diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
index 31879c528..70cae6654 100644
--- a/rules/linux/auditd/lnx_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
@@ -23,7 +23,7 @@ detection:
 a0: 'tshark'
 a1: '-c'
 a3: '-i'
- condition: 1 of them
+ condition: selection1 or selection2
 falsepositives:
 - Admin activity
 level: low
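Review bot: The new `condition: selection1 or selection2` is only equivalent to the removed `1 of them` if the detection block contains exactly those two selections, and selection1 sits above the hunk, so that cannot be confirmed from what is shown. If any other selection exists, or one is added later, it silently stops contributing to the match, whereas `1 of them` covered every selection automatically. Naming the selections explicitly is the clearer, more reviewable form, so I would keep it but document the intent above the line, e.g. `# explicit OR over every sniffing-tool selection; update this line when a selection is added`. The detection mapping begins outside the hunk.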