Update discovery_web_server_local_file_inclusion_activity.toml

Author: Aegrah

rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml

@@ -45,35 +45,35 @@ from
 
 | where
   /* 1) Relative traversal */
-  Esql.url_original_url_decoded_to_lower like "*../../../../*" or           // Unix-style traversal
-  Esql.url_original_url_decoded_to_lower like "*..\\\\..\\\\..\\\\..*" or           // Windows-style traversal
-  // Potential security check bypassing (enforcing multiple dots and shortening the pattern)
-  Esql.url_original_url_decoded_to_lower like "*..././*" or
-  Esql.url_original_url_decoded_to_lower like "*...\\*" or
-  Esql.url_original_url_decoded_to_lower like "*....\\*" or
+    Esql.url_original_url_decoded_to_lower like "*../../../../*" or           // Unix-style traversal
+    Esql.url_original_url_decoded_to_lower like "*..\\\\..\\\\..\\\\..*" or           // Windows-style traversal
+    // Potential security check bypassing (enforcing multiple dots and shortening the pattern)
+    Esql.url_original_url_decoded_to_lower like "*..././*" or
+    Esql.url_original_url_decoded_to_lower like "*...\\*" or
+    Esql.url_original_url_decoded_to_lower like "*....\\*" or
 
   /* 2) Linux system identity / basic info */
-  Esql.url_original_url_decoded_to_lower like "*etc/passwd*" or
-  Esql.url_original_url_decoded_to_lower like "*etc/shadow*" or
-  Esql.url_original_url_decoded_to_lower like "*etc/hosts*" or
-  Esql.url_original_url_decoded_to_lower like "*etc/os-release*" or
-  Esql.url_original_url_decoded_to_lower like "*etc/issue*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/passwd*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/shadow*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/hosts*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/os-release*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/issue*" or
 
   /* 3) Linux /proc enumeration */
-     Esql.url_original_url_decoded_to_lower like "*proc/self/environ*" or
-     Esql.url_original_url_decoded_to_lower like "*proc/self/cmdline*" or
-     Esql.url_original_url_decoded_to_lower like "*proc/self/fd*" or
-     Esql.url_original_url_decoded_to_lower like "*proc/self/exe*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/environ*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/cmdline*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/fd*" or
+    Esql.url_original_url_decoded_to_lower like "*proc/self/exe*" or
 
   /* 4) Linux webroots, configs & logs */
-     Esql.url_original_url_decoded_to_lower like "*var/www*" or               // generic webroot
-     Esql.url_original_url_decoded_to_lower like "*wp-config.php*" or         // classic WP config
-     Esql.url_original_url_decoded_to_lower like "*etc/apache2*" or
-     Esql.url_original_url_decoded_to_lower like "*etc/httpd*" or
-     Esql.url_original_url_decoded_to_lower like "*etc/nginx*" or
-     Esql.url_original_url_decoded_to_lower like "*var/log/apache2*" or
-     Esql.url_original_url_decoded_to_lower like "*var/log/httpd*" or
-     Esql.url_original_url_decoded_to_lower like "*var/log/nginx*" or
+    Esql.url_original_url_decoded_to_lower like "*var/www*" or               // generic webroot
+    Esql.url_original_url_decoded_to_lower like "*wp-config.php*" or         // classic WP config
+    Esql.url_original_url_decoded_to_lower like "*etc/apache2*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/httpd*" or
+    Esql.url_original_url_decoded_to_lower like "*etc/nginx*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/apache2*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/httpd*" or
+    Esql.url_original_url_decoded_to_lower like "*var/log/nginx*" or
 
   /* 5) Windows core files / identity */
     Esql.url_original_url_decoded_to_lower like "*windows/panther/*unattend*" or