mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-12 09:04:35 +00:00
350 lines
7.7 KiB
SQL
350 lines
7.7 KiB
SQL
SELECT
|
|
s.family,
|
|
protocol,
|
|
s.local_port,
|
|
s.remote_port,
|
|
s.local_address,
|
|
s.remote_address,
|
|
p.name,
|
|
p.path,
|
|
p.cmdline AS child_cmd,
|
|
p.cwd,
|
|
s.pid,
|
|
s.net_namespace,
|
|
pp.path AS parent_path,
|
|
p.parent AS parent_pid,
|
|
pp.cmdline AS parent_cmd,
|
|
hash.sha256,
|
|
CONCAT (
|
|
MIN(s.remote_port, 32768),
|
|
",",
|
|
protocol,
|
|
",",
|
|
MIN(p.uid, 500),
|
|
",",
|
|
p.name
|
|
) AS exception_key
|
|
FROM
|
|
process_open_sockets s
|
|
LEFT JOIN processes p ON s.pid = p.pid
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
WHERE
|
|
protocol > 0
|
|
AND s.remote_port > 0
|
|
AND s.remote_address NOT IN ("127.0.0.1", "::ffff:127.0.0.1", "::1")
|
|
AND s.remote_address NOT LIKE "fe80:%"
|
|
AND s.remote_address NOT LIKE "127.%"
|
|
AND s.remote_address NOT LIKE "192.168.%"
|
|
AND s.remote_address NOT LIKE "172.1%"
|
|
AND s.remote_address NOT LIKE "172.2%"
|
|
AND s.remote_address NOT LIKE "172.30.%"
|
|
AND s.remote_address NOT LIKE "172.31.%"
|
|
AND s.remote_address NOT LIKE "::ffff:172.%"
|
|
AND s.remote_address NOT LIKE "10.%"
|
|
AND s.remote_address NOT LIKE "::ffff:10.%"
|
|
AND s.remote_address NOT LIKE "fc00:%"
|
|
AND s.state != "LISTEN"
|
|
-- DNS clients
|
|
AND NOT (
|
|
remote_port = 53
|
|
AND protocol IN (6, 17)
|
|
AND p.name IN (
|
|
"1password",
|
|
"apt",
|
|
"apt-get",
|
|
"Brackets",
|
|
"chainctl",
|
|
"chrome",
|
|
"chronyd",
|
|
"cloud_sql_proxy",
|
|
"code",
|
|
"containerd",
|
|
"controlplane",
|
|
"crc",
|
|
"curl",
|
|
"dig",
|
|
"dnf",
|
|
"electron",
|
|
"firefox",
|
|
".firefox-wrappe",
|
|
"flameshot",
|
|
"gh",
|
|
"git-remote-http",
|
|
"gitsign",
|
|
"gnome-software",
|
|
"go",
|
|
"grafana-server",
|
|
"grype",
|
|
"host",
|
|
"htop",
|
|
"istioctl",
|
|
"jcef_helper",
|
|
"k6",
|
|
"k9s",
|
|
"ko",
|
|
"kolide-pipeline",
|
|
"launcher",
|
|
"NetworkManager",
|
|
"ngrok",
|
|
"nix",
|
|
"node",
|
|
"nscd",
|
|
"obs",
|
|
"obs-browser-page",
|
|
"obs-ffmpeg-mux",
|
|
"obsidian",
|
|
"opera",
|
|
"pacman",
|
|
"ping",
|
|
"podman",
|
|
"prometheus",
|
|
"rootlessport",
|
|
"signal-desktop",
|
|
"slack",
|
|
"slirp4netns",
|
|
"snapd",
|
|
"snap-store",
|
|
"Socket Process",
|
|
"spotify",
|
|
"ssh",
|
|
"steam",
|
|
"steamwebhelper",
|
|
"syncthing",
|
|
"systemd-resolve",
|
|
"tailscaled",
|
|
".tailscaled-wra",
|
|
"terraform",
|
|
"terraform-provi",
|
|
"tkn",
|
|
"traceroute",
|
|
"vcluster",
|
|
"wget",
|
|
"whois",
|
|
"xmobar",
|
|
"yay",
|
|
"zoom"
|
|
)
|
|
)
|
|
