From c97707653e73f44d21dc44b77c1eec7b27293d1a Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Fri, 17 Jun 2016 10:20:45 +0200
Subject: typo fix, sha1 hashes are 40 chars long

---
 php-malware-finder/php.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index dad427b..ab63da5 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -48,7 +48,7 @@ rule PasswordProtection
 {
 strings:
 $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
- $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+ $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
 condition:
 any of them
 }
-- 
cgit v1.3
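Review bot: The digest lengths in `$md5` and `$sha1` are bare numbers inside two otherwise identical patterns, which is how the `{32}` copy went unnoticed in `$sha1`; a comment above the strings such as `// hex digest length: md5 = 32, sha1 = 40` would make the next copy harder to get wrong. Because the closing quote had to follow exactly 32 hex characters, the old `$sha1` string could never match a real SHA-1 literal, so the rule had no SHA-1 coverage until this fix. A sample containing a `sha1($_POST[...]) == '<40 hex chars>'` comparison in the project's test samples (assuming it keeps some; none are visible here) would catch a regression. The `rule PasswordProtection` line itself sits above the hunk.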