From 7d3590f9a1ed4f2c519551cb7a2dc08c969cef88 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:44:53 -0400
Subject: [PATCH] Add another firefox & chainctl exception
---
 detection/c2/unexpected-https-client-linux.sql | 3 ++-
 detection/c2/unexpected-talkers-linux.sql | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 52413c2..44588a1 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -70,12 +70,13 @@ WHERE
 '0,/usr/nix,0u,0g,nix',
 '0,/usr/packagekitd,0u,0g,packagekitd',
 '0,/usr/pacman,0u,0g,pacman',
+ '0,/usr/python3.10,0u,0g,dnf',
 '0,/usr/tailscaled,0u,0g,tailscaled',
 '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
 '500,/app/slack,u,g,slack',
 '500,/app/thunderbird,u,g,thunderbird',
 '500,/app/zoom.real,u,g,zoom.real',
- '0,/usr/python3.10,0u,0g,dnf',
+ '500,/home/chainctl,500u,100g,chainctl',
 '500,/home/chainctl,500u,500g,chainctl',
 '500,/home/gitsign,500u,500g,gitsign',
 '500,/home/go,500u,500g,go',
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 581afad..2a9d06a 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -100,6 +100,7 @@ WHERE
 '80,6,500,/usr/chrome,0u,0g,chrome',
 '80,6,500,/usr/curl,0u,0g,curl',
 '80,6,500,/usr/firefox,0u,0g,firefox',
+ '80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
 '8080,6,500,/opt/chrome,0u,0g,chrome',
 '8080,6,500,/usr/firefox,0u,0g,firefox',
 '8443,6,500,/opt/chrome,0u,0g,chrome',
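Review bot: The added `'500,/home/chainctl,500u,100g,chainctl'` row allowlists a binary that lives under /home and is owned by the logged-in user, so as far as the literal shows, the exception rests on a path prefix, file ownership and process name, none of which is a strong identity for a user-writable location. The expression that builds this key is outside the hunk, so confirm how much of the real path it keeps; if only the top-level directory and basename survive, consider narrowing the exception to the actual install directory or pairing it with a file-hash condition. The second gid variant also deserves a why-comment next to the row, for example `-- chainctl installed in $HOME; gid 100 is presumably the 'users' group on some distros`. The `dnf` row is only moved to keep the list sorted and needs no change.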
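Review bot: The wrapper name is allowlisted for port 80 only, while the same hunk shows `'8080,6,500,/usr/firefox,0u,0g,firefox'` without a `.firefox-wrappe` counterpart, so a wrapped Firefox talking to 8080 would presumably still alert. If that is not intended, add `'8080,6,500,/usr/firefox,0u,0g,.firefox-wrappe',` after the existing 8080 firefox row; the list continues outside the hunk, so check the other firefox ports there as well. The name looks cut at 15 characters, which is easy to mistake for a typo, so a short comment such as `-- process name is truncated to 15 chars: .firefox-wrapped` would help the next maintainer. Since this row admits cleartext HTTP on port 80, keeping it tied to the root-owned `/usr` path, as done here, is the right shape.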