yara-normalize 0.0.0 → 0.1.0

data/README.rdoc

@@ -16,20 +16,34 @@ See test cases.
   require 'yara-normalize'
   sig =<<EOS
   rule DataConversion__wide : IntegerParsing DataConversion {
-    meta:
-      weight = 1
-    strings:
-      $ = "wtoi" nocase
-      $ = "wtol" nocase
-      $ = "wtof" nocase
-      $ = "wtodb" nocase
-    condition:
+     meta:
+      weight =1
+          strings:
+      $="wtoi" nocase
+          $ ="wtol" nocase
+      $= "wtof" nocase
+       $   =   "wtodb" nocase
+  condition:
       any of them
   }
   EOS
-  yn = Yara::Normalizer.new
-  nrm = yn.normalize(sig)
-  puts nrm.hash_code # => dacfb7f79e2ad96cb66c4784323d91e09e8ad2f8c214c8ea0a52e3a3bda71e6612f02361609e0f7a
+  yn = YaraTools::YaraRule.new(sig)
+  puts yn.hash # => yn01:488085c947cb22ed:d936fceffe
+  puts yn.normalize # => 
+    rule DataConversion__wide : IntegerParsing DataConversion {
+      meta:
+        weight = 1
+      strings:
+        $ = "wtoi" nocase
+        $ = "wtol" nocase
+        $ = "wtof" nocase
+        $ = "wtodb" nocase
+      condition:
+        any of them
+    }
+  puts yn.name # => DataConversion__wide
+  pp yn.tags # => ["IntegerParsing","DataConversion"]
+  
 
 == Contributing to yara-normalize
  

data/VERSION

@@ -1 +1 @@
-0.0.0
+0.1.0

data/bin/yaratool

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'yara-normalize'
+
+if __FILE__ == $0
+	count = duplicates = 0
+	hashes = {}
+	ARGV.each do |file|
+		buf = open(file).read
+		YaraTools::Splitter.split(buf).each do |rule|
+			count += 1
+			#puts rule.normalize
+			hash = rule.hash
+			puts "#{rule.name} #{hash} #{rule.normalized_strings.join("%")}"
+			if hashes[hash]
+				duplicate += 1
+			end
+			hashes[hash] = rule
+		end
+	end
+	puts "Count: #{count}, Duplicates: #{duplicates}"
+end
+		

data/lib/yara-normalize/yara-normalize.rb

@@ -1,84 +1,108 @@
-require 'digest/sha1'
-
-module Yara
-	class Rule < Struct.new(:name, :tags, :meta, :strings, :condition)
-		def hash_code
-			normalized_strings = strings.map{|x| x.gsub(/^\s*\$\w+\s*=\s*/,'')}.sort.join("%")
-			strings_hash = Digest::SHA1.hexdigest(normalized_strings)
-			condition_hash = Digest::SHA1.hexdigest(normalized_condition)
-			#pp normalized_strings
-			#pp normalized_condition
-			"#{strings_hash}#{condition_hash}"
-		end
-		
-		def condition_var_replace(condition)
-			vars = {}
-			nextvar = 'a'
-			condition.gsub(/\$\w+/) do |x|
-				unless vars[x]
-					vars[x] = "\$#{nextvar}"
-					nextvar = (nextvar[0] + 1).chr
+require 'digest/md5'
+require 'pp'
+module YaraTools
+	VERSION = "01"
+	class YaraRule
+		attr_reader :original, :name, :tags, :meta, :strings, :condition, :normalized_strings
+		def initialize(ruletext)
+			ruletext = ruletext.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'')
+			@original = ruletext
+			@lookup_table = {}
+			@next_replacement = 'a'
+			
+			if ruletext =~ /rule\s+([\w\_\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\}/m
+				name,_,tags,ifmeta,meta,strings,condition = $~.captures
+				@name = name
+				@tags = tags.strip.split(/[,\s]+/) if tags
+				@meta = {}
+				meta.split(/\n/).each do |m|
+					k,v = m.strip.split(/\s*=\s*/,2)
+					if v
+						@meta[k] = v
+					end
 				end
-				vars[x]
+				@normalized_strings = []
+				@strings = strings.split(/\n/).map do |s|
+					# strip off the spaces from the edges and then replace the first = with ' = '.
+					s = s.strip
+					if s[/\s*=\s*/,0]
+						s[/\s*=\s*/,0] = " = "
+					end
+					if s =~ /= \{([0-9a-fA-F\s]+)\}/
+						# normalize the hex string
+						hexstr = $1.gsub(/\s+/,'').downcase.scan(/../).join(" ")
+						s = s.gsub(/= \{([0-9a-fA-F\s]+)\}/, "= { #{hexstr} }")
+					end
+					key, val = s.split(/ = /,2)
+					if val
+						@normalized_strings << val
+					else
+						@normalized_strings << s
+					end
+					s
+				end
+				@normalized_strings.sort!
+				@condition = condition.split(/\n/).map{|x| x.strip}
+				@normalized_condition = @condition.map{|x| _normalize_condition(x)}
 			end
 		end
 		
