RubyGems - yara-normalize - Versions diffs - 0.2.0 → 0.4.0 - Mend

yara-normalize 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
metadata +40 -39
data/.document +0 -5
data/Gemfile +0 -14
data/Gemfile.lock +0 -88
data/Rakefile +0 -46
data/VERSION +0 -1
data/test/helper.rb +0 -20
data/test/test_yara-normalize.rb +0 -113
data/yara-normalize.gemspec +0 -60

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f56ffeec6846ec1ae4d2aea3bfa6cc89ca9643d4b31211b39e8381025377a2ff
-  data.tar.gz: 50aa592ac824fa3ee427f90c8279b92dc79c6dae1c4254b585e54df8c9a31ba3
+  metadata.gz: 3a345a64cbb92b8600dbed3abe6c92219d60a0d27bd04a49bc60f9e141023369
+  data.tar.gz: a7ee233ae22e1260789397a71ad1926f60d65e86714662b2b1e5a65e2ca27cb0
 SHA512:
-  metadata.gz: 6e9513389ae6008ae04f6b9c9ed4940c3ed5e49181930064c3c43fec3772ec7dde919cac1bab5ad7e979b1cdd1146d6e4220273f83131efa368d388f08069137
-  data.tar.gz: b9d19eb5019b239d877da6b6c42622b98cc214c407a6d4315f87ecd69b81140f42f80f8a2831b5cdf1c708b07caade83e2abe52e60f0bf15aff960707dc1274b
+  metadata.gz: a8cb5ab7710807545d146ac7c8d16928296b74dffce0be7963ea815247c8ab3671290c8b236d015ded9dd287eb3b008c8ca4c626279f32440c12b80716b4c9fd
+  data.tar.gz: b82a45e72917d4132aa0e6edaa2fac91b162660f8deb88140a05356efbf42ff8e531c786dd674ec31c96231317bef5d9f30c0bd4f1abed7143851b698bf167f9

metadata CHANGED Viewed

@@ -1,113 +1,115 @@
 --- !ruby/object:Gem::Specification
 name: yara-normalize
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
-- chrislee35
-autorequire:
+- Chris Lee
 bindir: bin
 cert_chain: []
-date: 2022-05-01 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '4'
 - !ruby/object:Gem::Dependency
-  name: rdoc
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.4'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.4'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '13.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '13.3'
 - !ruby/object:Gem::Dependency
-  name: jeweler
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.9
+        version: '2.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.9
+        version: '2.7'
 - !ruby/object:Gem::Dependency
-  name: test-unit
+  name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.5.3
+        version: '6.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.5.3
-description: To enable consistent comparisons between yara rules (signature), a uniform
-  hashing standard was needed.
-email: rubygems@chrislee.dhs.org
+        version: '6.6'
+description: Provides normalization and hashing utilities for Yara rule comparisons.
+email:
+- rubygems@chrislee.dhs.org
 executables:
 - yaratool
 extensions: []
-extra_rdoc_files:
-- LICENSE.txt
-- README.rdoc
+extra_rdoc_files: []
 files:
-- ".document"
-- Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.rdoc
-- Rakefile
-- VERSION
 - bin/yaratool
 - lib/yara-normalize.rb
 - lib/yara-normalize/yara-normalize.rb
-- test/helper.rb
-- test/test_yara-normalize.rb
-- yara-normalize.gemspec
-homepage: http://github.com/chrislee35/yara-normalize
+homepage: https://github.com/chrislee35/yara-normalize
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -115,16 +117,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
-signing_key:
+rubygems_version: 3.7.2
 specification_version: 4
-summary: Normalizes Yara Signatures into a repeatable hash even when non-transforming
-  changes are made
+summary: Normalizes Yara signatures into a repeatable hash even when non-transforming
+  changes are made.
 test_files: []

data/.document DELETED Viewed

@@ -1,5 +0,0 @@
-lib/**/*.rb
-bin/*
--
-features/**/*.feature
-LICENSE.txt

data/Gemfile DELETED Viewed

@@ -1,14 +0,0 @@
-source "http://rubygems.org"
-# Add dependencies required to use your gem here.
-# Example:
-#   gem "activesupport", ">= 2.3.5"
-# Add dependencies to develop your gem here.
-# Include everything needed to run rake, tests, features, etc.
-group :development do
-  gem "shoulda", ">= 4"
-  gem "rdoc", "~> 6.4"
-  gem "bundler", "~> 2.3"
-  gem "jeweler", "~> 2.3.9"
-  gem "test-unit", "~> 3.5.3"
-end

