fix: change CVE-2024-3094 to match liblzma contain instead of endswith

Signed-off-by: Edgaras <[email protected]>
falcosecurity · May 14, 2024 · 29c41c4 · 29c41c4
1 parent 4f153f5
commit 29c41c4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -1280,7 +1280,7 @@
   condition: > 
     open_read and 
     proc.name=sshd and 
-    (fd.name endswith "liblzma.so.5.6.0" or fd.name endswith "liblzma.so.5.6.1")
+    (fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1")
   output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: WARNING
   tags: [maturity_incubating, host, container]