-		# ($a and $b) or ($c and $d and ($e or $f)) => (($e or $f) and $c and $d) or ($a and $b)
-		# [['$a','and','$b'],'or',['$c','and','$d','and',['$e','or','$f']]]
-		def normalized_condition
-			return condition if condition =~ /(any of them|all of them|any \d+ of them)/i
-			condition_var_replace(condition_rearrange(condition_var_replace(self.condition)).join(","))
-		end
-		
-		def condition_rearrange(condition)
-			c = condition.gsub(/\(/,'[').gsub(/\)/,'],').gsub(/((\$\w+|and|or|not))/) do |x| "'#{x}',"; end.gsub(/,\]/,']').gsub(/,\s*$/,'')
-			arr = eval("[#{c}]")
-			condition_rearrange2(arr)
+		def _normalize_condition(condition)
+			condition.gsub(/[\$\#]\w+/) do |x|
+				key = x[1,1000]
+				if not @lookup_table[key]
+					@lookup_table[key] = @next_replacement
+					@next_replacement = (@next_replacement[0] + 1).chr
+				end
+				x[0].chr+@lookup_table[key]
+			end
 		end
 		
-		def condition_rearrange2(subpart)
-			if subpart.is_a? Array
-				subpart.sort {|a,b| 
-					if a.is_a? Array and b.is_a? Array
-						b.flatten.length <=> a.flatten.length
-					elsif a.is_a? Array
-						-1
-					elsif b.is_a? Array
-						1
-					else
-						b.length <=> a.length
+		def normalize
+			text = "rule #{@name} "
+			if @tags and @tags.length > 0
+				text += ": #{@tags.join(' ')} "
+			end
+			text += "{\n"
+			if @meta and @meta.length > 0
+				text += "  meta:\n"
+				@meta.each do |k,v|
+					text += "    #{k} = #{v}\n"
+				end
+			end
+			if @strings and @strings.length > 0
+				text += "  strings:\n"
+				@strings.each do |s|
+					if s =~ /\w/
+						text += "    #{s}\n"
+					end
+				end
+			end
+			if @condition and @condition.length > 0
+				text += "  condition:\n"
+				@condition.each do |c|
+					if c =~ /\w/
+						text += "    #{c}\n"
 					end
-				}.map{ |sp|
-					condition_rearrange2(sp)
-				}
-			else
-				subpart
+				end
 			end
+			text + "}"
+		end
+		
+		def hash
+			normalized_strings = @normalized_strings.join("%")
+			normalized_condition = @normalized_condition.join("%")
+			strings_hash = Digest::MD5.hexdigest(normalized_strings)
+			condition_hash = Digest::MD5.hexdigest(normalized_condition)
+			"yn#{VERSION}:#{strings_hash[-16,16]}:#{condition_hash[-10,10]}"
 		end
 	end
 	
