From f768bf3d6182086363ec22822f38867d0bd5ca45 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Wed, 2 Aug 2017 22:49:15 +0200
Subject: [PATCH] Fixed parse errors

---
 rules/linux/lnx_shellshock.yml | 3 ++-
 rules/windows/builtin/win_susp_dhcp_config.yml | 6 ++++--
 rules/windows/builtin/win_susp_sam_dump.yml | 3 ++-
 rules/windows/powershell/powershell_prompt_credentials.yml | 3 ++-
 .../windows/sysmon/sysmon_susp_powershell_parent_combo.yml | 2 +-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index fd6ba35f8..f1fe1fa2f 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
@@ -4,7 +4,8 @@ reference: http://rubular.com/r/zxBfjWfFYs
 logsource:
 product: linux
 detection:
- expression: /\(\)\s*\t*\{.*;\s*\}\s*;/
+ expression:
+ - /\(\)\s*\t*\{.*;\s*\}\s*;/
 condition: expression
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/win_susp_dhcp_config.yml
index 7e2afe788..72e1e9e62 100644
--- a/rules/windows/builtin/win_susp_dhcp_config.yml
+++ b/rules/windows/builtin/win_susp_dhcp_config.yml
@@ -11,8 +11,10 @@ logsource:
 product: windows
 service: system
 detection:
- EventLog: System
- EventID: 1033
+ selection:
+ EventLog: System
+ EventID: 1033
+ condition: selection
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 2bd3d0791..f63470c8c 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -9,7 +9,8 @@ logsource:
 detection:
 selection:
 EventID: 16
- keywords: '*\AppData\Local\Temp\SAM-*.dmp *'
+ keywords:
+ - '*\AppData\Local\Temp\SAM-*.dmp *'
 condition: selection and keywords
 falsepositives:
 - Penetration testing
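Review bot: The regex moved into the new list entry still carries `\t*` immediately after `\s*`, which is redundant because `\s` already matches tabs, and it is left as an unquoted plain scalar that depends on YAML not treating the embedded `{`, `}` and `;` specially in block context; quoting it removes that dependency: `- '/\(\)\s*\{.*;\s*\}\s*;/'`. The greedy `.*` between the brace and the first `;` will span arbitrary text on the line, which is presumably intended to catch padded payload variants but deserves a one-line comment so nobody "tightens" it later. The rule gives no hint which Shellshock variants the pattern is meant to cover beyond the rubular link in the hunk header; stating that in the description would help tuning.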
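Review bot: The new `selection` effectively matches on `EventID: 1033` alone, since `EventLog: System` only restates what `logsource: service: system` already constrains, and Windows event IDs are unique per provider rather than per log, so any other System-log source that emits ID 1033 will fire this `level: critical` rule. Scope the selection to the DHCP server event provider as well (a provider/source field in the selection alongside `EventID`), so the match is tied to the service the rule is about. A short comment above the selection stating what event 1033 signifies would also help, because nothing in the visible rule body explains it.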
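Review bot: The keyword `'*\AppData\Local\Temp\SAM-*.dmp *'` only fires when the dump is written to a user's local Temp directory with a `SAM-` prefix and is followed by a space in the event text, so an attacker who picks any other output path or name goes undetected, and a path that ends the message will not match at all because of the trailing ` *`. Now that `keywords` is a list, adding a broader entry such as `- '*\SAM-*.dmp*'` is cheap, and the description should state that the default pattern appears to target one specific tool's naming convention (inferred from the path shape; the rule itself does not say). The `falsepositives: - Penetration testing` entry hints at that tool; naming it would make the coverage limits explicit.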
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 2e7a67629..4930e515c 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -12,7 +12,8 @@ logsource:
 detection:
 selection:
 EventID: 4104
- keyword: 'PromptForCredential'
+ keyword:
+ - 'PromptForCredential'
 condition: selection and keyword
 falsepositives:
 - Unknown
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
index ca555af4e..13fa6bebe 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
@@ -14,7 +14,7 @@ detection:
 - '*\cscript.exe'
 Image:
 - '*\powershell.exe'
- falsepositives:
+ falsepositive:
 CurrentDirectory: '*\Health Service State\*'
 condition: selection and not falsepositive
 falsepositives:
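Review bot: The keyword `'PromptForCredential'` is a bare substring with no wildcards and no case variants, yet PowerShell is case-insensitive, so a script that writes `$host.ui.promptforcredential(...)` behaves identically and evades this rule on any backend whose keyword search is case-sensitive. Either document that the target backends are expected to match keywords case-insensitively, or add the lower-case spelling as a second entry, which the new list form makes trivial: `- 'promptforcredential'`. The rule keeps `falsepositives: - Unknown`, but legitimate administrative scripts call this API too, so that expected source of benign hits is worth stating.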
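Review bot: Renaming the exclusion to `falsepositive` makes `condition: selection and not falsepositive` resolve, but the exclusion itself keys on `CurrentDirectory: '*\Health Service State\*'`, a value the launching process chooses, so an attacker can start the cscript-spawned PowerShell from any directory with that trailing name and be whitelisted. Tie the exclusion to something harder to forge, for example by also requiring the expected parent image path of the monitoring agent, or by anchoring the pattern on the agent's full installation path instead of a bare folder name. The `selection` this filters begins above the hunk, so only part of the parent-image list is visible here.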