updated query

Author: terrancedejesus

rules/network/execution_potential_rce_via_toolshell.toml

@@ -36,9 +36,10 @@ query = '''
 data_stream.dataset : "network_traffic.http" and
     network.direction: "ingress" and
     http.request.method: "POST" and
+    http.request.referrer: *SignOut.aspx and
     http.request.body.content: *__VIEWSTATE=* and
     http.request.headers.content-type: "application/x-www-form-urlencoded" and
-    http.request.body.bytes >= 20 and
+    http.request.body.bytes >= 500 and
     http.response.headers.server: Microsoft-IIS*
 '''