From d7fe8589b0c57dfc436bc45b0b8caf27bbd7416f Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Sat, 22 Sep 2018 18:30:02 +0200
Subject: [PATCH] Signature update reported in #25

---
 definitions/patterns_raw.txt | 6 +++++-
 definitions/patterns_re.txt | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index 2165fa3..3fae67d 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -352,4 +352,8 @@ substr(md5(time()), 0, 8) . ".php"
 
 # webshell
 0byt3m1n1
-ZeroByte
\ No newline at end of file
+ZeroByte
+
+# obfuscated function name
+'str_' .'rot13'
+'st' .'rrev'
\ No newline at end of file
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index 7c0a792..4865477 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -98,4 +98,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 php_uname\(["'asrvm]+\)
 
 # XOR decode POST-ed payload
-(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
\ No newline at end of file
+(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
+
+# uncommon function name underscore with many numbers
+function\s+_[0-9]{8,}\(
\ No newline at end of file
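Review bot: The two raw signatures added at the end of patterns_raw.txt, `'str_' .'rot13'` and `'st' .'rrev'`, pin one exact quote style and spacing. If raw patterns are matched as literal substrings (the matcher is not visible in this patch), the same concatenation written with double quotes or different whitespace around the dot would not be flagged. Consider carrying them in patterns_re.txt in a tolerant form, e.g. `['"]str_['"]\s*\.\s*['"]rot13['"]` and `['"]st['"]\s*\.\s*['"]rrev['"]`. The comment could also name its origin, `# obfuscated function name (string concatenation, see #25)`. Both files still end without a trailing newline, so the next signature addition will again have to rewrite the last line.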
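Review bot: The pattern added at the end of patterns_re.txt, `function\s+_[0-9]{8,}\(`, requires the opening parenthesis directly after the digits. PHP accepts whitespace between a function name and its parameter list, so a declaration such as `function _12345678 (` (constructed example) would not match; `function\s+_[0-9]{8,}\s*\(` covers it. PHP keywords are also case-insensitive, so unless the scanner compiles these patterns case-insensitively (not visible in this patch) an upper-case `FUNCTION` is missed as well. The comment would read more precisely as `# unusual function name: underscore followed by 8 or more digits`.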