| author | jvoisin | 2016-07-09 17:06:03 +0200 |
|---|---|---|
| committer | jvoisin | 2016-07-09 17:06:03 +0200 |
| commit | 8a24374f3e3544c3812064b305369aaad5fa24e1 (patch) | |
| tree | 2aa2769d35dbdf66d13d480b6aba3c4319140e0d | |
| parent | a8a09469f5c7b62431ba5c205ec108d6a341e530 (diff) | |
Reduce "too_many_chr" false positives
| -rw-r--r-- | php-malware-finder/php.yar | 2 |
1 files changed, 1 insertions, 1 deletions
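--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -51,7 +51,7 @@ rule ObfuscatedPhp
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $variable_variable = /\${\$[0-9a-zA-z]+}/
-$too_many_chr = /(chr\([\d]+\)\.){5}/ // concatenation of more than two `chr()`
+$too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
 $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
 $gif = /^GIF89/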
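Review bot: The new comment on `$too_many_chr` says "more than eight", but `{8}` already matches at eight consecutive `chr(N).` groups, so the comment should read `// eight or more consecutive chr() concatenations`. The pattern also matches only the tightly packed, lowercase form, with no whitespace tolerated around the `.` or inside the parentheses, so with the higher threshold the string's coverage depends even more on that exact formatting. If the false-positive rate on known-clean samples allows it, consider `$too_many_chr = /(chr\(\s*\d+\s*\)\s*\.\s*){8}/ nocase`, which also drops the redundant `[\d]` class. The `strings:` section and the condition of `rule ObfuscatedPhp` lie outside this hunk, so how much weight this string carries in the rule cannot be judged from here.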
