diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7e666add..a1851a2d 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2658,7 +2658,7 @@
 - rule: Raw packet created in container
   desc: Detect new raw packets at the device driver (OSI Layer 2) level in a container. raw packets could be used to do ARP Spoofing by attacker.
-  condition: consider_raw_packet_communication and evt.type=socket and evt.arg[0] in (AF_PACKET, PF_PACKET) and container and not proc.name in (user_known_raw_packet_binaries)
+  condition: consider_raw_packet_communication and evt.type=socket and evt.arg[0]=AF_PACKET and container and not proc.name in (user_known_raw_packet_binaries)
   output: Raw packet was created in a container (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, mitre_discovery]
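Review bot: The narrowed condition `evt.arg[0]=AF_PACKET` drops the `PF_PACKET` alternative with nothing in the rule explaining why, and a detection rule that quietly stops matching is worse than one that errors. On Linux PF_PACKET is the same numeric domain value as AF_PACKET, so the change is only equivalent if the driver always renders the socket domain argument as `AF_PACKET`; if any event source ever reports it as `PF_PACKET`, this rule simply never fires and no one is told. I would add a one-line comment above the condition, e.g. `# PF_PACKET is the same domain value as AF_PACKET and is reported as AF_PACKET, so a single comparison is sufficient`, so the next maintainer neither re-adds the alias nor wonders about a gap. It is also worth pairing this with a rule-regression test that exercises an AF_PACKET socket() call in a container against this rule, so a future change in how the domain argument is rendered shows up as a missed alert in CI rather than in production.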