From a9f22696d8cbfcb5770fbc4f384d733d8d9ee2b0 Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Thu, 18 Aug 2022 12:27:58 -0400
Subject: [PATCH] Update web_cve_2022_27925_exploit.yml

consolidated selection logic and stripped "cs-cookie: 'ZM_AUTH_TOKEN'", as it is most likely not logged
---
 rules/web/web_cve_2022_27925_exploit.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/rules/web/web_cve_2022_27925_exploit.yml b/rules/web/web_cve_2022_27925_exploit.yml
index 71f031bfa..fd0030e5a 100644
--- a/rules/web/web_cve_2022_27925_exploit.yml
+++ b/rules/web/web_cve_2022_27925_exploit.yml
@@ -17,15 +17,12 @@ logsource:
 detection:
     selection_servlet:
         cs-method: 'POST'
-        c-uri|contains: '/service/extension/backup/mboximport?'
-    selection_uri:
+        c-uri|contains: '/service/extension/backup/mboximport\?'
         c-uri|contains|all:
             - 'account-name'
             - 'ow'
             - 'no-switch'
             - 'append'
-        cs-cookie: 'ZM_AUTH_TOKEN'
-    selection_status:
         sc-status:
             - '401'
             - '200'
@@ -33,7 +30,7 @@ detection:
         cs-uri|contains: '/zimbraAdmin/'
         cs-uri|endswith: '.jsp'
         cs-status|contains: '200'
-    condition: all of selection* or selection_shell
+    condition: all of selection_servlet or selection_shell
 falsepositives:
     - Unknown
 level: medium
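Review bot: The added `c-uri|contains` line keeps selection_servlet on the `c-uri`/`sc-status` field names while selection_shell in the next hunk uses `cs-uri`/`cs-status`, so under any single field mapping only one of the two selections can ever match and the `or` in the condition is effectively dead on one side. Since this commit is already folding the URI and status criteria into selection_servlet, it is the right place to pick one naming scheme and apply it to both selections (on W3C/IIS-style logs the conventional names are `cs-uri-stem`/`cs-uri-query` and `sc-status`, but whichever the logsource mapping provides is what matters). Separately, the `'ow'` entry in `c-uri|contains|all` is a two-character substring that adds no selectivity on its own; `'ow='` pins the query-parameter name the other three entries are modelled on.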
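Review bot: On the new condition line, `all of selection_servlet` quantifies over a single, non-wildcard identifier, so it is just a roundabout way of naming that selection and hints at a `selection*` group that no longer exists after the consolidation; the idiomatic form is `condition: selection_servlet or selection_shell`. The `detection:` mapping this hunk edits begins before the hunk, so the full set of selections is not visible here.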