From ea4b844c8ec1c45d445331489d486ebb67e379a2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 6 Jan 2023 17:28:29 +0100
Subject: [PATCH] fix: broken selections
---
 rules/linux/builtin/lnx_susp_dev_tcp.yml | 2 +-
 .../msexchange/win_exchange_proxylogon_oabvirtualdir.yml | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml
index fc6257f2e..324126620 100644
--- a/rules/linux/builtin/lnx_susp_dev_tcp.yml
+++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -25,7 +25,7 @@ detection:
 - '(sh)0>/dev/tcp/'
 - 'bash -c ''bash -i >& /dev/tcp/'
 - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
- condition: 1 of keywords
+ condition: keywords
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index 2a95fa9fc..68b7cb97b 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -14,14 +14,15 @@ logsource:
 product: windows
 service: msexchange-management
 detection:
- keywords:
+ keywords_cmdlet:
 - 'OabVirtualDirectory'
 - ' -ExternalUrl '
+ keywords_params:
 - 'eval(request'
 - 'http://f/
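Review bot: The new `condition: keywords` is a bare reference to a keyword list (plain strings, no field), which Sigma evaluates as an OR over the listed strings, so detection coverage is the same as the removed `1 of keywords`; nothing in the hunk or the commit message records that, and a one-line comment would spare the next reader the re-derivation, e.g. `# keyword lists are OR-ed by default; "1 of" is the quantifier form for selection-name patterns, not a single name` (that rationale is my inference, confirm against the Sigma spec your linter enforces). The visible items only cover `/dev/tcp/`; bash exposes `/dev/udp/` with the same redirection syntax, so if the part of the `keywords` list above the hunk carries no `/dev/udp/` variants the rule misses an equivalent reverse shell. The `keywords` list starts outside the hunk, so I cannot see the full set. Keyword rules are substring matches over the whole event, so any log source that echoes scripts or documentation containing these one-liners will fire, and `falsepositives: - Unknown` understates that for tuning purposes.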