diff --git a/rules/linux/process_creation/clear_syslog.yml b/rules/linux/process_creation/clear_syslog.yml
index 6365f46a3..44c782049 100644
--- a/rules/linux/process_creation/clear_syslog.yml
+++ b/rules/linux/process_creation/clear_syslog.yml
@@ -15,13 +15,13 @@ logsource:
 detection:
 selection:
 CommandLine|contains:
- - 'rm /var/log/syslog'
- - 'rm -r /var/log/syslog'
- - 'rm -f /var/log/syslog'
- - 'rm -rf /var/log/syslog'
- - 'mv /var/log/syslog'
- - ' >/var/log/syslog'
- - ' > /var/log/syslog'
+ - 'rm /var/log/syslog'
+ - 'rm -r /var/log/syslog'
+ - 'rm -f /var/log/syslog'
+ - 'rm -rf /var/log/syslog'
+ - 'mv /var/log/syslog'
+ - ' >/var/log/syslog'
+ - ' > /var/log/syslog'
 condition: selection
 falsepositives:
 - Log rotation.
diff --git a/rules/linux/process_creation/clipboard_collection.yml b/rules/linux/process_creation/clipboard_collection.yml
index a2d26ff39..f46c302f5 100644
--- a/rules/linux/process_creation/clipboard_collection.yml
+++ b/rules/linux/process_creation/clipboard_collection.yml
@@ -17,12 +17,12 @@ detection:
 Image|contains: 'xclip'
 selection2:
 CommandLine|contains:
- - '-selection'
- - '-sel'
+ - '-selection'
+ - '-sel'
 selection3:
 CommandLine|contains:
- - 'clipboard'
- - 'clip'
+ - 'clipboard'
+ - 'clip'
 selection4:
 CommandLine|contains: '-o'
 condition: selection1 and selection2 and selection3 and selection4
diff --git a/rules/linux/process_creation/dd_file_overwrite.yml b/rules/linux/process_creation/dd_file_overwrite.yml
index 368086735..1d6e3ee17 100644
--- a/rules/linux/process_creation/dd_file_overwrite.yml
+++ b/rules/linux/process_creation/dd_file_overwrite.yml
@@ -19,8 +19,8 @@ detection:
 CommandLine|contains: 'of='
 selection3:
 CommandLine|contains:
- - 'if=/dev/zero'
- - 'if=/dev/null'
+ - 'if=/dev/zero'
+ - 'if=/dev/null'
 condition: selection1 and selection2 and selection3
 falsepositives:
 - Any user deleting files that way.