data/Gemfile.lock DELETED Viewed

@@ -1,88 +0,0 @@
-GEM
-  remote: http://rubygems.org/
-  specs:
-    activesupport (7.0.2.4)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 1.6, < 2)
-      minitest (>= 5.1)
-      tzinfo (~> 2.0)
-    addressable (2.4.0)
-    builder (3.2.4)
-    concurrent-ruby (1.1.10)
-    descendants_tracker (0.0.4)
-      thread_safe (~> 0.3, >= 0.3.1)
-    faraday (0.9.2)
-      multipart-post (>= 1.2, < 3)
-    git (1.11.0)
-      rchardet (~> 1.8)
-    github_api (0.16.0)
-      addressable (~> 2.4.0)
-      descendants_tracker (~> 0.0.4)
-      faraday (~> 0.8, < 0.10)
-      hashie (>= 3.4)
-      mime-types (>= 1.16, < 3.0)
-      oauth2 (~> 1.0)
-    hashie (5.0.0)
-    highline (2.0.3)
-    i18n (1.10.0)
-      concurrent-ruby (~> 1.0)
-    jeweler (2.3.9)
-      builder
-      bundler
-      git (>= 1.2.5)
-      github_api (~> 0.16.0)
-      highline (>= 1.6.15)
-      nokogiri (>= 1.5.10)
-      psych
-      rake
-      rdoc
-      semver2
-    jwt (2.3.0)
-    mime-types (2.99.3)
-    minitest (5.15.0)
-    multi_json (1.15.0)
-    multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    nokogiri (1.13.4-x86_64-linux)
-      racc (~> 1.4)
-    oauth2 (1.4.8)
-      faraday (>= 0.8, < 3.0)
-      jwt (>= 1.0, < 3.0)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    power_assert (2.0.1)
-    psych (4.0.3)
-      stringio
-    racc (1.6.0)
-    rack (2.2.3)
-    rake (13.0.6)
-    rchardet (1.8.0)
-    rdoc (6.4.0)
-      psych (>= 4.0.0)
-    semver2 (3.4.2)
-    shoulda (4.0.0)
-      shoulda-context (~> 2.0)
-      shoulda-matchers (~> 4.0)
-    shoulda-context (2.0.0)
-    shoulda-matchers (4.5.1)
-      activesupport (>= 4.2.0)
-    stringio (3.0.1)
-    test-unit (3.5.3)
-      power_assert
-    thread_safe (0.3.6)
-    tzinfo (2.0.4)
-      concurrent-ruby (~> 1.0)
-PLATFORMS
-  x86_64-linux
-DEPENDENCIES
-  bundler (~> 2.3)
-  jeweler (~> 2.3.9)
-  rdoc (~> 6.4)
-  shoulda (>= 4)
-  test-unit (~> 3.5.3)
-BUNDLED WITH
-   2.3.12

data/Rakefile DELETED Viewed

@@ -1,46 +0,0 @@
-# encoding: utf-8
-require 'rubygems'
-require 'bundler'
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
-require 'rake'
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
-  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
-  gem.name = "yara-normalize"
-  gem.homepage = "http://github.com/chrislee35/yara-normalize"
-  gem.license = "MIT"
-  gem.summary = %Q{Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made}
-  gem.description = %Q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
-  gem.email = "rubygems@chrislee.dhs.org"
-  gem.authors = ["chrislee35"]
-  #gem.signing_key = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
-  #gem.cert_chain  = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
-end
-Jeweler::RubygemsDotOrgTasks.new
-require 'rake/testtask'
-Rake::TestTask.new(:test) do |test|
-  test.libs << 'test'
-  test.pattern = FileList['test/test*.rb']
-  test.verbose = true
-end
-task :default => :test
-require 'rdoc/task'
-Rake::RDocTask.new do |rdoc|
-  version = File.exist?('VERSION') ? File.read('VERSION') : ""
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title = "yara-normalize #{version}"
-  rdoc.rdoc_files.include('README*')
-  rdoc.rdoc_files.include('lib/**/*.rb')
-end

data/VERSION DELETED Viewed

	@@ -1 +0,0 @@
1	- 0.2.0

data/test/helper.rb DELETED Viewed

@@ -1,20 +0,0 @@
-require 'rubygems'
-require 'bundler'
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
-require 'test/unit'
-require 'shoulda'
-$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-$LOAD_PATH.unshift(File.dirname(__FILE__))
-require 'yara-normalize'
-class Test::Unit::TestCase
-end