-	class Normalizer
-		def initialize
-		end
-		
-		def normalize(rule)
-			raise "Invalid rule: rules must begin with the word 'rule'" unless rule =~ /^\s*rule\s/
-			raise "Invalid rule: rules must end with a closing bracket, }" unless rule =~ /\}\s*$/
-			if rule =~ /^\s*rule\s+(\w+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*meta:\s*(.*?)\s*strings:\s*(.*?)\s*condition:\s*(.*?)\s*\}\s*$/m
-				#pp $~.captures
-				name,_,tags,meta,strings,condition = $~.captures
-				tags = tags.split(/\s+/) if tags
-				metatags = {}
-				meta.split(/\n+/).each do |x|
-					a,b = x.split(/\s*=\s*/)
-					metatags[a.strip] = b.strip
-				end
-				strings = strings.split(/\n+/).map{|x| x.strip}
-				condition = condition.strip
-				Rule.new(name,tags,metatags,strings,condition)
-			else
-				nil
+	class Splitter
+		def Splitter.split(ruleset)
+			rules = ruleset.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'').scan(/(rule\s+([\w\_\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\})/m).map do |rule|
+				YaraRule.new(rule[0])
 			end
 		end
 	end
-end
+end

data/ruby_results.txt

@@ -0,0 +1,24 @@
+CF_DOC_CVE_2012_1535_original yn01:06420b6c243181e8:a7e7b4fe3a { 45 78 61 6d 70 6c 65 0b 63 72 65 61 74 65 4c 69 6e 65 73 09 68 65 61 70 53 70 72 61 79 08 68 65 78 54 6f 42 69 6e 07 6d 78 2e 63 6f 72 65 0a 49 46 6c 65 78 41 73 73 65 74 09 46 6f 6e 74 41 73 73 65 74 0a 66 6c 61 73 68 2e 74 65 78 74 } /*Example.createLines.heapSpray.hexToBin.mx.core.IFlexAsset.FontAsset.flash.text*/%{ 4d 61 69 6e 2f 70 72 69 76 61 74 65 3a } /*Main/private:*/%{ 53 00 69 00 6d 00 53 00 75 00 6e 00 } /*S.i.m.S.u.n*/%{ 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 } /*Word.Document.8*/%{ 66 6c 61 73 68 2e 64 69 73 70 6c 61 79 06 53 70 72 69 74 65 06 4f 62 6a 65 63 74 0f 45 76 65 6e 74 44 69 73 70 61 74 63 68 65 72 0d 44 69 73 70 6c 61 79 4f 62 6a 65 63 74 } /*flash.display.Sprite.Object.EventDispatcher.DisplayObject*/%{ 68 69 6a 6b 6c 6d 6e 6f } /*hijklmno strings */
+CF_DOC_CVE_2012_1535_shellcode yn01:aed85d99267c6173:4be571de0b "9090909090E947010000C28F36D8A0DF16D5B5F0DE78D00589E91B28BF56BEF71ED697165FFAA1665256D0541988A5D913E98E3A172B9BB28253A2E362577E574F52444C2E746D7000"
