diff options
| author | jvoisin | 2016-01-04 15:15:56 +0100 |
|---|---|---|
| committer | jvoisin | 2016-01-04 15:15:56 +0100 |
| commit | 79bdee48721c6a023cbea9c66e825f0b8834038f (patch) | |
| tree | 32ee7ca9580debc23d7742f5d07cd0a2d8964ac1 | |
| parent | ccbefed99a639c5c91463bf3edc343cc13b65d36 (diff) | |
Simplify a bit some rules
- Remove `b64_concat` since it was close to useless
- Make `too_many_chr` non-greddy
Those changes will make our malwares.yara rules
yara-git friendly.
| -rw-r--r-- | malwares.yara | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/malwares.yara b/malwares.yara index 73195da..4f08a9b 100644 --- a/malwares.yara +++ b/malwares.yara | |||
| @@ -64,8 +64,7 @@ rule ObfuscatedPhp | |||
| 64 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher | 64 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher |
| 65 | $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html | 65 | $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html |
| 66 | $strange_arg = /\${\$[0-9a-zA-z]+}/ | 66 | $strange_arg = /\${\$[0-9a-zA-z]+}/ |
| 67 | $too_many_chr = /(chr\([\d]+\)\.){2,}?/ | 67 | $too_many_chr = /(chr\([\d]+\)\.){2,}/ |
| 68 | $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/ | ||
| 69 | condition: | 68 | condition: |
| 70 | any of them and not IsWhitelisted | 69 | any of them and not IsWhitelisted |
| 71 | } | 70 | } |