From a973dcbcf22ecb7f7bb3141935ab464389a98b89 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 20 Oct 2022 13:12:46 -0400
Subject: [PATCH] Add more Linux/macOS talker exceptions

---
 detection/c2/unexpected-https-client-linux.sql | 2 ++
 detection/c2/unexpected-talkers-linux.sql | 4 +++-
 detection/c2/unexpected-talkers-macos.sql | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index e24b3ad..e937a36 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -73,6 +73,8 @@ WHERE
  '500,/ko-app/controlplane,u,g,controlplane',
  '500,/opt/chrome,0u,0g,chrome',
  '500,/opt/spotify,0u,0g,spotify',
+ '500,/snap/firefox,0u,0g,firefox',
+ '500,/usr/curl,0u,0g,curl',
  '500,/usr/chrome,0u,0g,chrome',
  '500,/usr/code,0u,0g,code',
  '500,/usr/firefox,0u,0g,firefox',
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 3820475..6638ef1 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -84,14 +84,16 @@ WHERE
  '22000,6,500,/usr/syncthing,0u,0g,syncthing',
  '4070,6,500,/opt/spotify,0u,0g,spotify',
  '5228,6,500,/opt/chrome,0u,0g,chrome',
+ '5228,6,500,/usr/chrome,0u,0g,chrome', -- Android Market/GCM
  '8000,6,500,/opt/chrome,0u,0g,chrome',
  '8000,6,500,/usr/firefox,0u,0g,firefox',
  '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager', -- fedoraproject.org
  '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
  '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
  '80,6,500,/opt/chrome,0u,0g,chrome',
+ '80,6,500,/snap/firefox,0u,0g,firefox',,
+ '80,6,500,/usr/curl,0u,0g,curl',
  '80,6,500,/usr/firefox,0u,0g,firefox',
- '5228,6,500,/usr/chrome,0u,0g,chrome', -- Android Market/GCM
  '8080,6,500,/opt/chrome,0u,0g,chrome',
  '8080,6,500,/usr/firefox,0u,0g,firefox',
  '8443,6,500,/opt/chrome,0u,0g,chrome',
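Review bot: The new `'500,/usr/curl,0u,0g,curl'` entry suppresses every HTTPS connection made by curl under uid 500, and because the tuple carries only uid, path and owner fields there is no way to tell a scripted update from an arbitrary download once it is allowlisted; the same broad exception is added for port 80 in the unexpected-talkers-linux.sql hunk. A general-purpose client like curl is exactly the kind of process this "unexpected HTTPS client" query exists to surface, so this is a deliberate reduction in coverage that deserves a justification next to the line, e.g. `'500,/usr/curl,0u,0g,curl', -- <why uid-500 curl is expected on this fleet — TODO fill in>`. If the tuple the query builds can be extended with a parent-process or command-line component, narrowing the exception to the known caller would keep the detection useful; I cannot see the tuple construction from this hunk. The enclosing WHERE clause starts and ends outside the hunk.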
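Review bot: The added line `'80,6,500,/snap/firefox,0u,0g,firefox',,` carries a doubled trailing comma, which makes the value list syntactically invalid; the query will fail to parse rather than return results, so this detection effectively stops running until it is corrected. The fix is the single character `'80,6,500,/snap/firefox,0u,0g,firefox',`. The enclosing WHERE clause and the list it belongs to start and end outside the hunk, so a quick run of the file against osquery (or whatever executes these) before merge would have caught this.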
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 5339a21..5f29306 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -177,6 +177,7 @@ WHERE
  '443,6,500,gh,gh,',
  '443,6,500,git,com.apple.git,Software Signing',
  '443,6,500,git,git,',
+ '443,6,500,git-remote-http,,',
  '443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing',
  '443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,',
  '443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,',
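Review bot: The new `'443,6,500,git-remote-http,,'` entry leaves the last two tuple fields empty, whereas every sibling row for the same process name carries either an Apple identifier plus `Software Signing` or a hash-suffixed identifier; judging from those neighbours the empty fields mean no identifier and no signing authority, so this allowlists any uid-500 process named git-remote-http regardless of what it is or who signed it. Name-only exceptions are the weakest kind in a talker allowlist, so at minimum the line should say which build it covers, e.g. `'443,6,500,git-remote-http,,', -- unsigned git-remote-http: <source of this build — TODO confirm>`, and if that build does have a stable identifier the row should match on it instead. The enclosing WHERE clause starts and ends outside the hunk.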