+CVE_2012_1535_SWF yn01:d0b0e41fbb90ee63:0c2737ef53 "Edit the world in hex"%"FontAsset"%"PSpop"%"createTextLine"%"heapSpray"%"hexToBin"%{ 46 57 53 }
+cf_exe_dropper_sfx yn01:32c758a1635b4d6e:9534ef77f9 ";The comment below contains SFX script commands"%"Setup=" ascii wide%"Silent=1" ascii wide%"WinRAR" ascii wide
+cf_hlp_malicious_help_file yn01:22be215570105ad6:2edd241969 "CreateThread" nocase%/RR\(.KERNEL32.DLL.,/ nocase%{ 3f 5f 03 00 }%{ 4c 4e 02 00 }
+cf_html_IE8_CVE_2012_4969 yn01:18d1ab9564026f79:a7e7b4fe3a "YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH"%"document.execCommand(\\"
+cf_ie_cve_2012_1526 yn01:791760cc1bb44202:fa3fd96df1 /\.getElements?By/ nocase%/\.removeChild\(/ nocase%/document\..*?= ?null/ nocase%/mailto\:.{2000,}/ nocase fullword
+CF_JAVA_system_cmds yn01:9369881e5d91ae88:23497b0a75 "/bin/sh"%"Math.random"%"chmod"%"cmd.exe"%"indexOf" //usually used to get result of $fingerprint2%/(os.name|java.io.tmpdir)/%/* Payload */%/* System commands */%/get(Property|env)/%{ ca fe ba be }
+CF_JAVA_network_connectivity yn01:7c4e5171925f60dc:4ffbde1efc "ServerSocket"%"URLConnection" //URL class can also be used to access files in the local file system%"getMbeanServer" //used with MarshallObject%"host"%"lport"%"openConnection"%/* Network indicators */%/get(Input|Output)Stream/%/socket(lhost, lport)/%{ ca fe ba be }
+CF_JAVA_changing_security yn01:cf8a3ae054b77a6d:f6b1a6926b %"AccessController.doPrivileged"%"AllPermission"%"PrivilegedActionException"%"ProtectionDomain"%"file://"%/* Modifying local security : a class that allows applications to implement a security policy */%/[sg]etSecurityManager/%{ ca fe ba be }
+CF_JAVA_execute_write yn01:47d6a8c1cd7ca988:595f5c08f4 %%%"ArrayOfByte"%"Exception.printStackTrace"%"FileOutputStream" /*contains a byte stream with the serialized representation of an object given to its constructor*/%"HexDecode"%"InputStream"%"MarshalledObject"%"ObjectInputStream"%"OutputStreamWriter"%"Runtime.getRuntime"%"StringtoBytes"%"exec"%"getResourceAsStream"%"toByteArray"%"writeObject"%/* Exploit */%/* Loader indicators */%/* Local execution */%/arrayOf(Byte|String)/%/l(port|host)/%{ ca fe ba be }
