From 0248bd6615e29e8b4b910cfe854a73b6f3462499 Mon Sep 17 00:00:00 2001
From: Anton Yuzhaninov <citrin+git@citrin.ru>
Date: Thu, 5 Aug 2021 15:54:20 +0100
Subject: [PATCH] [Rules] Micro-optimize X_PHP_EVAL

Remove /i flag from regexp string "eval()'d code" is always in
lower case. While here use long string format for readability.
---
 rules/regexp/compromised_hosts.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 97d80853e..0a9a9f0aa 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -92,7 +92,7 @@ reconf['HAS_X_ANTIABUSE'] = {
 }
 
 reconf['X_PHP_EVAL'] = {
-  re = "X-PHP-Script=/eval\\(\\)\\'d/Hi || X-PHP-Originating-Script=/eval\\(\\)\\'d/Hi",
+  re = [[X-PHP-Script=/eval\(\)'d code/H || X-PHP-Originating-Script=/eval\(\)'d code/H]],
   description = "Message sent using eval'd PHP",
   score = 4.0,
   group = "compromised_hosts"
-- 
2.39.5