From 5ef64e4e99ca0dd6b14ed3aca7286e848aca0720 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 13 Jan 2020 20:13:32 +0100
Subject: [PATCH] rule: changes at Shitrix rule
---
 rules/web/web_citrix_cve_2019_19781_exploit.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/web/web_citrix_cve_2019_19781_exploit.yml b/rules/web/web_citrix_cve_2019_19781_exploit.yml
index 25e8a9c26..2d63d3fe6 100644
--- a/rules/web/web_citrix_cve_2019_19781_exploit.yml
+++ b/rules/web/web_citrix_cve_2019_19781_exploit.yml
@@ -5,10 +5,11 @@ references:
 - https://support.citrix.com/article/CTX267679
 - https://support.citrix.com/article/CTX267027
 - https://isc.sans.edu/diary/25686
+ - https://twitter.com/mpgn_x64/status/1216787131210829826
 author: Arnim Rupp, Florian Roth
 status: experimental
 date: 2020/01/02
-modified: 2020/01/11
+modified: 2020/01/13
 logsource:
 category: webserver
 description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)'
@@ -18,6 +19,8 @@ detection:
 - '*/../vpns/*'
 - '*/vpns/cfg/smb.conf'
 - '*/vpns/portal/scripts/newbm.pl*'
+ - '*/vpns/portal/scripts/rmbm.pl*'
+ - '*/vpns/portal/scripts/picktheme.pl*'
 condition: selection
 fields:
 - client_ip
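Review bot: The two patterns added in the `detection` hunk, `'*/vpns/portal/scripts/rmbm.pl*'` and `'*/vpns/portal/scripts/picktheme.pl*'`, match on the script path alone, like the existing `newbm.pl` entry, and unlike `'*/../vpns/*'` they do not require the traversal marker. With `condition: selection`, any logged request to those scripts raises the alert, which may include ordinary portal traffic if the appliance logs it. The rule's `falsepositives` and `level` fields, and the field name the selection list is bound to, are outside the hunk, so I cannot tell whether this is already documented. If it is not, I would add a `falsepositives` entry naming legitimate portal requests to these scripts, so an analyst knows what to rule out first. A short comment above the three script entries, e.g. `# script paths named in the referenced advisories; matched with or without /../`, would also record why they sit next to the traversal pattern.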