From e6c04caba89f6915c84b247990382461851e08f3 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 17:34:54 +0100
Subject: Add a rule to match multiplescomments
---
 malwares.yara | 1 +
 1 file changed, 1 insertion(+)
diff --git a/malwares.yara b/malwares.yara
index 7167708..ee6ea07 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $strange_arg = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){2,}/
+ $many_comments = /\/\*.{,28}\*\/[^\/]*\/\*/ // Something like as/* */ser/* */t
 condition:
 any of them and not IsWhitelisted
 }
-- cgit v1.3
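Review bot: The gap `[^\/]*` in the added `$many_comments` pattern is unbounded and also matches newlines, so one short block comment followed anywhere later by a second `/*`, with no slash in between, is enough to hit. Ordinary code such as two short docblocks around a property declaration would match, and because the condition is `any of them`, that single hit flags the file unless `IsWhitelisted` covers it. The inline example (`as/* */ser/* */t`) suggests the intent is comments spliced into an identifier, so bounding the gap and excluding whitespace would stay closer to that, for example `$many_comments = /\/\*.{,28}\*\/[^\/\s]{1,32}\/\*/`. The bounds are illustrative and should be tuned against the whitelist corpus. A bounded gap should also keep scan cost predictable on large slash-free inputs. The body of `ObfuscatedPhp` starts above this hunk, so other strings or modifiers there are not visible.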