Merge pull request #368 from tstromberg/fpr-jun25

Massive false-positive reduction, particularly for uBlue

detection/c2/unexpected-https-linux.sql

@@ -57,12 +57,12 @@ WHERE
   AND s.remote_address NOT LIKE 'fc00:%'
   AND p.path != ''
   AND NOT exception_key IN (
-    '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '0,apk,u,g,apk',
     '0,applydeltarpm,0u,0g,applydeltarpm',
     '0,bash,0u,0g,bash',
     '0,bash,0u,0g,mkinitcpio',
     '0,bash,0u,0g,sh',
+    '0,canonical-livepatchd,0u,0g,canonical-livep',
     '0,chainctl,0u,0g,chainctl',
     '0,cmake,u,g,cmake',
     '0,containerd,u,g,containerd',
@@ -78,90 +78,72 @@ WHERE
     '0,http,0u,0g,https',
     '0,ir_agent,0u,0g,ir_agent',
     '0,kmod,0u,0g,depmod',
-    '500,gdb,0u,0g,gdb',
     '0,launcher,0u,0g,launcher',
     '0,launcher,500u,500g,launcher',
     '0,ldconfig,0u,0g,ldconfig',
     '0,make,0u,0g,make',
     '0,metricbeat,0u,0g,metricbeat',
     '0,nessusd,0u,0g,nessusd',
-    '500,license-detector,500u,500g,license-detecto',
     '0,nix,0u,0g,nix',
-    '500,node,500u,500g,npm run start',
     '0,nix,0u,0g,nix-daemon',
     '0,orbit,0u,0g,orbit',
     '0,osqueryd,0u,0g,osqueryd',
     '0,packagekitd,0u,0g,packagekitd',
+    '0,packetbeat,0u,0g,packetbeat',
     '0,pacman,0u,0g,pacman',
     '0,python3.10,0u,0g,dnf',
     '0,python3.10,0u,0g,dnf-automatic',
     '0,python3.10,0u,0g,yum',
     '0,python3.11,0u,0g,dnf',
-    '500,deno,500u,500g,deno',
     '0,python3.11,0u,0g,dnf-automatic',
     '0,python3.11,0u,0g,yum',
+    '0,python3.12,0u,0g,dnf',
     '0,python3.12,0u,0g,dnf-automatic',
     '0,python3.12,0u,0g,yum',
     '0,rapid7_endpoint_broker,0u,0g,rapid7_endpoint',
     '0,rpi-imager,0u,0g,rpi-imager',
     '0,snapd,0u,0g,snapd',
-    '128,fwupdmgr,0u,0g,fwupdmgr',
     '0,systemctl,0u,0g,systemctl',
-    '500,flatpak,0u,0g,flatpak',
     '0,tailscaled,0u,0g,tailscaled',
     '0,tailscaled,500u,500g,tailscaled',
+    '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '0,velociraptor,0u,0g,velociraptor_cl',
     '0,yay,0u,0g,yay',
-    '500,losslesscut,500u,500g,losslesscut',
     '105,http,0u,0g,https',
     '106,geoclue,0u,0g,geoclue',
+    '115,geoclue,0u,0g,geoclue',
+    '120,fwupdmgr,0u,0g,fwupdmgr',
+    '128,fwupdmgr,0u,0g,fwupdmgr',
     '129,fwupdmgr,0u,0g,fwupdmgr',
     '42,http,0u,0g,https',
     '500,1password,0u,0g,1password',
-    '500,Brackets,0u,0g,Brackets',
-    '500,Discord,0u,0g,Discord',
-    '500,Discord,u,g,Discord',
-    '500,Keybase,0u,0g,Keybase',
-    '500,Logseq,u,g,Logseq',
-    '500,Melvor Idle,500u,500g,exe',
-    '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
-    '500,WPILibInstaller,500u,500g,WPILibInstaller',
-    '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
-    '500,___go_build_main_go,500u,500g,___go_build_mai',
     '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
     '500,act,0u,0g,act',
     '500,apk,500u,500g,apk',
-    '500,apk,u,g,apk',
-    '500,obsidian,0u,0g,obsidian',
     '500,apko,500u,500g,apko',
     '500,apko,u,g,apko',
-    '500,gcsfuse,500u,500g,gcsfuse',
+    '500,apk,u,g,apk',
     '500,aws,0u,0g,aws',
-    '500,skopeo,0u,0g,skopeo',
-    '500,syncthing,u,g,syncthing',
-    '0,python3.12,0u,0g,dnf',
     '500,aws,500u,500g,aws',
     '500,bash,0u,0g,bash',
     '500,beeper,u,g,beeper',
-    '115,geoclue,0u,0g,geoclue',
-    '120,fwupdmgr,0u,0g,fwupdmgr',
-    '500,Docker Desktop,0u,0g,Docker Desktop',
     '500,bom,500u,500g,bom',
     '500,bom-linux-amd64,500u,500g,bom-linux-amd64',
+    '500,Brackets,0u,0g,Brackets',
     '500,brave,0u,0g,brave',
-    '0,canonical-livepatchd,0u,0g,canonical-livep',
     '500,buildkitd,500u,500g,buildkitd',
     '500,buildkite-agent,500u,500g,buildkite-agent',
     '500,cargo,0u,0g,cargo',
     '500,cargo,500u,500g,cargo',
+    '500,cargo,u,g,cargo',
     '500,chainctl,0u,0g,chainctl',
     '500,chainctl,500u,100g,chainctl',
     '500,chainctl,500u,493g,chainctl',
     '500,chainctl,500u,500g,chainctl',
     '500,chainctl,500u,500g,docker-credenti',
     '500,chrome,0u,0g,chrome',
-    '500,chrome,u,g,chrome',
     '500,chrome_crashpad_handler,0u,0g,chrome_crashpad',
+    '500,chrome,u,g,chrome',
     '500,cilium,500u,123g,cilium',
     '500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
     '500,code,0u,0g,code',
@@ -177,23 +159,30 @@ WHERE
     '500,crane,0u,0g,crane',
     '500,crane,500u,500g,crane',
     '500,curl,0u,0g,curl',
+    '500,deno,500u,500g,deno',
+    '500,Discord,0u,0g,Discord',
+    '500,Discord,u,g,Discord',
     '500,docker,0u,0g,docker',
     '500,docker-buildx,0u,0g,docker-buildx',
+    '500,Docker Desktop,0u,0g,Docker Desktop',
     '500,eksctl,0u,0g,eksctl',
     '500,eksctl,500u,500g,eksctl',
     '500,electron,0u,0g,electron',
     '500,evolution-addressbook-factory,0u,0g,evolution-addre',
