diff --git a/patterns_raw.txt b/patterns_raw.txt
index 45e7e8b..7d6c9a8 100644
--- a/patterns_raw.txt
+++ b/patterns_raw.txt
@@ -1,74 +1,108 @@ -uname -a -/etc/shadow -/etc/passwd -WSOstripslashes -PD9waH -w/cGhw -8P3Boc -c3lzdGVt -N5c3Rlb -zeXN0ZW -\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system -cmVwbGFjZ -JlcGxhY2 -yZXBsYWNl -\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace -ZXhlYy -V4ZWMo -leGVjK -\x65\x78\x65\x63' /* dec/hex issue? */, // exec -='base'.(32*2).'_de'.'code' -"base64_decode" -YmFzZTY0X2RlY29kZ -Jhc2U2NF9kZWNvZG -iYXNlNjRfZGVjb2Rl -"p"."r"."e"."g"."_" -eval("?> -ev\x61l -\x65\166\x61\154\x28' /* dec/hex issue? */, -\x65\x76\x61\x6C' /* case, dec/hex issue? */, -ZXZhbC -V2YWwo -ldmFsK -'ev'.'al'.' -eval(base64_decode( -\x47\x4c\x4f\x42\x41LS -SFRUUF9VU0VSX0FHRU5U -hUVFBfVVNFUl9BR0VOV -IVFRQX1VTRVJfQUdFTl -YWxsb3dfdXJsX2ZvcGVu -FsbG93X3VybF9mb3Blb -hbGxvd191cmxfZm9wZW -${${ -file_get_contents('http://codepad.org -PHPJiaMi +#Raw string patterns +#All strings in this file are case sensitive +#Comments are support, but '#' must be the first character on the line. +#More critical patterns should be higher in the file as only the first pattern match is reported. + +#Backdoor patterns +@eval($_POST[' +Backdoor @include($_GET[ system($_GET[ md5($_GET[ -ShellBOT -bgeteam -DisablePHP= -moban.html - /tmp/ + +#Web-Shell patterns +$sh3llColor +w4ck1ng shell +private Shell by m4rco +Shell by Mawar_Hitam SHELL_PASSWORD +ConnectBackShell +ShellBOT +== "bindshell" + +#Remote Code curl_get_from_webpage -base=base64_encode -@x0powo -@preg_replace -1@1.com -META http-equiv="refresh" content="0; -="create_";global +file_get_contents('http://codepad.org + + +#Base64 String Samples. Each plain text string should have 3 base64 equivalents + +# "shell" in base64 +c2hlbG +NoZWxs +zaGVsb + +# " +"base64_decode" +='base'.(32*2).'_de'.'code' +"p"."r"."e"."g"."_" +WSOstripslashes +\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system +\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? 
*/, // preg_replace +\x65\x78\x65\x63' /* dec/hex issue? */, // exec +ev\x61l +\x65\166\x61\154\x28' /* dec/hex issue? */, +\x65\x76\x61\x6C' /* case, dec/hex issue? */, +'ev'.'al'.' +eval(base64_decode( + +M4ll3r +itsoknoproblembro +tmhapbzcerff + + +#Miscellaneous +uname -a +/etc/shadow +/etc/passwd +\x47\x4c\x4f\x42\x41LS +${${ +PHPJiaMi +DisablePHP= +moban.html +a,b,c,d,e,f,g +@x0powo +@preg_replace +1@1.com +META http-equiv="refresh" content="0; +="create_";global +Net@ddress Mail +__VIEWSTATEENCRYPTED +createFilesForInputOutput +R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA ayu pr1 pr2 pr3 pr4 pr5 pr6 f0VMRgEBAQA 0d0a0d0a676c6f62616c20246d795f736d7 
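Review bot: The `#Base64 String Samples. Each plain text string should have 3 base64 equivalents` heading is not honoured on the new side: only `"shell"` gets its three forms (`c2hlbG`, `NoZWxs`, `zaGVsb`), the next heading is the dangling `# "`, and the old triplets for base64_decode (`YmFzZTY0X2RlY29kZ`, `Jhc2U2NF9kZWNvZG`, `iYXNlNjRfZGVjb2Rl`), eval, exec, system, preg_replace and `<?php` are deleted without being re-added anywhere in the visible hunk, so base64-wrapped droppers that were only caught through those stubs lose coverage. I would complete the heading as `# "base64_decode" in base64` and restore the removed triplets under matching comments, or remove the "3 base64 equivalents" claim if the omission is deliberate. Separately, the hex-escape entries in this section still carry PHP-array residue such as `' /* case, dec/hex issue? */, // system` inside what the header declares to be a raw, case-sensitive pattern, so they can only match a file that also contains that comment text; trimming each to the bare escape sequence (`\x73\x79\x73\x74\x65\x6d`) would make them usable. Minor: `#Comments are support, but` should read `#Comments are supported, but`.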
@@ -97,62 +180,29 @@ etalfnizg JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV -edoced_46esab -VOBRA GANGO -itsoknoproblembro HTTP flood complete after exploitcookie az88pix00q98 -The Dark Raver Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP 463839610c000b00800100ffffffffffff21f90401000001002c000 AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ -Asmodeus -Cautam fisierele de configurare -BRUTEFORCING -FaTaLisTiCz_Fx Fx29Sh -w4ck1ng shell -private Shell by m4rco -Shell by Mawar_Hitam LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\= 5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW -zehirhacker R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp -DX_Header_drawn BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA -casus15 -temp_r57_table -By Psych0 -c99ftpbrutecheck -K!LL3r -MrHazem -BY MMNBOBZ -ConnectBackShell -Hackeado -d3b~X REREFER_PTTH Joomla_brute_Force /usr/sbin/httpd -tmhapbzcerff -IrSecTeam -Spammer -FLoodeR -eriuqer sshkeys - -Backdoor eggdrop rwxrwxrwx -profexor.hell GIF89A; /tmp/ ncftpput -u wsoEx( WSOsetcookie( -Dr.abolalh -C0derz.com -Mr.HiTman \x47\x4c\x4f\x42\x41\x4c\x53 -@eval($_POST['