Merge pull request #447 from chainguard-dev/lorimor/SortAndRemoveDupes

Sort a bunch of lines and remove duplicates

detection/c2/unexpected-dns-traffic-events.sql

@@ -88,11 +88,10 @@ WHERE
     'ChatGPT,8.8.8.8,53',
     'Code Helper (Plugin),1.0.0.1,53',
     'com.docker.backend,8.8.8.8,53',
-    'com.docker.vpnkit,8.8.8.8,53',
     'com.docker.buil,35.190.88.7,53', -- licensing exfil via Bugsnag?
+    'com.docker.vpnkit,8.8.8.8,53',
     'coredns,0.0.0.0,53',
     'coredns,8.8.8.8,53',
-    'io.tailscale.ipn.macsys.network-extension,8.8.8.8,53',
     'Creative Cloud Content Manager.node,8.8.4.4,53',
     'Creative Cloud Content Manager.node,8.8.8.8,53',
     'distnoted,8.8.4.4,53',
@@ -102,19 +101,19 @@ WHERE
     'EpicWebHelper,8.8.8.8,53',
     'gvproxy,170.247.170.2,53',
     'helm,185.199.108.133,53',
+    'io.tailscale.ipn.macsys.network-extension,8.8.8.8,53',
     'limactl,8.8.8.8,53',
-    'Code Helper (Plugin),1.0.0.1,53',
     'Meeting Center,8.8.8.8,53',
     'msedge,8.8.4.4,53',
     'msedge,8.8.8.8,53',
     'node,149.22.90.225,5353',
     'nuclei,1.0.0.1,53',
-    'Pieces OS,8.8.4.4,53',
     'Pieces OS,208.67.222.222,53',
+    'Pieces OS,8.8.4.4,53',
     'plugin-container,8.8.8.8,53',
     'ServiceExtension,8.8.8.8,53',
-    'signal-desktop,8.8.8.8,53',
     'Signal Helper (Renderer),8.8.8.8,53',
+    'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',
     'snapd,185.125.188.54,53',
     'snapd,185.125.188.55,53',

detection/c2/unexpected-dns-traffic.sql

@@ -87,15 +87,15 @@ WHERE
   )
   -- Local DNS servers and custom clients go here
   AND p.path NOT IN (
-    '/Applications/Evernote.app/Contents/MacOS/Evernote',
     '/Applications/Evernote.app/Contents/Frameworks/Evernote Helper.app/Contents/MacOS/Evernote Helper',
+    '/Applications/Evernote.app/Contents/MacOS/Evernote',
     '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
     '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper',
     '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension',
     '/opt/podman/bin/gvproxy',
+    '/sbin/apk',
     '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking',
     '/usr/bin/tailscaled',
-    '/sbin/apk',
     '/usr/lib/systemd/systemd-resolved',
     '/usr/sbin/mDNSResponder'
   )