+CF_JAVA_possible_exploit yn01:b58561333df5354e:e51d8cdbd7 %"ByteArrayInputStream"%"Character.digit"%"ProtectionDomain"%"String.charAt"%"StringBuilder"%"arrayOfByte"%"localPermissions"%"printStackTrace"%{ ca fe ba be }
+CF_PDF_CVE_2007_5659 yn01:ada07a590bb9b5b8:a7e7b4fe3a { 25 50 44 46 2d }%{ 65 70 61 63 73 65 6e 75 }%{ 6e 6f 69 74 63 6e 75 66 }%{ 79 61 72 70 73 }%{ 79 61 72 72 41 }
+CF_PDF_obfuscated_alphabetic_char_blackhole yn01:78654b53f1b3a0d3:c453df481f "%PDF-"%/[a-zA-Z]&#10[0-9];/%/[a-zA-Z]&#11[0-9];/%/[a-zA-Z]&#12[012];/%/[a-zA-Z]&#9[789];/
+CF_PDF_suspicious_js yn01:360cd6b36773334c:e0bbde6bd2 "%PDF-"%/(\(|\[)(.{1,4}(,|-)){64}/
+CF_RTF_ACTOR_CVE_2012_0158_tnauthor_John_Doe yn01:e82aa6a75f86469c:78c8a3f51c { 07 74 6e 61 75 74 68 6f 72 20 4a 6f 68 6e 20 44 6f 65 7d } /* tnauthor John Doe}*/
+CF_RTF_CVE_2012_1856 yn01:0bffc7a0c3656c46:aea71fc2f5 "0CF11E0A1B" nocase%"4d53436f6d63746c4c69622e546162537472697" nocase%"9665fb1e7c85d111b16a00c0f0283628" nocase%"D0CF11E0A1B11AE1" nocase%"D\x0a0\x0aC\x0aF" nocase%"MSComctlLib.TabStrip"%"{\\rt"%"}0105000002000000"%/objdata[[:space:].]{1,20}01.{0,1}05.{0,1}00.{0,1}00.{0,1}02.{0,1}00.{0,1}00.{0,1}00/
+CF_RTF_CVE_2010_3333 yn01:5d18fb7b42dfd5c0:3873ea4382 "\\shp " nocase%"\\shp\\" nocase%"\\sp \\" nocase%"\\sp\\" nocase%"pFragments" nocase%"{\\rt"  /* RTF specs */ nocase
+CF_RTF_CVE_2010_3333_rare_ge_type yn01:5bbb6168467e0386:3873ea4382 "\\shp " nocase%"\\shp\\" nocase%"\\sp \\" nocase%"\\sp\\" nocase%"pFragments" nocase%"{\\ge"  /* RTF specs */ nocase
+CF_RTF_CVE_2012_0158_var1_objocx yn01:dd9b4fb8c95de7f6:c32f773f84 "\\object" nocase%"\\objemb" nocase%"\\objocx" nocase%"{\\rt"  /* RTF specs */ nocase%{ d0 cf 11 e0 a1 b1 1a e1 }
+CF_RTF_CVE_2012_0158_var2_MSComctlLib yn01:cbf14eb4327aae3e:19df01f1b8 "4C697374566965774374726C" nocase%"4D53436F6D63746C4C69622E" nocase%"54726565566965774374726C" nocase
+CF_RTF_CVE_2012_0158_var3_fchars yn01:5a65c8be3acd5373:a7e7b4fe3a /(\\\'[a-f0-9]{2}){30}/%{ 5c 2a 5c 66 63 68 61 72 73 }%{ 7b 5c 72 74 }
+CF_XDP_embedded_PDF yn01:d3a748381610c2e1:bd721f6929 "%PDF"%"</pdf>"%"<chunk>"%"<pdf xmlns="%"JVBERi0"
+Count: 23, Duplicates: 0

