||
LEFT JOIN processes pp ON p.parent = pp.pid
|
||||
LEFT JOIN hash ON p.path = hash.path
|
||||
WHERE
|
||||
s.time > (strftime('%s', 'now') -120)
|
||||
s.time > (strftime('%s', 'now') -300)
|
||||
AND remote_port IN (53, 5353)
|
||||
AND remote_address NOT LIKE '%:%'
|
||||
AND s.remote_address NOT LIKE '172.1%'
|
||||
@ -62,19 +63,6 @@ WHERE
|
||||
-- Some applications hard-code a safe DNS resolver, or allow the user to configure one
|
||||
AND s.remote_address NOT IN (
|
||||
'100.100.100.100', -- Tailscale Magic DNS
|
||||
'1.1.1.1', -- Cloudflare
|
||||
'1.1.1.2', -- Cloudflare
|
||||
'8.8.8.8', -- Google
|
||||
'8.8.4.4', -- Google (backup)
|
||||
'4.2.2.1', -- Level 3
|
||||
'4.2.2.2', -- Level 3
|
||||
'4.2.2.3', -- Level 3
|
||||
'4.2.2.4', -- Level 3
|
||||
'4.2.2.5', -- Level 3
|
||||
'4.2.2.6', -- Level 3
|
||||
'208.67.220.220', -- OpenDNS
|
||||
'208.67.222.222', -- OpenDNS
|
||||
'208.67.222.123', -- OpenDNS
|
||||
'208.67.220.123', -- OpenDNS FamilyShield
|
||||
'75.75.75.75', -- Comcast
|
||||
'75.75.76.76', -- Comcast
|
||||
@ -85,33 +73,22 @@ WHERE
|
||||
AND exception_key NOT IN (
|
||||
'coredns,0.0.0.0,53',
|
||||
'syncthing,46.162.192.181,53',
|
||||
'Code Helper,208.67.222.123,53',
|
||||
'Code Helper,68.105.29.11,53',
|
||||
'Opera Helper,77.111.247.77,53',
|
||||
'chrome,74.125.250.47,53',
|
||||
'AssetCacheLocatorService,0.0.0.0,53',
|
||||
'Jabra Direct Helper,208.67.222.123,53'
|
||||
'AssetCacheLocatorService,0.0.0.0,53'
|
||||
)
|
||||
AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53'
|
||||
AND p.name != 'nessusd'
|
||||
-- Local DNS servers and custom clients go here
|
||||
-- Electron apps
|
||||
AND p.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/% Helper'
|
||||
AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'
|
||||
AND p.path NOT LIKE '/Volumes/Google Chrome/%.app/Contents/MacOS/% Helper'
|
||||
AND p.path NOT IN (
|
||||
'/Library/Nessus/run/sbin/nessusd',
|
||||
'/opt/google/chrome/chrome',
|
||||
'/usr/bin/apko',
|
||||
'/usr/bin/melange',
|
||||
'/sbin/apk',
|
||||
'/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking',
|
||||
'/usr/lib/systemd/systemd-resolved'
|
||||
AND basename NOT IN (
|
||||
'chrome',
|
||||
'Jabra Direct Helper',
|
||||
'nessusd',
|
||||
'apko',
|
||||
'melange',
|
||||
'com.apple.WebKit.Networking',
|
||||
'apk',
|
||||
'systemd-resolved'
|
||||
)
|
||||
-- Chromium apps can send stray DNS packets
|
||||
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
|
||||
AND p.path NOT LIKE '/Applications/Brave Browser.app/Contents/Frameworks/Brave Browser Framework.framework/Versions/%/Helpers/Brave Browser Helper.app/Contents/MacOS/Brave Browser Helper'
|
||||
AND p.path NOT LIKE '/Applications/Opera.app/Contents/Frameworks/Opera Framework.framework/Versions/%/Helpers/Opera Helper.app/Contents/MacOS/Opera Helper'
|
||||
AND p.name NOT IN ('Jabra Direct Helper')
|
||||
-- Chromium/Electron apps seem to send stray packets out like nobodies business
|
||||
AND p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'
|
||||
-- Workaround for the GROUP_CONCAT subselect adding a blank ent
|
||||
GROUP BY
|
||||
s.remote_address,
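Review bot: The new `basename NOT IN ('chrome', 'Jabra Direct Helper', 'nessusd', ...)` exception is evadable by file name alone, because `basename` is just the last path component of `p.path`, so a DNS-tunnelling client dropped anywhere on disk as `chrome` or `systemd-resolved` is exempted where the previous absolute-path list (`/opt/google/chrome/chrome`, `/usr/lib/systemd/systemd-resolved`, ...) would still have alerted. The broadened `p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'` has the same weakness: it now exempts a bundle in `/tmp` or any user-writable directory, not just `/Applications`, `/Volumes/Google Chrome` and AppTranslocation as before. Since this query exists to catch T1071.004 and the hunk already keeps `exception_key` tied to a remote address, I would keep the basename list but only honour it when the binary lives under a system or application prefix, and anchor the helper pattern back to `/Applications/`; the prefixes below are those the removed path list used, and the Jabra helper path is presumed to be under `/Applications` — worth confirming.
```sql
  -- … unchanged: remote_address / exception_key / nessusd filters …
  -- Trusted clients are excepted only when they run from a system or
  -- application directory; a copy of "chrome" in /tmp still alerts
  AND NOT (
    basename IN (
      'chrome',
      'Jabra Direct Helper',
      'nessusd',
      'apko',
      'melange',
      'com.apple.WebKit.Networking',
      'apk',
      'systemd-resolved'
    )
    AND (
      p.path LIKE '/Applications/%'
      OR p.path LIKE '/Library/%'
      OR p.path LIKE '/System/%'
      OR p.path LIKE '/opt/%'
      OR p.path LIKE '/sbin/%'
      OR p.path LIKE '/usr/%'
    )
  )
  -- Chromium/Electron helpers send stray DNS; keep the exception within /Applications
  AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'
  -- … unchanged: GROUP_CONCAT workaround and GROUP BY …
```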
|
||||
|