From b456ace96e2bfea050d6991082773a183e476d5f Mon Sep 17 00:00:00 2001
From: Mathieu Deous
Date: Wed, 14 Oct 2015 13:48:20 +0200
Subject: signatures: eval can be prefixed by an open square bracket
---
 php-malware-finder/malwares.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 3bc15c2..866aa66 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
- $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
+ $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
 $b374k = /'ev'\.'al'/
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
-- 
cgit v1.3
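Review bot: The widened class in `$eval` now also fires on a call that directly follows an opening brace on the same line, which ordinary one-line code such as `if ($ok) { exec($cmd); }` produces too, so the false-positive cost depends on how `$eval` is weighted in the rule's `condition`, which lies outside this hunk. `[\t ]*` still does not span `\r` or `\n`, so a call on the line after the brace is not covered; if that is deliberate to keep noise down, the comment should say so. The trailing comment still shows only the `;` case, and the subject says "square bracket" while the character added is `{`; I would change the comment to something like `// ;eval( or {eval( or }eval( on one line <- this is dodgy`. The diffstat lists only malwares.yara, so no positive or benign sample accompanies the new case; adding one of each would pin the intended behaviour.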