data/test/test_yara-normalize.rb DELETED Viewed

@@ -1,113 +0,0 @@
-require 'helper'
-require 'pp'
-class TestYaraNormalize < Test::Unit::TestCase
-	should "normalize a simple signature" do
-		sig =<<EOS
-rule newIE0daymshtmlExec
-{
-	meta:
-		author = "redacted @ gmail.com"
-		ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
-		description = "Internet Explorer CMshtmlEd::Exec() 0day"
-		cve = "CVE-2012-XXXX"
-		version = "1"
-		impact = 4
-		hide = false
-	strings:
-		$mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
-		$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
-		$mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
-		$mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
-		$mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
-		$mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
-		$mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
-	condition:
-		($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
-}
-EOS
-		puts sig
-		yn = YaraTools::YaraRule.new(sig)
-		assert_equal("yn01:66dd624d64a79f17:ecf1725295", yn.hash)
-		assert_equal("newIE0daymshtmlExec", yn.name)
-		assert_equal("\"redacted @ gmail.com\"", yn.meta['author'])
-		assert_equal(["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
-		 "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
-		 "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
-		 "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
-		 "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
-		 "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
-		 "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"], yn.strings)
-		assert_equal(
-			["($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))"],
-			yn.condition
-		)
-		hash1 = yn.hash
-		sig =<<EOS
-rule newIE0daymshtmlExec : tag1 tag2 tag3
-{
-  meta:
-    author = "redacted @ gmail.com"
-    ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
-    description = "Internet Explorer CMshtmlEd::Exec() 0day"
-    cve = "CVE-2012-XXXX"
-    version = "1"
-    impact = 4
-    hide = false
-  strings:
-    $mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
-    $mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
-    $mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
-    $mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
-    $mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
-    $mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
-    $mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
-  condition:
-    ($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
-}
-EOS
-		yn = YaraTools::YaraRule.new(sig)
-		assert_equal(hash1, yn.hash)
-		assert_equal("newIE0daymshtmlExec", yn.name)
-		assert_equal(["tag1","tag2","tag3"], yn.tags)
-		assert_equal("\"redacted @ gmail.com\"", yn.meta['author'])
-		assert_equal(["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
-		 "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
-		 "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
-		 "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
-		 "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
-		 "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
-		 "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"], yn.strings)
-		assert_equal(
-			["($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))"],
-			yn.condition
-		)
-	end
-	should "normalize a simple signature that has a condition of 'any of them'" do
-		sig =<<EOS
-rule DataConversion__wide : IntegerParsing DataConversion {
-	meta:
-		weight = 1
-	strings:
-		$ = "wtoi" nocase
-		$ = "wtol" nocase
-		$ = "wtof" nocase
-		$ = "wtodb" nocase
-	condition:
-		any of them
-}
-EOS
-		yn = YaraTools::YaraRule.new(sig)
-		assert_equal("yn01:a5fd8576f2da34e2:d936fceffe", yn.hash)
-		assert_equal("1", yn.meta['weight'])
-		assert_equal("DataConversion__wide", yn.name)
-		assert_equal(["IntegerParsing", "DataConversion"], yn.tags)
-		assert_equal(["$ = \"wtoi\" nocase",
-		 "$ = \"wtol\" nocase",
-		 "$ = \"wtof\" nocase",
-		 "$ = \"wtodb\" nocase"], yn.strings)
-		assert_equal(["any of them"], yn.condition)
-	end
-end

data/yara-normalize.gemspec DELETED Viewed

@@ -1,60 +0,0 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
-# stub: yara-normalize 0.2.0 ruby lib
-Gem::Specification.new do |s|
-  s.name = "yara-normalize".freeze
-  s.version = "0.2.0"
-  s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
-  s.require_paths = ["lib".freeze]
-  s.authors = ["chrislee35".freeze]
-  s.date = "2022-05-01"
-  s.description = "To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.".freeze
-  s.email = "rubygems@chrislee.dhs.org".freeze
-  s.executables = ["yaratool".freeze]
-  s.extra_rdoc_files = [
-    "LICENSE.txt",
-    "README.rdoc"
-  ]
-  s.files = [
-    ".document",
-    "Gemfile",
-    "Gemfile.lock",
-    "LICENSE.txt",
-    "README.rdoc",
-    "Rakefile",
-    "VERSION",
-    "bin/yaratool",
-    "lib/yara-normalize.rb",
-    "lib/yara-normalize/yara-normalize.rb",
-    "test/helper.rb",
-    "test/test_yara-normalize.rb",
-    "yara-normalize.gemspec"
-  ]
-  s.homepage = "http://github.com/chrislee35/yara-normalize".freeze
-  s.licenses = ["MIT".freeze]
-  s.rubygems_version = "3.2.3".freeze
-  s.summary = "Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made".freeze
-  if s.respond_to? :specification_version then
-    s.specification_version = 4
-  end
-  if s.respond_to? :add_runtime_dependency then
-    s.add_development_dependency(%q<shoulda>.freeze, [">= 4"])
-    s.add_development_dependency(%q<rdoc>.freeze, ["~> 6.4"])
-    s.add_development_dependency(%q<bundler>.freeze, ["~> 2.3"])
-    s.add_development_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    s.add_development_dependency(%q<test-unit>.freeze, ["~> 3.5.3"])
-  else
-    s.add_dependency(%q<shoulda>.freeze, [">= 4"])
-    s.add_dependency(%q<rdoc>.freeze, ["~> 6.4"])
-    s.add_dependency(%q<bundler>.freeze, ["~> 2.3"])
-    s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    s.add_dependency(%q<test-unit>.freeze, ["~> 3.5.3"])
-  end
-end