-- General exceptions
|
|
AND NOT exception_key IN (
|
|
"123,17,,",
|
|
"123,17,500,chronyd",
|
|
"22,6,,", -- shortlived SSH (git push)
|
|
"22,6,500,ssh",
|
|
"22067,6,500,syncthing",
|
|
"27024,6,500,steam",
|
|
"3100,6,500,firefox",
|
|
"3100,6,500,k6",
|
|
"3307,6,500,cloud_sql_proxy",
|
|
"4070,6,500,spotify",
|
|
"443,17,500,chrome",
|
|
"443,17,500,electron",
|
|
"443,17,500,jcef_helper",
|
|
"443,17,500,slack",
|
|
"443,17,500,spotify",
|
|
"443,6,0,.tailscaled-wra",
|
|
"443,6,0,containerd",
|
|
"443,6,0,depmod",
|
|
"443,6,0,dirmngr",
|
|
"443,6,0,dnf",
|
|
"443,6,0,dockerd",
|
|
"443,6,0,influxd",
|
|
"443,6,0,launcher",
|
|
"443,6,0,nix-daemon",
|
|
"443,6,0,packagekitd",
|
|
"443,6,0,pacman",
|
|
"443,6,0,snapd",
|
|
"443,6,0,tailscaled",
|
|
"443,6,0,yum",
|
|
"443,6,105,https", -- /usr/lib/apt/methods/https
|
|
"443,6,472,grafana-server",
|
|
"443,6,500,___go_build_github_com_anchore_grype,a.out,",
|
|
"443,6,500,.firefox-wrappe",
|
|
"443,6,500,1password",
|
|
"443,6,500,authentik-proxy",
|
|
"443,6,500,aws",
|
|
"443,6,500,Brackets",
|
|
"443,6,500,celery",
|
|
"443,6,500,chainctl",
|
|
"443,6,500,chrome",
|
|
"443,6,500,cloud_sql_proxy",
|
|
"443,6,500,code",
|
|
"443,6,500,containerd",
|
|
"443,6,500,controlplane",
|
|
"443,6,500,cosign",
|
|
"443,6,500,crane",
|
|
"443,6,500,CrBrowserMain",
|
|
"443,6,500,crc",
|
|
"443,6,500,CrUtilityMain",
|
|
"443,6,500,curl",
|
|
"443,6,500,Discord",
|
|
"443,6,500,electron",
|
|
"443,6,500,emacs",
|
|
"443,6,500,firefox",
|
|
"443,6,500,flameshot",
|
|
"443,6,500,geoclue",
|
|
"443,6,500,gh",
|
|
"443,6,500,git-remote-http",
|
|
"443,6,500,gitsign",
|
|
"443,6,500,gnome-shell",
|
|
"443,6,500,gnome-software",
|
|
"443,6,500,go",
|
|
"443,6,500,grafana-server",
|
|
"443,6,500,grype",
|
|
"443,6,500,gunicorn",
|
|
"443,6,500,gvfsd-http",
|
|
"443,6,500,htop",
|
|
"443,6,500,influxd",
|
|
"443,6,500,istioctl",
|
|
"443,6,500,java",
|
|
"443,6,500,jcef_helper",
|
|
"443,6,500,jetbrains-toolb",
|
|
"443,6,500,k6",
|
|
"443,6,500,k9s",
|
|
"443,6,500,ko",
|
|
"443,6,500,kolide-pipeline",
|
|
"443,6,500,kubectl",
|
|
"443,6,500,ngrok",
|
|
"443,6,500,nix",
|
|
"443,6,500,node",
|
|
"443,6,500,obs-browser-page",
|
|
"443,6,500,obs-ffmpeg-mux",
|
|
"443,6,500,obs",
|
|
"443,6,500,obsidian",
|
|
"443,6,500,pingsender",
|
|
"443,6,500,pip",
|
|
"443,6,500,podman",
|
|
"443,6,500,signal-desktop",
|
|
"443,6,500,slack",
|
|
"443,6,500,slirp4netns",
|
|
"443,6,500,snap-store",
|
|
"443,6,500,Socket Process",
|
|
"443,6,500,spotify",
|
|
"443,6,500,steamwebhelper",
|
|
"443,6,500,teams",
|
|
"443,6,500,terraform-provi",
|
|
