From 446a4a0733099a70b8a5e04e6f52be1036998363 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?=
Date: Sat, 22 Jun 2024 10:28:43 -0400
Subject: [PATCH] Remove rot13_str_replace, lower criticality of base64_str_replace (#278)

* Add test file

* Revert "Add test file"

This reverts commit 01102fc408f2ff4c019c00a2655311c1dee72c08.

* Remove rot13 obfuscation rule, detune base64 rule
---
 rules/evasion/script-obfuscation.yara | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/rules/evasion/script-obfuscation.yara b/rules/evasion/script-obfuscation.yara
index 5757a2af5..7ad172fc1 100644
--- a/rules/evasion/script-obfuscation.yara
+++ b/rules/evasion/script-obfuscation.yara
@@ -120,7 +120,7 @@ rule php_obfuscated_concat_multiple : critical {
 filesize < 5MB and $php and any of ($o*)
 }
 
-rule base64_str_replace : critical {
+rule base64_str_replace : medium {
 meta:
 description = "creatively hidden forms of the term 'base64'"
 strings:
@@ -131,17 +131,6 @@ rule base64_str_replace : critical {
 any of them
 }
 
-rule rot13_str_replace : critical {
- meta:
- description = "creatively hidden forms of the term 'rot13'"
- strings:
- $a = /r.o.t13/
- $b = /r.o.t.1.3/
- $c = /r.o.t1.3/
- condition:
- any of them
-}
-
 rule gzinflate_str_replace : critical {
 meta:
 description = "creatively hidden forms of the term 'gzinflate'"
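Review bot: The severity drop from `critical` to `medium` on `rule base64_str_replace` leaves no record in the file of why the rule was detuned, so the next tuning pass has to rediscover the reasoning from git history; the commit message says only "detune". Consider a comment above the rule line, e.g. `// severity lowered to medium in #278 -- see that PR for the tuning rationale`, or a `meta:` key alongside the existing `description` carrying the same pointer. The rule's `strings:` and `condition:` sections continue outside this hunk, so the change to its tag cannot be judged against its actual patterns here. The companion hunk deletes `rule rot13_str_replace` outright rather than lowering it; if both rules were adjusted for the same reason, that is an inconsistency worth stating, since a lowered tag keeps detection coverage while a deletion loses it.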