From 7227ed0721a6524d89d5545026cecff86a415fd6 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Wed, 21 Oct 2020 18:25:22 +0300
Subject: [PATCH] fix rule logic

---
 rules/linux/macos_binary_padding.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml
index 47669fd9..b4c676db 100644
--- a/rules/linux/macos_binary_padding.yml
+++ b/rules/linux/macos_binary_padding.yml
@@ -13,15 +13,17 @@ logsource:
     category: process_creation
 detection:
     selection1:
-        CommandLine|contains|all:
-            - 'truncate'
+        ProcessName|endswith:
+            - '/truncate'
+        CommandLine|contains:
             - '-s'
     selection2:
-        CommandLine|contains|all:
-            - 'dd'
+        ProcessName|endswith:
+            - '/dd'
+        CommandLine|contains:
             - 'if='
     filter:
-        keywords|contains: 'of='
+        CommandLine|contains: 'of='
     condition: selection1 or (selection2 and not filter)
 falsepositives:
     - 'Legitimate script work'
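Review bot: The new filter (`CommandLine|contains: 'of='`) suppresses every dd command line that names an output file, so a pad written straight to the target through `of=` never alerts; only the `dd if=...` form that relies on shell redirection survives `selection2 and not filter`. If that narrowing is intended, the rule's description (outside this hunk) should say so, e.g. `description: Detects binary padding via truncate -s, or via dd if= whose output goes through shell redirection; dd with an explicit of= target is filtered out as routine usage`. The move to `ProcessName|endswith` is only correct if the linux process_creation field mapping exposes `ProcessName` rather than `Image`; that cannot be confirmed from the hunk, so it is worth checking against the backend config before merging. The title, description and tags of the rule lie outside this hunk.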