From 29c41c4eed4bbc51aaf5be0f3ea332a66ef54e31 Mon Sep 17 00:00:00 2001
From: Edgaras
Date: Mon, 13 May 2024 09:11:44 +0300
Subject: [PATCH] fix: change CVE-2024-3094 to match liblzma contain instead of endswith

Signed-off-by: Edgaras
---
 rules/falco-incubating_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 8653d42a..4aeabe8c 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1280,7 +1280,7 @@ condition: >
 open_read and proc.name=sshd and
-(fd.name endswith "liblzma.so.5.6.0" or fd.name endswith "liblzma.so.5.6.1")
+(fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1")
 output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
 priority: WARNING
 tags: [maturity_incubating, host, container]