From 0c6db48ceb5b02893900437f1042064e3b48b2d2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 19 Aug 2021 08:27:15 +0200
Subject: [PATCH] Update web_fortinet_cve_2021_22123_exploit.yml

---
 .../web/web_fortinet_cve_2021_22123_exploit.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/rules/web/web_fortinet_cve_2021_22123_exploit.yml b/rules/web/web_fortinet_cve_2021_22123_exploit.yml
index 42615b9d..f50aa501 100644
--- a/rules/web/web_fortinet_cve_2021_22123_exploit.yml
+++ b/rules/web/web_fortinet_cve_2021_22123_exploit.yml
@@ -1,10 +1,11 @@
 title: Fortinet CVE-2021-22123 Exploitation
 description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
 id: f425637f-891c-4191-a6c4-3bb1b70513b4
+status: experimental
 references:
     - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
-author: Bhabesh Raj
-date: 2021/08/18
+author: Bhabesh Raj, Florian Roth
+date: 2021/08/19
 tags:
     - attack.initial_access
     - attack.t1190
@@ -16,11 +17,12 @@ detection:
             - '/api/v2.0/user/remoteserver.saml'
         cs-method:
             - POST
-        content-type|startswith:
-            - 'multipart/form-data;'
-        content-disposition|contains:
-            - '`'
-    condition: selection
+    filter1:
+        cs-referer|contains: '/root/user/remote-user/saml-user/'
+    filter2:
+        cs-referer:
+            - null
+    condition: selection and not filter1 and not filter2
 fields:
     - client_ip
     - url
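Review bot: The first hunk overwrites `date: 2021/08/18` with `date: 2021/08/19`, which discards the rule's creation date instead of recording the revision; Sigma rules keep `date` as the creation date and track later edits in a separate `modified` field. I would keep `date: 2021/08/18` and add `modified: 2021/08/19` below it, which also makes the newly added `status: experimental` line easier to reason about when the rule is later promoted.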
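Review bot: The new `filter1`/`filter2` exclusions in the second hunk make detection depend entirely on the Referer header, which the client controls, so an attacker who sends `Referer: .../root/user/remote-user/saml-user/` with the malicious POST is excluded by `filter1` and never alerted. Worse, if `null` here carries Sigma's usual meaning of "field absent", `filter2` also excludes any POST to `/api/v2.0/user/remoteserver.saml` that carries no Referer at all, which is exactly what a script or curl-based exploit looks like, while the removed `content-disposition|contains: '`'` check was the only payload-specific signal the rule had. I would drop `filter2` and change the condition to `condition: selection and not filter1`, and add a comment such as `# filter1 only suppresses requests from the legitimate UI path; Referer is client-supplied and must not be treated as a trust signal` so the residual bypass is documented; if the referer filter is kept for noise reasons, the description should state that the rule misses requests with a spoofed or absent Referer. The `cs-referer:` list with a single `- null` entry can also be written as `cs-referer: null`.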