     '500,evolution-calendar-factory,0u,0g,evolution-calen',
     '500,evolution-source-registry,0u,0g,evolution-sourc',
+    '500,firefox,0u,0g,firefox',
     '500,firefox,0u,0g,.firefox-wrappe',
     '500,firefox,0u,0g,Socket Process',
-    '500,firefox,0u,0g,firefox',
     '500,firefox-bin,500u,500g,firefox-bin',
     '500,firefox-bin,u,g,firefox-bin',
     '500,flameshot,0u,0g,flameshot',
+    '500,flatpak,0u,0g,flatpak',
     '500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
     '500,flux,500u,500g,flux',
     '500,fulcio,500u,500g,fulcio',
+    '500,gcsfuse,500u,500g,gcsfuse',
+    '500,gdb,0u,0g,gdb',
     '500,geoclue,0u,0g,geoclue',
     '500,gh,0u,0g,gh',
     '500,git,0u,0g,git',
@@ -209,9 +198,10 @@ WHERE
     '500,gnome-software,0u,0g,gnome-software',
     '500,go,0u,0g,go',
     '500,go,500u,500g,go',
-    '500,go,u,g,go',
     '500,goa-daemon,0u,0g,goa-daemon',
+    '500,___go_build_main_go,500u,500g,___go_build_mai',
     '500,gobuster,500u,500g,gobuster',
+    '500,go,u,g,go',
     '500,grafana,u,g,grafana',
     '500,grype,0u,0g,grype',
     '500,grype,500u,500g,grype',
@@ -231,6 +221,7 @@ WHERE
     '500,k6,500u,500g,k6',
     '500,kbfsfuse,0u,0g,kbfsfuse',
     '500,keybase,0u,0g,keybase',
+    '500,Keybase,0u,0g,Keybase',
     '500,kioslave5,0u,0g,kioslave5',
     '500,ko,500u,500g,ko',
     '500,ko,u,g,ko',
@@ -240,26 +231,32 @@ WHERE
     '500,kubectl,500u,500g,kubectl',
     '500,lens,0u,0g,lens',
     '500,less,0u,0g,less',
+    '500,license-detector,500u,500g,license-detecto',
     '500,limactl,0u,0g,limactl',
+    '500,Logseq,u,g,Logseq',
+    '500,losslesscut,500u,500g,losslesscut',
     '500,mconvert,500u,500g,mconvert',
     '500,mediawriter,u,g,mediawriter',
     '500,melange,500u,500g,melange',
     '500,melange,u,g,melange',
+    '500,Melvor Idle,500u,500g,exe',
     '500,minikube,0u,0g,minikube',
     '500,nautilus,0u,0g,nautilus',
     '500,nerdctl,500u,500g,nerdctl',
     '500,nix,0u,0g,nix',
-    '500,node,0u,0g,.node2nix-wrapp',
     '500,node,0u,0g,node',
+    '500,node,0u,0g,.node2nix-wrapp',
     '500,node,0u,0g,npm install',
+    '500,node,500u,500g,npm run start',
     '500,node,u,g,node',
     '500,nuclei,500u,500g,nuclei',
     '500,obs,0u,0g,obs',
-    '500,obs,u,g,obs',
     '500,obs-browser-page,0u,0g,obs-browser-pag',
     '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
     '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
+    '500,obsidian,0u,0g,obsidian',
     '500,obsidian,u,g,obsidian',
+    '500,obs,u,g,obs',
     '500,op,0u,500g,op',
     '500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p',
     '500,pacman,0u,0g,pacman',
@@ -268,9 +265,7 @@ WHERE
     '500,pingsender,0u,0g,pingsender',
     '500,promoter,500u,500g,promoter',
     '500,publish-release,500u,500g,publish-release',
-    '500,python.test,500u,500g,python.test',
     '500,python3,0u,0g,python3',
-    '500,python3,500u,500g,python3',
     '500,python3.10,0u,0g,aws',
     '500,python3.10,0u,0g,python',
     '500,python3.10,0u,0g,python3',
@@ -279,13 +274,16 @@ WHERE
     '500,python3.11,0u,0g,gnome-abrt',
     '500,python3.11,0u,0g,protonvpn',
     '500,python3.11,0u,0g,prowler',
+    '500,python3,500u,500g,python3',
+    '500,python.test,500u,500g,python.test',
     '500,qemu-system-x86_64,0u,0g,qemu-system-x86',
     '500,reporter-ureport,0u,0g,reporter-urepor',
     '500,rpi-imager,0u,0g,rpi-imager',
     '500,rustup,0u,0g,rustup',
     '500,scoville,500u,500g,scoville',
     '500,signal-desktop,0u,0g,signal-desktop',
     '500,signal-desktop,u,g,signal-desktop',
+    '500,skopeo,0u,0g,skopeo',
     '500,slack,0u,0g,slack',
     '500,slack,u,g,slack',
     '500,slirp4netns,0u,0g,slirp4netns',
@@ -303,6 +301,7 @@ WHERE
     '500,step-cli,0u,0g,step',
     '500,stern,500u,500g,stern',
     '500,syncthing,0u,0g,syncthing',
+    '500,syncthing,u,g,syncthing',
     '500,synergy,0u,0g,synergy',
     '500,teams,0u,0g,teams',
     '500,terraform,0u,0g,terraform',
@@ -311,17 +310,19 @@ WHERE
     '500,thunderbird,0u,0g,thunderbird',
     '500,thunderbird,u,g,thunderbird',
     '500,tilt,500u,500g,tilt',
+    '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
     '500,todoist,0u,0g,todoist',
     '500,trivy,0u,0g,trivy',
     '500,trivy,500u,500g,trivy',
     '500,ubuntu-report,0u,0g,ubuntu-report',
+    '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '500,wget,0u,0g,wget',
     '500,wine64-preloader,500u,500g,DaveTheDiver.ex',
     '500,wine64-preloader,500u,500g,Root.exe',
     '500,wolfictl,500u,500g,wolfictl',
+    '500,WPILibInstaller,500u,500g,WPILibInstaller',
     '500,xmobar,0u,0g,xmobar',
     '500,yay,0u,0g,yay',
-    '0,packetbeat,0u,0g,packetbeat',
     '500,zdup,500u,500g,zdup',
     '500,zoom,0u,0g,zoom',
     '500,zoom.real,u,g,zoom.real'

