Remove rot13_str_replace, lower criticality of base64_str_replace (ch…

…ainguard-dev#278) * Add test file * Revert "Add test file" This reverts commit 01102fc. * Remove rot13 obfuscation rule, detune base64 rule
egibs · Jun 22, 2024 · 446a4a0 · 446a4a0
1 parent fd85587
commit 446a4a0
Showing 1 changed file with 1 addition and 12 deletions.
diff --git a/rules/evasion/script-obfuscation.yara b/rules/evasion/script-obfuscation.yara
@@ -120,7 +120,7 @@ rule php_obfuscated_concat_multiple : critical {
 		filesize < 5MB and $php and any of ($o*)
 }
 
-rule base64_str_replace : critical {
+rule base64_str_replace : medium {
 	meta:
 	   description = "creatively hidden forms of the term 'base64'"
 	strings:
@@ -131,17 +131,6 @@ rule base64_str_replace : critical {
 		any of them
 }
 
-rule rot13_str_replace : critical {
-	meta:
-	   description = "creatively hidden forms of the term 'rot13'"
-	strings:
-		$a = /r.o.t13/
-		$b = /r.o.t.1.3/
-		$c = /r.o.t1.3/
-	condition:
-		any of them
-}
-
 rule gzinflate_str_replace : critical {
 	meta:
 	   description = "creatively hidden forms of the term 'gzinflate'"