detection/c2/unexpected-https-linux.sql

@@ -61,6 +61,7 @@ WHERE
   AND p.path NOT LIKE '/usr/local/bin/%'
   AND p.path NOT LIKE '/opt/%'
   AND NOT exception_key IN (
+    '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '0,agentbeat,0u,0g,agentbeat',
     '0,apk,u,g,apk',
     '0,applydeltarpm,0u,0g,applydeltarpm',
@@ -78,8 +79,8 @@ WHERE
     '0,elastic-agent,u,g,elastic-agent',
     '0,elastic-endpoint,0u,0g,elastic-endpoin',
     '0,filebeat,0u,0g,filebeat',
-    '0,flatpak,0u,0g,flatpak',
     '0,flatpak-system-helper,0u,0g,flatpak-system-',
+    '0,flatpak,0u,0g,flatpak',
     '0,git-remote-http,0u,0g,git-remote-http',
     '0,go,0u,0g,go',
     '0,gtk4-update-icon-cache,0u,0g,gtk-update-icon',
@@ -93,8 +94,8 @@ WHERE
     '0,melange,500u,500g,melange',
     '0,metricbeat,0u,0g,metricbeat',
     '0,nessusd,0u,0g,nessusd',
-    '0,nix,0u,0g,nix',
     '0,nix,0u,0g,nix-daemon',
+    '0,nix,0u,0g,nix',
     '0,orbit,0u,0g,orbit',
     '0,osqueryd,0u,0g,osqueryd',
     '0,packagekitd,0u,0g,packagekitd',
@@ -107,7 +108,6 @@ WHERE
     '0,systemctl,0u,0g,systemctl',
     '0,tailscaled,0u,0g,tailscaled',
     '0,tailscaled,500u,500g,tailscaled',
-    '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '0,velociraptor,0u,0g,velociraptor_cl',
     '0,yay,0u,0g,yay',
     '105,http,0u,0g,https',
@@ -117,22 +117,23 @@ WHERE
     '128,fwupdmgr,0u,0g,fwupdmgr',
     '129,fwupdmgr,0u,0g,fwupdmgr',
     '42,http,0u,0g,https',
+    '500,___go_build_main_go,500u,500g,___go_build_mai',
     '500,1password,0u,0g,1password',
     '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
     '500,accountwizard,u,g,accountwizard',
     '500,act,0u,0g,act',
     '500,apk,500u,500g,apk',
+    '500,apk,u,g,apk',
     '500,apko,500u,500g,apko',
     '500,apko,u,g,apko',
-    '500,apk,u,g,apk',
     '500,armcord,u,g,armcord',
     '500,aws,0u,0g,aws',
     '500,aws,500u,500g,aws',
     '500,bash,0u,0g,bash',
     '500,beeper,u,g,beeper',
     '500,bitwarden,u,g,bitwarden',
-    '500,bom,500u,500g,bom',
     '500,bom-linux-amd64,500u,500g,bom-linux-amd64',
+    '500,bom,500u,500g,bom',
     '500,Brackets,0u,0g,Brackets',
     '500,brave,0u,0g,brave',
     '500,buildkitd,500u,500g,buildkitd',
@@ -145,15 +146,15 @@ WHERE
     '500,chainctl,500u,493g,chainctl',
     '500,chainctl,500u,500g,chainctl',
     '500,chainctl,500u,500g,docker-credenti',
-    '500,chrome,0u,0g,chrome',
     '500,chrome_crashpad_handler,0u,0g,chrome_crashpad',
+    '500,chrome,0u,0g,chrome',
     '500,chrome,u,g,chrome',
     '500,cilium,500u,123g,cilium',
     '500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
     '500,cockatrice,u,g,cockatrice',
+    '500,code-oss,u,g,code-oss',
     '500,code,0u,0g,code',
     '500,code,500u,500g,code',
-    '500,code-oss,u,g,code-oss',
     '500,code,u,g,code',
     '500,com.docker.backend,0u,0g,com.docker.back',
     '500,com.docker.build,0u,0g,com.docker.buil',
@@ -162,17 +163,17 @@ WHERE
     '500,copilot-agent-linux,500u,500g,copilot-agent-l',
     '500,copilot-language-server,500u,500g,copilot-languag',
     '500,copy-from-gs,500u,500g,copy-from-gs',
-    '500,cosign,500u,500g,cosign',
     '500,cosign-linux-amd64,0u,0g,cosign',
+    '500,cosign,500u,500g,cosign',
     '500,crane,0u,0g,crane',
     '500,crane,500u,500g,crane',
     '500,curl,0u,0g,curl',
     '500,deno,500u,500g,deno',
     '500,Discord,0u,0g,Discord',
     '500,Discord,u,g,Discord',
-    '500,docker,0u,0g,docker',
