From 4cd99e71bf71c9dfd9d2cd3545602a7abdc88942 Mon Sep 17 00:00:00 2001
From: neu5ron <>
Date: Sat, 14 Mar 2020 15:02:06 -0400
Subject: [PATCH] use the taxonomy which states to use `c-uri` instead of `c-uri-path`
---
 rules/web/web_citrix_cve_2019_19781_exploit.yml | 4 ++--
 rules/web/web_cve_2018_2894_weblogic_exploit.yml | 3 ++-
 rules/web/web_pulsesecure_cve-2019-11510.yml | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/rules/web/web_citrix_cve_2019_19781_exploit.yml b/rules/web/web_citrix_cve_2019_19781_exploit.yml
index 8f4cc5d0d..0c814d105 100644
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@@ -10,13 +10,13 @@ references:
 author: Arnim Rupp, Florian Roth
 status: experimental
 date: 2020/01/02
-modified: 2020/01/15
+modified: 2020/03/14
 logsource:
 category: webserver
 description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
 selection:
- c-uri-path:
+ c-uri:
 - '*/../vpns/*'
 - '*/vpns/cfg/smb.conf'
 - '*/vpns/portal/scripts/*.pl*'
diff --git a/rules/web/web_cve_2018_2894_weblogic_exploit.yml b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
index cad3f2972..5bc8b193e 100644
--- a/rules/web/web_cve_2018_2894_weblogic_exploit.yml
+++ b/rules/web/web_cve_2018_2894_weblogic_exploit.yml
@@ -3,6 +3,7 @@ id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
 description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
 author: Florian Roth
 date: 2018/07/22
+modified: 2020/03/14
 status: experimental
 references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
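Review bot: Renaming the selection key to `c-uri` in rules/web/web_citrix_cve_2019_19781_exploit.yml (and in the same way in the WebLogic and Pulse Secure rules later in this patch) makes detection depend on every backend mapping in use knowing `c-uri` for the `webserver` category. A deployment whose mapping only translated `c-uri-path` would presumably query a field that does not exist and stop alerting without raising any error. The mapping configs are not part of this patch, so this is worth confirming by converting each rule with the configs in use and replaying a known-matching log line. I would also add a comment above the key, for example `# c-uri: request URI as logged; confirm the backend maps this field and whether it includes the query string`, because patterns such as `'*/vpns/portal/scripts/*.pl*'` now match wherever that text occurs in the field.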
@@ -12,7 +13,7 @@ logsource:
 category: webserver
 detection:
 selection:
- c-uri-path:
+ c-uri:
 - '*/config/keystore/*.js*'
 condition: selection
 fields:
diff --git a/rules/web/web_pulsesecure_cve-2019-11510.yml b/rules/web/web_pulsesecure_cve-2019-11510.yml
index b01247163..ac5073613 100644
--- a/rules/web/web_pulsesecure_cve-2019-11510.yml
+++ b/rules/web/web_pulsesecure_cve-2019-11510.yml
@@ -5,11 +5,12 @@ references:
 - https://www.exploit-db.com/exploits/47297
 author: Florian Roth
 date: 2019/11/18
+modified: 2020/03/14
 logsource:
 category: webserver
 detection:
 selection:
- c-uri-path: '*?/dana/html5acc/guacamole/*'
+ c-uri: '*?/dana/html5acc/guacamole/*'
 condition: selection
 fields:
 - client_ip
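Review bot: The `?` in `c-uri: '*?/dana/html5acc/guacamole/*'` in rules/web/web_pulsesecure_cve-2019-11510.yml is, as far as I understand Sigma's wildcard syntax, a single-character wildcard rather than the literal query separator. The selection therefore matches any character in front of `/dana/html5acc/guacamole/`, which is broader than the request the rule is meant to describe and may raise false positives. If the literal separator is intended now that the field is the full URI, escape it: `c-uri: '*\?/dana/html5acc/guacamole/*'`. Whether `c-uri` carries the query string at all depends on the log source mapping, which this patch does not show, so the escaped form should be tested against a real log line before it replaces the current pattern.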