From 8a24374f3e3544c3812064b305369aaad5fa24e1 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 9 Jul 2016 17:06:03 +0200
Subject: Reduce "too_many_chr" false positives
---
 php-malware-finder/php.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index d4a77c1..fce5ea3 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -51,7 +51,7 @@ rule ObfuscatedPhp
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $variable_variable = /\${\$[0-9a-zA-z]+}/
- $too_many_chr = /(chr\([\d]+\)\.){5}/ // concatenation of more than two `chr()`
+ $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
 $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
 $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
 $gif = /^GIF89/
-- 
cgit v1.3
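Review bot: The new `$too_many_chr` pattern still matches only the exact lowercase, whitespace-free form `chr(N).`, so raising the count to 8 narrows a string that already misses spaced or mixed-case concatenations, which PHP accepts because function names are case-insensitive. Unless the scanner normalises input before matching, the false-positive reduction could be kept without losing that coverage by writing `$too_many_chr = /(chr\s*\(\s*\d+\s*\)\s*\.\s*){8}/ nocase`. The trailing comment should read "eight or more" rather than "more than eight", since `{8}` already matches at exactly eight repetitions. The rule's `condition` section lies outside this hunk, so how this string is combined with the others cannot be checked from here.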