-    '500,docker-buildx,0u,0g,docker-buildx',
     '500,Docker Desktop,0u,0g,Docker Desktop',
+    '500,docker-buildx,0u,0g,docker-buildx',
+    '500,docker,0u,0g,docker',
     '500,drkonqi,0u,0g,drkonqi',
     '500,eksctl,0u,0g,eksctl',
     '500,eksctl,500u,500g,eksctl',
@@ -181,41 +182,40 @@ WHERE
     '500,evolution-calendar-factory,0u,0g,evolution-calen',
     '500,evolution-source-registry,0u,0g,evolution-sourc',
     '500,extension-manager,0u,0g,extension-manag',
-    '500,firefox,0u,0g,firefox',
-    '500,firefox,0u,0g,.firefox-wrappe',
-    '500,firefox,0u,0g,Socket Process',
     '500,firefox-bin,500u,500g,firefox-bin',
     '500,firefox-bin,u,g,firefox-bin',
+    '500,firefox,0u,0g,.firefox-wrappe',
+    '500,firefox,0u,0g,firefox',
+    '500,firefox,0u,0g,Socket Process',
     '500,flameshot,0u,0g,flameshot',
-    '500,flatpak,0u,0g,flatpak',
     '500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
+    '500,flatpak,0u,0g,flatpak',
     '500,flux,500u,500g,flux',
     '500,fulcio,500u,500g,fulcio',
     '500,gcsfuse,500u,500g,gcsfuse',
     '500,gdb,0u,0g,gdb',
     '500,geoclue,0u,0g,geoclue',
-    '500,gh,0u,0g,gh',
     '500,gh-dash,500u,500g,gh-dash',
-    '500,git,0u,0g,git',
-    '500,github-desktop,0u,0g,github-desktop',
+    '500,gh,0u,0g,gh',
     '500,git-remote-http,0u,0g,git-remote-http',
     '500,git-remote-http,u,g,git-remote-http',
+    '500,git,0u,0g,git',
+    '500,github-desktop,0u,0g,github-desktop',
+    '500,gitsign-credential-cache,500u,500g,gitsign-credent',
     '500,gitsign,0u,0g,gitsign',
     '500,gitsign,500u,0g,gitsign',
     '500,gitsign,500u,500g,gitsign',
-    '500,gitsign-credential-cache,500u,500g,gitsign-credent',
     '500,gitsign,u,g,gitsign',
     '500,gjs-console,0u,0g,org.gnome.Maps',
     '500,gnome-recipes,0u,0g,gnome-recipes',
     '500,gnome-shell,0u,0g,gnome-shell',
     '500,gnome-software,0u,0g,gnome-software',
     '500,go,0u,0g,go',
     '500,go,500u,500g,go',
+    '500,go,u,g,go',
     '500,goa-daemon,0u,0g,goa-daemon',
-    '500,___go_build_main_go,500u,500g,___go_build_mai',
     '500,gobuster,500u,500g,gobuster',
     '500,goland,500u,500g,goland',
-    '500,go,u,g,go',
     '500,grafana,u,g,grafana',
     '500,grype,0u,0g,grype',
     '500,grype,500u,500g,grype',
@@ -264,19 +264,19 @@ WHERE
     '500,nautilus,0u,0g,nautilus',
     '500,nerdctl,500u,500g,nerdctl',
     '500,nix,0u,0g,nix',
-    '500,node,0u,0g,node',
     '500,node,0u,0g,.node2nix-wrapp',
+    '500,node,0u,0g,node',
     '500,node,0u,0g,npm install',
     '500,node,500u,500g,npm run start',
     '500,node,u,g,node',
     '500,nuclei,500u,500g,nuclei',
-    '500,obs,0u,0g,obs',
     '500,obs-browser-page,0u,0g,obs-browser-pag',
     '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
     '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
+    '500,obs,0u,0g,obs',
+    '500,obs,u,g,obs',
     '500,obsidian,0u,0g,obsidian',
     '500,obsidian,u,g,obsidian',
-    '500,obs,u,g,obs',
     '500,op,0u,500g,op',
     '500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p',
     '500,pacman,0u,0g,pacman',
@@ -289,7 +289,9 @@ WHERE
     '500,promoter,500u,500g,promoter',
     '500,publish-release,500u,500g,publish-release',
     '500,pycharm,500u,500g,pycharm',
+    '500,python.test,500u,500g,python.test',
     '500,python3,0u,0g,python3',
+    '500,python3,500u,500g,python3',
     '500,python3.10,0u,0g,aws',
     '500,python3.10,0u,0g,python',