data/test/test_yara-normalize.rb

@@ -1,11 +1,13 @@
 require 'helper'
+require 'pp'
+
 class TestYaraNormalize < Test::Unit::TestCase
 	should "normalize a simple signature" do
 		sig =<<EOS
 rule newIE0daymshtmlExec
 {
 	meta:
-		author = "adnan.shukor@gmail.com"
+		author = "redacted @ gmail.com"
 		ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
 		description = "Internet Explorer CMshtmlEd::Exec() 0day"
 		cve = "CVE-2012-XXXX"
@@ -24,42 +26,27 @@ rule newIE0daymshtmlExec
 		($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
 }
 EOS
-		yn = Yara::Normalizer.new
-		nrm = yn.normalize(sig)
-		hash = {}
-		nrm.members.sort.each do |member|
-			hash[member] = nrm[member]
-		end
-		assert_equal({"condition"=>
-		  "($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))",
-		 "tags"=>nil,
-		 "name"=>"newIE0daymshtmlExec",
-		 "strings"=>
-		  ["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
-		   "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
-		   "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
-		   "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
-		   "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
-		   "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
-		   "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"],
-		 "meta"=>
-		  {"author"=>"\"adnan.shukor@gmail.com\"",
-		   "description"=>"\"Internet Explorer CMshtmlEd::Exec() 0day\"",
-		   "ref"=>
-		    "\"http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/\"",
-		   "impact"=>"4",
-		   "hide"=>"false",
-		   "cve"=>"\"CVE-2012-XXXX\"",
-		   "version"=>"\"1\""}}, hash)
-		assert_equal("ee2e32d623a0debca271cada22b35b3b904d6abd678cf2a48a87b43cd6302e73f67510c19ffe2f1a", nrm.hash_code)
-	end
-
-	should "normalize a simple signature with tags and spaces instead of tabs" do
+		yn = YaraTools::YaraRule.new(sig)
+		assert_equal("yn01:3c0de1ad64681376:3ff75e9945", yn.hash)
+		assert_equal("newIE0daymshtmlExec", yn.name)
+		assert_equal("\"redacted @ gmail.com\"", yn.meta['author'])
+		assert_equal(["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
+		 "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
+		 "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
+		 "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
+		 "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
+		 "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
+		 "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"], yn.strings)
+		assert_equal(
+			["($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))"], 
+			yn.condition
+		)
+		hash1 = yn.hash
 		sig =<<EOS
 rule newIE0daymshtmlExec : tag1 tag2 tag3
 {
   meta:
-    author = "adnan.shukor@gmail.com"
+    author = "redacted @ gmail.com"
     ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
     description = "Internet Explorer CMshtmlEd::Exec() 0day"
     cve = "CVE-2012-XXXX"
@@ -78,66 +65,25 @@ rule newIE0daymshtmlExec : tag1 tag2 tag3
     ($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
 }
 EOS
-		yn = Yara::Normalizer.new
-		nrm = yn.normalize(sig)
-		hash = {}
-		nrm.members.sort.each do |member|
-			hash[member] = nrm[member]
-		end
-		assert_equal({"condition"=>
-		  "($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))",
-		 "tags"=>["tag1","tag2","tag3"],
-		 "name"=>"newIE0daymshtmlExec",
-		 "strings"=>
-		  ["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
-		   "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
-		   "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
-		   "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
-		   "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
-		   "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
-		   "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"],
-		 "meta"=>
-		  {"author"=>"\"adnan.shukor@gmail.com\"",
-		   "description"=>"\"Internet Explorer CMshtmlEd::Exec() 0day\"",
-		   "ref"=>
-		    "\"http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/\"",
-		   "impact"=>"4",
-		   "hide"=>"false",
-		   "cve"=>"\"CVE-2012-XXXX\"",
-		   "version"=>"\"1\""}}, hash)
-		assert_equal("ee2e32d623a0debca271cada22b35b3b904d6abd678cf2a48a87b43cd6302e73f67510c19ffe2f1a", nrm.hash_code)
-	end
-
-	should "normalize a simple signature that has been rearranged" do
-		sig =<<EOS
-rule newIE0daymshtmlExec
-{
-  meta:
-    author = "adnan.shukor@gmail.com"
-    ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
-    description = "Internet Explorer CMshtmlEd::Exec() 0day"
-    cve = "CVE-2012-XXXX"
-    version = "1"
-    impact = 4
-    hide = false
-  strings:
-    $mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
-    $mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
-    $mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
-    $mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
-    $mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
-    $mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
-    $mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
-  condition:
-    ($mshtmlExec_4 and ($mshtmlExec_6 or $mshtmlExec_7) and $mshtmlExec_5) or ($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3)
-}
-EOS
-		yn = Yara::Normalizer.new
-		nrm = yn.normalize(sig)
-		assert_equal("ee2e32d623a0debca271cada22b35b3b904d6abd678cf2a48a87b43cd6302e73f67510c19ffe2f1a", nrm.hash_code)
+		yn = YaraTools::YaraRule.new(sig)
+		assert_equal(hash1, yn.hash)
+		assert_equal("newIE0daymshtmlExec", yn.name)
+		assert_equal(["tag1","tag2","tag3"], yn.tags)
+		assert_equal("\"redacted @ gmail.com\"", yn.meta['author'])
+		assert_equal(["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
+		 "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
+		 "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
+		 "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
+		 "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
+		 "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
+		 "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"], yn.strings)
+		assert_equal(
+			["($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))"], 
+			yn.condition
+		)
 	end
 	
