From 1aca73db10609a548fb8d1ceee7fcdbfc1319a81 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 18 Sep 2024 16:45:26 +0200
Subject: [PATCH] Update gen_webshells.yar

fix: avoid too many regular expression fibers error
---
 yara/gen_webshells.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yara/gen_webshells.yar b/yara/gen_webshells.yar
index 3ef7da2d..49094abb 100644
--- a/yara/gen_webshells.yar
+++ b/yara/gen_webshells.yar
@@ -926,7 +926,7 @@ rule WEBSHELL_PHP_Generic_Eval
 id = "79cfbd88-f6f7-5cba-a325-0a99962139ca"
 strings:
 // new: eval($GLOBALS['_POST'
- $geval = /\b(exec|shell_exec|passthru|system|popen|proc_open|pcntl_exec|eval|assert)[\t ]{0,500}(\(base64_decode)?(\(stripslashes)?[\t ]{0,500}(\(trim)?[\t ]{0,500}\(\$(_POST|_GET|_REQUEST|_SERVER\s?\[['"]HTTP_|GLOBALS\[['"]_(POST|GET|REQUEST))/ wide ascii
+ $geval = /\b(exec|shell_exec|passthru|system|popen|proc_open|pcntl_exec|eval|assert)[\t ]{0,300}(\(base64_decode)?(\(stripslashes)?[\t ]{0,300}(\(trim)?[\t ]{0,300}\(\$(_POST|_GET|_REQUEST|_SERVER\s?\[['"]HTTP_|GLOBALS\[['"]_(POST|GET|REQUEST))/ wide ascii
 //strings from private rule php_false_positive
 // try to use only strings which would be flagged by themselves as suspicious by other rules, e.g. eval
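Review bot: The three `{0,300}` bounds on the new `$geval` line have no comment recording why they were chosen, so a later edit could widen them again and bring back the fibers error named in the commit message. I would add a line above the string such as `// whitespace runs capped at {0,300} to avoid YARA's "too many regular expression fibers" error; re-test before raising`. The cap also narrows what this string matches compared with the old `{0,500}`, so the rule should be re-run against the existing webshell sample set to confirm no previously detected sample is lost. Whether other strings in the rule cover such cases cannot be seen from here, because the strings section continues outside the hunk.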