     '500,python3.10,0u,0g,python3',
@@ -300,8 +302,6 @@ WHERE
     '500,python3.11,0u,0g,prowler',
     '500,python3.11,u,g,pip',
     '500,python3.12,0u,0g,dnf',
-    '500,python3,500u,500g,python3',
-    '500,python.test,500u,500g,python.test',
     '500,qemu-system-x86_64,0u,0g,qemu-system-x86',
     '500,reporter-ureport,0u,0g,reporter-urepor',
     '500,rpi-imager,0u,0g,rpi-imager',
@@ -324,20 +324,20 @@ WHERE
     '500,steam,500u,500g,steam',
     '500,steamwebhelper,500u,100g,steamwebhelper',
     '500,steamwebhelper,500u,500g,steamwebhelper',
-    '500,step,500u,500g,step',
     '500,step-cli,0u,0g,step',
+    '500,step,500u,500g,step',
     '500,stern,500u,500g,stern',
     '500,syft,500u,500g,syft',
     '500,syncthing,0u,0g,syncthing',
     '500,syncthing,u,g,syncthing',
     '500,synergy,0u,0g,synergy',
     '500,teams,0u,0g,teams',
     '500,telegram-desktop,u,g,telegram-deskto',
+    '500,terraform-ls,500u,500g,terraform-ls',
     '500,terraform,0u,0g,terraform',
     '500,terraform,500u,500g,terraform',
-    '500,terraform-ls,500u,500g,terraform-ls',
-    '500,thunderbird,0u,0g,thunderbird',
     '500,thunderbird-bin,u,g,thunderbird-bin',
+    '500,thunderbird,0u,0g,thunderbird',
     '500,thunderbird,u,g,thunderbird',
     '500,tidal-hifi,u,g,tidal-hifi',
     '500,tilt,500u,500g,tilt',
@@ -350,8 +350,8 @@ WHERE
     '500,wget,0u,0g,wget',
     '500,wine64-preloader,500u,500g,DaveTheDiver.ex',
     '500,wine64-preloader,500u,500g,Root.exe',
-    '500,wolfictl,500u,500g,wolfictl',
     '500,wolfi-package-status,500u,500g,wolfi-package-s',
+    '500,wolfictl,500u,500g,wolfictl',
     '500,WPILibInstaller,500u,500g,WPILibInstaller',
     '500,writerside,500u,500g,writerside',
     '500,xmobar,0u,0g,xmobar',
@@ -361,27 +361,27 @@ WHERE
     '500,zoom,0u,0g,zoom',
     '500,zoom.real,u,g,zoom.real'
   ) -- Exceptions where we have to be more flexible for the process name
-  AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf'
   AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic'
-  AND NOT exception_key LIKE '0,python3.%,500u,500g,dnf-automatic'
+  AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf'
   AND NOT exception_key LIKE '0,python3.%,0u,0g,yum'
-  AND NOT exception_key LIKE '500,python3.%,0u,0g,update-manager'
+  AND NOT exception_key LIKE '0,python3.%,500u,500g,dnf-automatic'
   AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
   AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
   AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
-  AND NOT exception_key LIKE '500,python3%,u,g,pip'
   AND NOT exception_key LIKE '500,python3.%,0u,0g,pip'
-  AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
+  AND NOT exception_key LIKE '500,python3.%,0u,0g,update-manager'
+  AND NOT exception_key LIKE '500,python3%,u,g,pip'
   AND NOT exception_key LIKE '500,terraform_%,500u,500g,terraform'
+  AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
   AND NOT (
     exception_key LIKE '500,python3%,0u,0g,python%'
     AND (
       p.cmdline LIKE '%/gcloud.py %'
-      OR p.cmdline LIKE "%pip install%"
       OR p.cmdline LIKE "%pip download%"
+      OR p.cmdline LIKE "%pip install%"
       OR p.cwd LIKE "/home/%/dev/%"
-      OR p.cwd LIKE "/home/%/src/%"
       OR p.cwd LIKE "/home/%/github/%"
+      OR p.cwd LIKE "/home/%/src/%"
     )
   ) -- JetBrains
   AND NOT exception_key LIKE '500,___1go_build_%,500u,500g,___1go_build_%'