osquery-defense-kit/net/unexpected-talkers-linux.sql

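-- unexpected-talkers-linux: report processes holding a non-loopback, non-private
-- outbound socket that none of the allowlists below account for.
--
-- Exceptions are expressed two ways:
--   * a per-program DNS allowlist (remote port 53 over TCP or UDP)
--   * an exception_key of "<remote_port>,<protocol>,<uid>,<process name>", where
--     remote ports of 32768 and above and uids of 500 and above are clamped so a
--     single key covers the ephemeral-port and regular-user cases.
-- Keys with empty uid/name fields (e.g. "22,6,,") match sockets whose owning
-- process is no longer in the processes table, so the LEFT JOIN yields NULL there.
SELECT
  s.family,
  protocol,
  s.local_port,
  s.remote_port,
  s.local_address,
  s.remote_address,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
  s.pid,
  s.net_namespace,
  pp.path AS parent_path,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
  hash.sha256,
  -- SQLite's two-argument MIN is a scalar clamp, not an aggregate.
  CONCAT (
    MIN(s.remote_port, 32768),
    ",",
    protocol,
    ",",
    MIN(p.uid, 500),
    ",",
    p.name
  ) AS exception_key
FROM
  process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
WHERE
  protocol > 0
  AND s.remote_port > 0
  -- Loopback, link-local and RFC 1918 destinations are out of scope.
  AND s.remote_address NOT IN ("127.0.0.1", "::ffff:127.0.0.1", "::1")
  AND s.remote_address NOT LIKE "fe80:%"
  AND s.remote_address NOT LIKE "127.%"
  AND s.remote_address NOT LIKE "192.168.%"
  -- 172.16.0.0/12 is 172.16 through 172.31 only. A bare "172.1%" / "172.2%"
  -- prefix would also hide the public 172.1.x, 172.10-172.15.x and
  -- 172.100-172.255.x ranges, so GLOB character classes pin the exact octets.
  AND s.remote_address NOT GLOB "172.1[6-9].*"
  AND s.remote_address NOT GLOB "172.2[0-9].*"
  AND s.remote_address NOT GLOB "172.3[01].*"
  AND s.remote_address NOT GLOB "::ffff:172.1[6-9].*"
  AND s.remote_address NOT GLOB "::ffff:172.2[0-9].*"
  AND s.remote_address NOT GLOB "::ffff:172.3[01].*"
  AND s.remote_address NOT LIKE "10.%"
  AND s.remote_address NOT LIKE "::ffff:10.%"
  -- NOTE(review): ULA is fc00::/7, which also contains fd00::/8; this prefix
  -- pattern only excludes addresses that literally start with "fc00:".
  AND s.remote_address NOT LIKE "fc00:%"
  AND s.state != "LISTEN"
  -- DNS clients
  AND NOT (
    remote_port = 53
    AND protocol IN (6, 17)
    AND p.name IN (
      "1password",
      "apt",
      "apt-get",
      "Brackets",
      "chainctl",
      "chrome",
      "chronyd",
      "cloud_sql_proxy",
      "code",
      "containerd",
      "controlplane",
      "crc",
      "curl",
      "dig",
      "dnf",
      "electron",
      "firefox",
      ".firefox-wrappe",
      "flameshot",
      "gh",
      "git-remote-http",
      "gitsign",
      "gnome-software",
      "go",
      "grafana-server",
      "grype",
      "host",
      "htop",
      "istioctl",
      "jcef_helper",
      "k6",
      "k9s",
      "ko",
      "kolide-pipeline",
      "launcher",
      "NetworkManager",
      "ngrok",
      "nix",
      "node",
      "nscd",
      "obs",
      "obs-browser-page",
      "obs-ffmpeg-mux",
      "obsidian",
      "opera",
      "pacman",
      "ping",
      "podman",
      "prometheus",
      "rootlessport",
      "signal-desktop",
      "slack",
      "slirp4netns",
      "snapd",
      "snap-store",
      "Socket Process",
      "spotify",
      "ssh",
      "steam",
      "steamwebhelper",
      "syncthing",
      "systemd-resolve",
      "tailscaled",
      ".tailscaled-wra",
      "terraform",
      "terraform-provi",
      "tkn",
      "traceroute",
      "vcluster",
      "wget",
      "whois",
      "xmobar",
      "yay",
      "zoom"
    )
  )
  -- General exceptions, keyed as "<remote_port>,<protocol>,<uid>,<name>".
  -- Keep the list sorted so duplicates and gaps are easy to spot in review.
  AND NOT exception_key IN (
    "123,17,,",
    "123,17,500,chronyd",
    "22067,6,500,syncthing",
    "22,6,500,ssh",
    "22,6,,", -- shortlived SSH (git push)
    "27024,6,500,steam",
    "3100,6,500,firefox",
    "3100,6,500,k6",
    "3307,6,500,cloud_sql_proxy",
    "4070,6,500,spotify",
    "443,17,500,chrome",
    "443,17,500,electron",
    "443,17,500,jcef_helper",
    "443,17,500,slack",
    "443,17,500,spotify",
    "443,6,0,containerd",
    "443,6,0,depmod",
    "443,6,0,dirmngr",
    "443,6,0,dnf",
    "443,6,0,dockerd",
    "443,6,0,influxd",
    "443,6,0,launcher",
    "443,6,0,nix-daemon",
    "443,6,0,packagekitd",
    "443,6,0,pacman",
    "443,6,0,snapd",
    "443,6,0,tailscaled",
    "443,6,0,.tailscaled-wra",
    "443,6,0,yum",
    "443,6,105,https", -- /usr/lib/apt/methods/https
    "443,6,472,grafana-server",
    "443,6,500,1password",
    "443,6,500,authentik-proxy",
    "443,6,500,aws",
    "443,6,500,Brackets",
    "443,6,500,celery",
    "443,6,500,chainctl",
    "443,6,500,chrome",
    "443,6,500,cloud_sql_proxy",
    "443,6,500,code",
    "443,6,500,containerd",
    "443,6,500,controlplane",
    "443,6,500,cosign",
    "443,6,500,crane",
    "443,6,500,CrBrowserMain",
    "443,6,500,crc",
    "443,6,500,CrUtilityMain",
    "443,6,500,curl",
    "443,6,500,Discord",
    "443,6,500,electron",
    "443,6,500,firefox",
    "443,6,500,.firefox-wrappe",
    "443,6,500,flameshot",
    "443,6,500,geoclue",
    "443,6,500,gh",
    "443,6,500,git-remote-http",
    "443,6,500,gitsign",
    "443,6,500,gnome-shell",
    "443,6,500,gnome-software",
    "443,6,500,go",
    "443,6,500,___go_build_github_com_anchore_grype,a.out,",
    "443,6,500,grafana-server",
    "443,6,500,grype",
    "443,6,500,gunicorn",
    "443,6,500,gvfsd-http",
    "443,6,500,htop",
    "443,6,500,influxd",
    "443,6,500,istioctl",
    "443,6,500,java",
    "443,6,500,jcef_helper",
    "443,6,500,jetbrains-toolb",
    "443,6,500,k6",
    "443,6,500,k9s",
    "443,6,500,ko",
    "443,6,500,kolide-pipeline",
    "443,6,500,kubectl",
    "443,6,500,ngrok",
    "443,6,500,nix",
    "443,6,500,node",
    "443,6,500,obs",
    "443,6,500,obs-browser-page",
    "443,6,500,obs-ffmpeg-mux",
    "443,6,500,obsidian",
    "443,6,500,pingsender",
    "443,6,500,podman",
    "443,6,500,signal-desktop",
    "443,6,500,slack",
    "443,6,500,slirp4netns",
    "443,6,500,snap-store",
    "443,6,500,Socket Process",
    "443,6,500,spotify",
    "443,6,500,steamwebhelper",
    "443,6,500,teams",
    "443,6,500,terraform",
    "443,6,500,terraform-provi",
    "443,6,500,tkn",
    "443,6,500,trivy",
    "443,6,500,vcluster",
    "443,6,500,WebKitNetworkPr",
    "443,6,500,wget",
    "443,6,500,wineserver",
    "443,6,500,x11-ssh-askpass",
    "443,6,500,xmobar",
    "443,6,500,yay",
    "443,6,500,zoom",
    "5228,6,500,chrome",
    "6000,6,500,ssh",
    "7903,6,500,syncthing",
    "8006,6,500,chrome",
    "80,6,0,dnf",
    "80,6,0,NetworkManager",
    "80,6,0,pacman",
    "80,6,0,tailscaled",
    "80,6,0,.tailscaled-wra",
    "80,6,0,yum",
    "80,6,105,http", -- /usr/lib/apt/methods/http
    "80,6,500,curl",
    "80,6,500,firefox",
    "80,6,500,.firefox-wrappe",
    "80,6,500,slack",
    "80,6,500,spotify",
    "80,6,500,steam",
    "80,6,500,steamwebhelper",
    "80,6,500,syncthing",
    "8801,17,500,zoom",
    "9090,6,500,firefox",
    "9090,6,500,k6",
    "9090,6,500,prometheus",
    "9090,6,500,rootlessport"
  )
  -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
  AND NOT (
    remote_address LIKE "151.101.%"
    AND remote_port = 443
    AND protocol = 6
    AND (
      parent_path LIKE "%/bash"
      OR parent_path LIKE "%/zsh"
      OR p.path LIKE "/nix/store/%/bash"
    )
  )
  AND NOT p.cmdline LIKE "bash --rcfile /tmp/nix-shell.%"
  -- Other more complicated situations
  AND NOT (
    p.name = "rootlessport"
    AND remote_port > 1024
  )
  AND NOT (
    p.name = "syncthing"
    AND (
      remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
      OR remote_port > 1024
    )
  )
  AND NOT (
    p.name IN (
      "chrome",
      "Google Chrome Helper",
      "Brave Browser Helper",
      "Chromium Helper",
      "Opera Helper"
    )
    AND remote_port IN (
      53,
      80,
      443,
      3100,
      3478,
      5004,
      5228,
      8006,
      8009,
      8080,
      8443,
      8888,
      9000,
      10001,
      19305,
      19306,
      19307,
      19308,
      19309,
      32211
    )
  )
  AND NOT (
    p.name IN ("thunderbird")
    AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
  )
  AND NOT (
    p.name IN ("spotify", "Spotify Helper", "Spotify")
    AND remote_port IN (53, 443, 8009, 4070, 32211)
  )
  AND NOT (
    remote_port IN (443, 53)
    AND p.name LIKE "terraform-provider-%"
  )
  AND NOT (
    remote_port IN (443, 53)
    AND p.name LIKE "npm exec %"
  )
  AND NOT (
    remote_port IN (443, 53)
    AND p.name LIKE "kubectl.%"
  )
  AND NOT (
    p.cmdline LIKE "%google-cloud-sdk/lib/gcloud.py%"
    AND remote_port IN (80, 53, 443)
  )
-- One row per distinct command line. SQLite fills the non-aggregated columns from
-- an arbitrary socket within the group, so per-socket fields (remote_port,
-- remote_address, exception_key) describe only one of possibly several connections
-- held by that command.
GROUP BY
  p.cmdline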