From c30a4585353f2de0d1bd4df1e855c85dabbea1d4 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 15:51:35 +0700
Subject: [PATCH] Update web_cve_2021_26084_confluence_rce_exploit.yml

---
 .../web/web_cve_2021_26084_confluence_rce_exploit.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index 25cb014c3..17baa3e77 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -2,7 +2,7 @@ title: Atlassian Confluence RCE Exploit CVE-2021-26084
 id: 38825179-3c78-4fed-b222-2e2166b926b1
 description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
 status: experimental
-reference:
+references:
 - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
 - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
@@ -21,7 +21,14 @@ detection:
 - '/doenterpagevariables.action'
 - 'queryString='
 - 'u0027'
- condition: selection_exploit and keywords
+ selection_req:
+ cs-method: 'POST'
+ sc-status: '200'
+ c-uri|contains|all:
+ - '/doenterpagevariables.action'
+ keywords:
+ - 'u0027'
+ condition: selection_exploit or (selection_req and keywords)
 fields:
 - c-ip
 - c-uri
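Review bot: The new `selection_req` branch only matches when `sc-status` is `'200'`, so a POST to `/doenterpagevariables.action` carrying `u0027` that the server rejected, or that a WAF or patched instance answered with 302/400/500, is visible only through `selection_exploit`, which additionally needs `queryString=` in `c-uri` — blocked or failed attempts against the vulnerable endpoint can therefore miss this rule entirely. If the success-only filter is deliberate (lower noise, flag confirmed hits), a comment above `selection_req:` such as `# 200 only: matches requests the server accepted; failed probes fall through to selection_exploit` would record that trade-off, otherwise dropping `sc-status: '200'` widens coverage to attempts. `keywords:` is also introduced as a new mapping key under `detection:` while the removed condition already referenced `keywords`, so if a `keywords` block exists above this hunk (the preceding context list items may be its tail) this is a duplicate key that most YAML loaders silently resolve last-wins — confirm against the full file. The `detection:` mapping starts before this hunk.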