diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index 2165fa3..3fae67d 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -352,4 +352,8 @@ substr(md5(time()), 0, 8) . ".php"
 # webshell 0byt3m1n1
-ZeroByte
\ No newline at end of file
+ZeroByte
+
+# obfuscated function name
+'str_' .'rot13'
+'st' .'rrev'
\ No newline at end of file
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index 7c0a792..4865477 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -98,4 +98,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 php_uname\(["'asrvm]+\)
 # XOR decode POST-ed payload
-(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
\ No newline at end of file
+(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
+
+# uncommon function name underscore with many numbers
+function\s+_[0-9]{8,}\(
\ No newline at end of file
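Review bot: The two new raw entries `'str_' .'rot13'` and `'st' .'rrev'` are bound to one exact layout — single quotes, a space before the dot and none after — so the equally common spellings `'str_'.'rot13'`, `'str_' . 'rot13'` and any double-quoted form slip past them. The second hunk of this commit shows the project already keeps regexes in patterns_re.txt for layout-variable constructs, so these would be better expressed there, e.g. `['"]str_?['"]\s*\.\s*['"]_?rot13['"]` and `['"]str?['"]\s*\.\s*['"]r?rev['"]`, which also catch `'str'.'_rot13'` and `'str'.'rev'`. If they are kept as raw literals, a comment such as `# literal match only: other spacing/quote variants are not covered` would stop the next maintainer from assuming broader coverage. Whether other existing patterns already cover those variants cannot be told from this hunk.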
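Review bot: `function\s+_[0-9]{8,}\(` requires the opening parenthesis to follow the name immediately, so a declaration written as `function _12345678 (`, or with the parenthesis on the next line, is not matched even though it carries the same obfuscated name; allowing optional whitespace with `function\s+_[0-9]{8,}\s*\(` closes that gap at no false-positive cost. The pattern also depends silently on how the scanner compiles these regexes: if matching is case-sensitive, `FUNCTION _12345678(` (legal PHP, since keywords are case-insensitive) slips past, which deserves either a `(?i)` prefix, if the engine supports inline flags, or a comment stating that case-insensitive compilation is assumed. Whether the neighbouring patterns in this file rely on such compilation cannot be determined from the hunk. The heading comment could also be made precise, e.g. `# obfuscator-style function name: underscore followed by 8+ digits`.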