falco: double quote in rule's condition is not working as expected

Describe the bug

We use Falco custom rules defined in the Cloud Native Security Hub. For example, we noticed that there is a rule defined for CVE-2019-5736 that contains a list of binary names to bypass Falco rules, like the following:

`items: [dockerd, containerd-shim, "runc:[1:CHILD]"]`

These are the `proc.name` values.

We’ve fixed it by adding an and condition to the rule.

`and proc.name=runc\:\[1\:CHILD\]`

When a `proc.name` requires escaping of special characters such as `"`, Falco couldn't apply the rule against it and triggers the rule when it shouldn't.

How to reproduce it

Apply the rule I mentioned above and see that it triggers an alert based on that rule even though the `proc.name` field equals "runc:[1:CHILD]".

Expected behaviour

It should not trigger an alert

Screenshots

`falco-d2lgx falco {"priority":"Critical","rule":"Modify container entrypoint (CVE-2019-5736)","source":"syscall","tags":[],"time":"2022-01-19T10:51:15.706952699Z", "output_fields": {"container.id":"3ae6b31f8538","evt.time":1642589475706952699,"fd.name":"/proc/self/fd/5","k8s.ns.name":null,"k8s.pod.name":null,"proc.exeline":"runc init","proc.name":"runc:[1:CHILD]"}}`

Environment

  • Falco version: 0.30.0
  • Falco Chart version: 1.16.3
  • System info:
  • Cloud provider or hardware configuration:
  • OS:
  • Kernel:
  • Installation method: Kubernetes

Additional context
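As an added example (not part of the issue or of Falco itself), a small Python check that scans Falco JSON alert lines, such as the one in the screenshot above, and flags alerts whose `proc.name` is in the rule's own allow-list; it assumes the allow-list is exactly the `items:` list quoted above and that alerts are matched by the rule name shown in the screenshot.

```python
import json

# Constructed copy of the alert line quoted in this issue
# (kubectl log prefix followed by Falco's JSON output).
SAMPLE_ALERT = (
    'falco-d2lgx falco {"priority":"Critical",'
    '"rule":"Modify container entrypoint (CVE-2019-5736)",'
    '"source":"syscall","tags":[],"time":"2022-01-19T10:51:15.706952699Z", '
    '"output_fields": {"container.id":"3ae6b31f8538","evt.time":1642589475706952699,'
    '"fd.name":"/proc/self/fd/5","k8s.ns.name":null,"k8s.pod.name":null,'
    '"proc.exeline":"runc init","proc.name":"runc:[1:CHILD]"}}'
)

# Process names the rule's list is meant to exclude (from the `items:` line above);
# an alert for any of these contradicts the rule's intent.
ALLOWED_PROC_NAMES = {"dockerd", "containerd-shim", "runc:[1:CHILD]"}
RULE_NAME = "Modify container entrypoint (CVE-2019-5736)"


def parse_alert(line):
    """Return the Falco JSON object embedded in a log line, or None if none is found."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def is_false_positive(alert, allowed=ALLOWED_PROC_NAMES, rule=RULE_NAME):
    """True when this alert fired for a process the rule's allow-list should have excluded."""
    if alert is None or alert.get("rule") != rule:
        return False
    fields = alert.get("output_fields") or {}
    # Exact comparison, as Falco's `in` operator does; no quoting or escaping involved here.
    return fields.get("proc.name") in allowed


def scan(lines, allowed=ALLOWED_PROC_NAMES, rule=RULE_NAME):
    """Return (proc.name, rule) for every alert line that contradicts the allow-list."""
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if is_false_positive(alert, allowed, rule):
            hits.append((alert["output_fields"]["proc.name"], alert["rule"]))
    return hits
```

Running `scan` over a Falco log stream gives a quick regression check for this bug: any hit means the list-based exclusion was not honoured.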

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 22 (13 by maintainers)

Most upvoted comments

/remove-milestone 0.32.0

/milestone 0.33.0

I fully acknowledge that string escaping is an issue in the Rule Engine. In Falco 0.32, we had many structural refactorings in it, but we aimed to not introduce any breaking changes due to the limited time window. Fixing this is in the roadmap but would mean breaking many existing rulesets, which in turn would mean providing migration guidelines/tools. I personally aim for this for Falco 0.33! In the meantime, Falco 0.32 fixes many other bugs in the Falco Engine and the rule loader 👉🏼 https://github.com/falcosecurity/falco/pull/1966