From 376d0414d8cc05eecd629e2481a2a5ec04056ecb Mon Sep 17 00:00:00 2001
From: Sherif Eldeeb
Date: Sun, 28 Jan 2018 16:16:00 +0300
Subject: [PATCH] Condition is a `str`, not a `list`

To be consistent with schema and all the other rules:
- `condition` should be a `str`
- if an `or` condition needs to be applied, use parentheses and literal `or` instead of a `list`
---
 rules/network/net_susp_network_scan.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml
index c0de5d6fa..64eaa8621 100644
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@@ -7,9 +7,7 @@ detection:
 selection:
 action: denied
 timeframe: 24h
- condition:
- - selection | count(dst_port) by src_ip > 10
- - selection | count(dst_ip) by src_ip > 10
+ condition: ( selection | count(dst_port) by src_ip > 10 ) or ( selection | count(dst_ip) by src_ip > 10 )
 fields:
 - src_ip
 - dst_ip
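Review bot: The new single-string condition places an aggregation (`| count(...) by src_ip > 10`) inside parentheses on each side of an `or`, which, as I read the Sigma condition grammar, backends are not expected to parse: the aggregation expression must follow the complete search expression as its last element and a condition carries at most one of them, whereas a list of conditions is the documented way to have one rule emit several queries. Unless the target backends are known to accept piped expressions inside parentheses, keep the list form or split the detection into two rules, one per counted field, e.g. `condition: selection | count(dst_port) by src_ip > 10` in one file and `condition: selection | count(dst_ip) by src_ip > 10` in the other. Either way the rule should be run through the converter before merging, since a rule that fails to convert silently removes the detection from the deployed set. The `detection:` key enclosing this mapping lies outside the hunk.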