Merge branch 'master' into travis-test

rules/linux/lnx_shellshock.yml

@@ -4,7 +4,8 @@ reference: http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:
-    expression: /\(\)\s*\t*\{.*;\s*\}\s*;/ 
+    expression:
+        - /\(\)\s*\t*\{.*;\s*\}\s*;/
     condition: expression
 falsepositives:
     - Unknown

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -11,8 +11,10 @@ logsource:
     product: windows
     service: system
 detection:
-    EventLog: System
-    EventID: 1033
+    selection:
+        EventLog: System
+        EventID: 1033
+    condition: selection
 falsepositives: 
     - Unknown
 level: critical

rules/windows/builtin/win_susp_sam_dump.yml

@@ -9,7 +9,8 @@ logsource:
 detection:
     selection:
         EventID: 16
-    keywords: '*\AppData\Local\Temp\SAM-*.dmp *'    
+    keywords:
+        - '*\AppData\Local\Temp\SAM-*.dmp *'
     condition: selection and keywords
 falsepositives: 
     - Penetration testing

rules/windows/powershell/powershell_prompt_credentials.yml

@@ -12,7 +12,8 @@ logsource:
 detection:
     selection:
         EventID: 4104
-    keyword: 'PromptForCredential'
+    keyword:
+        - 'PromptForCredential'
     condition: selection and keyword
 falsepositives:
     - Unknown

rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml

@@ -14,7 +14,7 @@ detection:
             - '*\cscript.exe'
         Image:
             - '*\powershell.exe'
-    falsepositives:
+    falsepositive:
         CurrentDirectory: '*\Health Service State\*'
     condition: selection and not falsepositive
 falsepositives: