From 79bdee48721c6a023cbea9c66e825f0b8834038f Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 15:15:56 +0100
Subject: Simplify a bit some rules

- Remove `b64_concat` since it was close to useless
- Make `too_many_chr` non-greddy

Those changes will make our malwares.yara rules yara-git friendly.
---
 malwares.yara | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 73195da..4f08a9b 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -64,8 +64,7 @@ rule ObfuscatedPhp
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $strange_arg = /\${\$[0-9a-zA-z]+}/
- $too_many_chr = /(chr\([\d]+\)\.){2,}?/
- $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
+ $too_many_chr = /(chr\([\d]+\)\.){2,}/
 condition:
 any of them and not IsWhitelisted
 }
-- 
cgit v1.3
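Review bot: The new `$too_many_chr` pattern on the added line is case-sensitive and requires the `.` to sit directly between the `chr(...)` calls, so `CHR(65).chr(66).` or `chr(65) . chr(66) . ` slip past it even though PHP resolves function names case-insensitively and permits whitespace around operators; dropping the trailing `?` only changes how much text a match consumes, not whether one occurs, so detection scope is otherwise unchanged by this commit (and the quantifier becomes greedy, not non-greedy as the subject line says). A more tolerant form with the same intent would be `$too_many_chr = /(chr\(\s*\d+\s*\)\s*\.\s*){2,}/ nocase` — YARA regex strings accept the `nocase` modifier, and the `[\d]` brackets are redundant. A secondary point in the unchanged `$strange_arg` context line: the class `[0-9a-zA-z]` uses the range `A-z`, which also admits `[`, `\`, `]`, `^`, `_` and `` ` ``; `A-Z` is presumably what was meant, so this silently over-matches rather than under-matches. The `rule ObfuscatedPhp` header and the `IsWhitelisted` rule referenced in the condition lie outside the hunk.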