-	should "normalize a simple signature that has been rearranged" do
+	should "normalize a simple signature that has a condition of 'any of them'" do
 		sig =<<EOS
 rule DataConversion__wide : IntegerParsing DataConversion {
 	meta:
@@ -151,22 +97,16 @@ rule DataConversion__wide : IntegerParsing DataConversion {
 		any of them
 }
 EOS
-		yn = Yara::Normalizer.new
-		nrm = yn.normalize(sig)
-		hash = {}
-		nrm.members.sort.each do |member|
-			hash[member] = nrm[member]
-		end
-		assert_equal({"tags"=>["IntegerParsing", "DataConversion"],
-		 "name"=>"DataConversion__wide",
-		 "condition"=>"any of them",
-		 "strings"=>
-		  ["$ = \"wtoi\" nocase",
-		   "$ = \"wtol\" nocase",
-		   "$ = \"wtof\" nocase",
-		   "$ = \"wtodb\" nocase"],
-		 "meta"=>{"weight"=>"1"}},hash)
-		assert_equal("dacfb7f79e2ad96cb66c4784323d91e09e8ad2f8c214c8ea0a52e3a3bda71e6612f02361609e0f7a", nrm.hash_code)
+		yn = YaraTools::YaraRule.new(sig)
+		assert_equal("yn01:488085c947cb22ed:d936fceffe", yn.hash)
+		assert_equal("1", yn.meta['weight'])
+		assert_equal("DataConversion__wide", yn.name)
+		assert_equal(["IntegerParsing", "DataConversion"], yn.tags)
+		assert_equal(["$ = \"wtoi\" nocase",
+		 "$ = \"wtol\" nocase",
+		 "$ = \"wtof\" nocase",
+		 "$ = \"wtodb\" nocase"], yn.strings)
+		assert_equal(["any of them"], yn.condition)
 	end
 end
 

data/yara-normalize.gemspec

@@ -5,14 +5,16 @@
 
 Gem::Specification.new do |s|
   s.name = %q{yara-normalize}
-  s.version = "0.0.0"
+  s.version = "0.1.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["chrislee35"]
   s.cert_chain = ["/Users/chris/Documents/projects/rubygems/yara-normalize/../gem-public_cert.pem"]
-  s.date = %q{2012-09-30}
+  s.date = %q{2012-10-29}
+  s.default_executable = %q{yaratool}
   s.description = %q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
   s.email = %q{rubygems@chrislee.dhs.org}
+  s.executables = ["yaratool"]
   s.extra_rdoc_files = [
     "LICENSE.txt",
     "README.rdoc"
@@ -25,8 +27,10 @@ Gem::Specification.new do |s|
     "README.rdoc",
     "Rakefile",
     "VERSION",
+    "bin/yaratool",
     "lib/yara-normalize.rb",
     "lib/yara-normalize/yara-normalize.rb",
+    "ruby_results.txt",
     "test/helper.rb",
     "test/test_yara-normalize.rb",
     "yara-normalize.gemspec"

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
+  - 1
   - 0
-  - 0
-  version: 0.0.0
+  version: 0.1.0
 platform: ruby
 authors: 
 - chrislee35
@@ -36,8 +36,8 @@ cert_chain:
   6yhklP75
   -----END CERTIFICATE-----
 
-date: 2012-09-30 00:00:00 -04:00
-default_executable: 
+date: 2012-10-29 00:00:00 -04:00
+default_executable: yaratool
 dependencies: 
 - !ruby/object:Gem::Dependency 
   prerelease: false
@@ -106,8 +106,8 @@ dependencies:
   requirement: *id005
 description: To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.
 email: rubygems@chrislee.dhs.org
-executables: []
-
+executables: 
+- yaratool
 extensions: []
 
 extra_rdoc_files: 
@@ -121,8 +121,10 @@ files:
 - README.rdoc
 - Rakefile
 - VERSION
+- bin/yaratool
 - lib/yara-normalize.rb
 - lib/yara-normalize/yara-normalize.rb
+- ruby_results.txt
 - test/helper.rb
 - test/test_yara-normalize.rb
 - yara-normalize.gemspec