"443,6,500,terraform",
|
|
"443,6,500,tkn",
|
|
"443,6,500,trivy",
|
|
"443,6,500,vcluster",
|
|
"443,6,500,vim",
|
|
"443,6,500,WebKitNetworkPr",
|
|
"443,6,500,wget",
|
|
"443,6,500,wineserver",
|
|
"443,6,500,x11-ssh-askpass",
|
|
"443,6,500,xmobar",
|
|
"443,6,500,yay",
|
|
"443,6,500,zoom",
|
|
"5228,6,500,chrome",
|
|
"6000,6,500,ssh",
|
|
"7903,6,500,syncthing",
|
|
"80,6,0,.tailscaled-wra",
|
|
"80,6,0,dnf",
|
|
"443,6,500,.tox-wrapped",
|
|
"80,6,0,NetworkManager",
|
|
"80,6,0,pacman",
|
|
"80,6,0,tailscaled",
|
|
"80,6,0,yum",
|
|
"80,6,105,http", -- /usr/lib/apt/methods/http
|
|
"80,6,500,.firefox-wrappe",
|
|
"80,6,500,curl",
|
|
"80,6,500,firefox",
|
|
"80,6,500,slack",
|
|
"80,6,500,spotify",
|
|
"80,6,500,steam",
|
|
"80,6,500,steamwebhelper",
|
|
"80,6,500,syncthing",
|
|
"8006,6,500,chrome",
|
|
"8801,17,500,zoom",
|
|
"9090,6,500,firefox",
|
|
"9090,6,500,k6",
|
|
"9090,6,500,prometheus",
|
|
"9090,6,500,rootlessport"
|
|
|
|
)
|
|
-- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
|
|
AND NOT (
|
|
remote_address LIKE("151.101.%")
|
|
AND remote_port = 443
|
|
AND protocol = 6
|
|
AND (
|
|
parent_path LIKE "%/bin/bash"
|
|
OR parent_path LIKE "%/bin/zsh"
|
|
OR parent_path LIKE "%/bin/nix"
|
|
OR p.path LIKE "/nix/store/%"
|
|
)
|
|
)
|
|
AND NOT p.cmdline LIKE "bash --rcfile /tmp/nix-shell.%"
|
|
|
|
-- Other more complicated situations
|
|
AND NOT (
|
|
p.name = "rootlessport"
|
|
AND remote_port > 1024
|
|
)
|
|
AND NOT (
|
|
p.name = "syncthing"
|
|
AND (
|
|
remote_port IN (53, 80, 88, 110, 443, 587, 993, 3306, 7451)
|
|
OR remote_port > 1024
|
|
)
|
|
)
|
|
AND NOT (
|
|
p.name IN (
|
|
"chrome",
|
|
"Google Chrome Helper",
|
|
"Brave Browser Helper",
|
|
"Chromium Helper",
|
|
"Opera Helper"
|
|
)
|
|
AND remote_port IN (
|
|
53,
|
|
3100,
|
|
443,
|
|
80,
|
|
8006,
|
|
9000,
|
|
5004,
|
|
8009,
|
|
8080,
|
|
8888,
|
|
8443,
|
|
5228,
|
|
32211,
|
|
53,
|
|
10001,
|
|
3478,
|
|
19305,
|
|
19306,
|
|
19307,
|
|
19308,
|
|
19309
|
|
)
|
|
)
|
|
AND NOT (
|
|
p.name IN ("thunderbird")
|
|
AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
|
|
)
|
|
AND NOT (
|
|
p.name IN ("spotify", "Spotify Helper", "Spotify")
|
|
AND remote_port IN (53, 443, 8009, 4070, 32211)
|
|
)
|
|
AND NOT (
|
|
remote_port IN (443, 53)
|
|
AND p.name LIKE "terraform-provider-%"
|
|
)
|
|
AND NOT (
|
|
remote_port IN (443, 53)
|
|
AND p.name LIKE "npm exec %"
|
|
)
|
|
AND NOT (
|
|
remote_port iN (443, 53)
|
|
AND p.name LIKE "kubectl.%"
|
|
)
|
|
AND NOT (
|
|
p.cmdline LIKE "%google-cloud-sdk/lib/gcloud.py%"
|
|
AND remote_port IN (80, 53, 443)
|
|
)
|
|
GROUP BY
|
|
p.cmdline
|