detection/c2/unexpected-https-macos.sql

@@ -111,7 +111,9 @@ WHERE
     '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
     '500,bash,bash,,bash',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
+    '500,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
     '500,Fleet,~/Library/Caches/JetBrains/Fleet',
+    '500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
     '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
     '500,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
     '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
@@ -122,18 +124,18 @@ WHERE
     '500,krisp Helper,krisp Helper,Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2),ai.krisp.krispMac.helper',
     '500,krisp,krisp,Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2),ai.krisp.krispMac',
     '500,melange,melange,,a.out',
-    '500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
     '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
     '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
     '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
     '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
+    '500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
+    '500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
     '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
     '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
     '500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
     '500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
     '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
     '500,syncthing,syncthing,,syncthing',
-    '500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
     '500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
     '500,WebexHelper,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
     '500,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed'

detection/c2/unexpected-libcurl-user-linux.sql

@@ -67,9 +67,12 @@ WHERE
   p0.euid = 0
   AND pmm.path LIKE '%libcurl%'
   AND NOT exception_key IN (
+    '0,0,/var/run/ublue-update.lock,regular,0755',
+    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,rpm-ostreed.service,0755',
+    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,ublue-update.service,0755',
+    'dnf-automatic,/usr/bin/python3.12,0,system.slice,dnf-automatic-install.service,0755',
     'dnf-automatic,/usr/bin/python__VERSION__,0,system.slice,dnf-automatic-install.service,0755',
     'dnf,/usr/bin/python__VERSION__,0,system.slice,dnf-makecache.service,0755',
-    '0,0,/var/run/ublue-update.lock,regular,0755',
     'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
     'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
     'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
@@ -78,9 +81,9 @@ WHERE
     'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
     'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
     'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
+    'ostree,/usr/bin/ostree,0,system.slice,ostree-finalize-staged-hold.service,0755',
     'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
     'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
-    'dnf-automatic,/usr/bin/python3.12,0,system.slice,dnf-automatic-install.service,0755',
     'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
     'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
     'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',