From 620ec0de2e39a7b0db8cbae75e16de455a7229fc Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Wed, 23 Mar 2016 17:18:30 +0100
Subject: Make PMF work on yara-git
---
 php-malware-finder/malwares.yara | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 929164b..f4e2dac 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -68,8 +68,8 @@ rule ObfuscatedPhp
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $variable_variable = /\${\$[0-9a-zA-z]+}/
- $too_many_chr = /(chr\([\d]+\)\.){2,}?/ // concatenation of more than two `chr()`
- $concat = /(\$[^\n\r]+\.){5,}?/ // concatenation of more than 5 words
+ $too_many_chr = /(chr\([\d]+\)\.){2}/ // concatenation of more than two `chr()`
+ $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
 $gif = /^GIF89/
 condition:
--
cgit v1.3
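Review bot: The trailing comments on the two rewritten strings no longer describe the threshold the patterns enforce. `{2}` and `{5}` fire as soon as two `chr()` calls or five `$…​.` segments appear, not "more than" that. I would reword them to `// two or more chr() calls concatenated` and `// five or more $-prefixed segments concatenated on one line`, so anyone triaging a hit knows what actually tripped. Separately, `[^\n\r]+` in `$concat` is unbounded within a line, so on a long single-line (minified) PHP file the scan may backtrack heavily and a match can span unrelated code. A bounded class such as `[^\n\r]{1,N}`, with N chosen from the sample set, would keep the cost and the matched span predictable. The rule's `condition:` section lies outside the hunk, so how these strings are weighted cannot be checked from here.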