检测规则
CVE-2024-3094-p.yara
import "elf"
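rule ELF_Droplet_Object {
    // Flags the x86-64 ELF object ("droplet") associated with the
    // CVE-2024-3094 xz / liblzma incident. Two independent signals are
    // accepted: a characteristic section layout, or one code byte sequence.
    meta:
        description = "Droplet object used during xz / liblzma incident"
        reference = "CVE-2024-3094"
        author = "Matthias Weckbecker"
    strings:
        // x86-64 code sequence; it begins with endbr64 (f3 0f 1e fa) and
        // push rbp (55), i.e. a function prologue. The remaining bytes are
        // matched verbatim, so a rebuilt or patched variant may not hit this
        // branch and would have to be caught by the section-layout branch.
        $1 = { f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 }
    condition:
        elf.machine == elf.EM_X86_64
        and
        (
            (
                // Section-layout branch: an unusually high section count
                // combined with one of the two named PROGBITS sections.
                elf.number_of_sections > 100 and elf.number_of_sections <= 242
                and
                // YARA ranges are inclusive, so the upper bound is
                // number_of_sections - 1; index number_of_sections is out of
                // range and only ever evaluates to undefined (never true).
                // The section count is already > 100 here, so the bound
                // cannot go negative.
                for any i in (0 .. elf.number_of_sections - 1): (
                    elf.sections[i].type == elf.SHT_PROGBITS
                    and (
                        elf.sections[i].name == ".text.crc64_resolve"
                        or elf.sections[i].name == ".text._get_cpuid"
                    )
                )
            )
            or
            // Byte-pattern branch: fires on any x86-64 ELF carrying $1,
            // regardless of section count.
            $1
        )
}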
CVE-2024-3094-p.yara
import "elf"
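rule ELF_Droplet_Object {
    // Flags the x86-64 ELF object ("droplet") associated with the
    // CVE-2024-3094 xz / liblzma incident. Two independent signals are
    // accepted: a characteristic section layout, or one code byte sequence.
    meta:
        description = "Droplet object used during xz / liblzma incident"
        reference = "CVE-2024-3094"
        author = "Matthias Weckbecker"
    strings:
        // x86-64 code sequence; it begins with endbr64 (f3 0f 1e fa) and
        // push rbp (55), i.e. a function prologue. The remaining bytes are
        // matched verbatim, so a rebuilt or patched variant may not hit this
        // branch and would have to be caught by the section-layout branch.
        $1 = { f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 }
    condition:
        elf.machine == elf.EM_X86_64
        and
        (
            (
                // Section-layout branch: an unusually high section count
                // combined with one of the two named PROGBITS sections.
                elf.number_of_sections > 100 and elf.number_of_sections <= 242
                and
                // YARA ranges are inclusive, so the upper bound is
                // number_of_sections - 1; index number_of_sections is out of
                // range and only ever evaluates to undefined (never true).
                // The section count is already > 100 here, so the bound
                // cannot go negative.
                for any i in (0 .. elf.number_of_sections - 1): (
                    elf.sections[i].type == elf.SHT_PROGBITS
                    and (
                        elf.sections[i].name == ".text.crc64_resolve"
                        or elf.sections[i].name == ".text._get_cpuid"
                    )
                )
            )
            or
            // Byte-pattern branch: fires on any x86-64 ELF carrying $1,
            // regardless of section count.
            $1
        )
}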