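import "elf"

// Detects the "droplet" ELF object associated with the xz / liblzma
// incident (CVE-2024-3094) by its architecture, an unusually large section
// count, and two characteristic per-function section names.
rule ELF_Droplet_Object
{
    meta:
        description = "Droplet object used during xz / liblzma incident"
        reference   = "CVE-2024-3094"
        author      = "Matthias Weckbecker"

    condition:
        // x86-64 only; the object carries an unusually large number of
        // sections (bounds as chosen by the rule author).
        elf.machine == elf.EM_X86_64 and
        elf.number_of_sections > 100 and
        elf.number_of_sections <= 242 and
        // Either of the two function-specific sections must be present and
        // be a PROGBITS section (code/data rather than a symbol table,
        // relocation table or similar).
        for any s in (".text.crc64_resolve", ".text._get_cpuid") : (
            // YARA integer ranges are inclusive, so the last valid section
            // index is number_of_sections - 1. The original range ran to
            // number_of_sections itself, probing one entry past the table;
            // that entry is undefined and evaluated as false, so this fix
            // tightens correctness without changing matches.
            for any i in (0 .. elf.number_of_sections - 1) : (
                elf.sections[i].name == s and
                elf.sections[i].type == elf.SHT_PROGBITS
            )
        )
}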