yara-normalize 0.0.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/Gemfile

@@ -0,0 +1,14 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "shoulda", ">= 0"
+  gem "rdoc", "~> 3.12"
+  gem "bundler", "~> 1.1.5"
+  gem "jeweler", "~> 1.8.4"
+  gem "rcov", ">= 0"
+end

data/Gemfile.lock

@@ -0,0 +1,35 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (3.2.8)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    git (1.2.5)
+    i18n (0.6.0)
+    jeweler (1.8.4)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+      rdoc
+    json (1.7.5)
+    multi_json (1.3.6)
+    rake (0.9.2.2)
+    rcov (1.0.0)
+    rdoc (3.12)
+      json (~> 1.4)
+    shoulda (3.1.1)
+      shoulda-context (~> 1.0)
+      shoulda-matchers (~> 1.2)
+    shoulda-context (1.0.0)
+    shoulda-matchers (1.2.0)
+      activesupport (>= 3.0.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.1.5)
+  jeweler (~> 1.8.4)
+  rcov
+  rdoc (~> 3.12)
+  shoulda

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2012 chrislee35
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,48 @@
+= yara-normalize
+
+Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made}
+To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.
+
+This modules takes just the strings from the strings section, sorts them, then generate a sha1 hash. 
+Then, in the conditions section, reorder the boolean expression to make groups first and then replace all variables
+with $a $b $c, etc.  Then hash the result of this.
+
+Then, the signature ID is the concatenation of the sha1 sum of the sorted strings and the sha1 sum of the normalized conditions.
+
+== Usage
+
+See test cases.
+
+  require 'yara-normalize'
+  sig =<<EOS
+  rule DataConversion__wide : IntegerParsing DataConversion {
+    meta:
+      weight = 1
+    strings:
+      $ = "wtoi" nocase
+      $ = "wtol" nocase
+      $ = "wtof" nocase
+      $ = "wtodb" nocase
+    condition:
+      any of them
+  }
+  EOS
+  yn = Yara::Normalizer.new
+  nrm = yn.normalize(sig)
+  puts nrm.hash_code # => dacfb7f79e2ad96cb66c4784323d91e09e8ad2f8c214c8ea0a52e3a3bda71e6612f02361609e0f7a
+
+== Contributing to yara-normalize
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2012 chrislee35. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,54 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "yara-normalize"
+  gem.homepage = "http://github.com/chrislee35/yara-normalize"
+  gem.license = "MIT"
+  gem.summary = %Q{Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made}
+  gem.description = %Q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
+  gem.email = "rubygems@chrislee.dhs.org"
+  gem.authors = ["chrislee35"]
+	gem.signing_key = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
+	gem.cert_chain  = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+require 'rcov/rcovtask'
+Rcov::RcovTask.new do |test|
+  test.libs << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+  test.rcov_opts << '--exclude "gems/*"'
+end
+
+task :default => :test
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "yara-normalize #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.0

data/lib/yara-normalize.rb

@@ -0,0 +1 @@
+require 'yara-normalize/yara-normalize'

data/lib/yara-normalize/yara-normalize.rb

@@ -0,0 +1,84 @@
+require 'digest/sha1'
+
+module Yara
+	class Rule < Struct.new(:name, :tags, :meta, :strings, :condition)
+		def hash_code
+			normalized_strings = strings.map{|x| x.gsub(/^\s*\$\w+\s*=\s*/,'')}.sort.join("%")
+			strings_hash = Digest::SHA1.hexdigest(normalized_strings)
+			condition_hash = Digest::SHA1.hexdigest(normalized_condition)
+			#pp normalized_strings
+			#pp normalized_condition
+			"#{strings_hash}#{condition_hash}"
+		end
+		
+		def condition_var_replace(condition)
+			vars = {}
+			nextvar = 'a'
+			condition.gsub(/\$\w+/) do |x|
+				unless vars[x]
+					vars[x] = "\$#{nextvar}"
+					nextvar = (nextvar[0] + 1).chr
+				end
+				vars[x]
+			end
+		end
+		
+		# ($a and $b) or ($c and $d and ($e or $f)) => (($e or $f) and $c and $d) or ($a and $b)
+		# [['$a','and','$b'],'or',['$c','and','$d','and',['$e','or','$f']]]
+		def normalized_condition
+			return condition if condition =~ /(any of them|all of them|any \d+ of them)/i
+			condition_var_replace(condition_rearrange(condition_var_replace(self.condition)).join(","))
+		end
+		
+		def condition_rearrange(condition)
+			c = condition.gsub(/\(/,'[').gsub(/\)/,'],').gsub(/((\$\w+|and|or|not))/) do |x| "'#{x}',"; end.gsub(/,\]/,']').gsub(/,\s*$/,'')
+			arr = eval("[#{c}]")
+			condition_rearrange2(arr)
+		end
+		
+		def condition_rearrange2(subpart)
+			if subpart.is_a? Array
+				subpart.sort {|a,b| 
+					if a.is_a? Array and b.is_a? Array
+						b.flatten.length <=> a.flatten.length
+					elsif a.is_a? Array
+						-1
+					elsif b.is_a? Array
+						1
+					else
+						b.length <=> a.length
+					end
+				}.map{ |sp|
+					condition_rearrange2(sp)
+				}
+			else
+				subpart
+			end
+		end
+	end
+	
+	class Normalizer
+		def initialize
+		end
+		
+		def normalize(rule)
+			raise "Invalid rule: rules must begin with the word 'rule'" unless rule =~ /^\s*rule\s/
+			raise "Invalid rule: rules must end with a closing bracket, }" unless rule =~ /\}\s*$/
+			if rule =~ /^\s*rule\s+(\w+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*meta:\s*(.*?)\s*strings:\s*(.*?)\s*condition:\s*(.*?)\s*\}\s*$/m
+				#pp $~.captures
+				name,_,tags,meta,strings,condition = $~.captures
+				tags = tags.split(/\s+/) if tags
+				metatags = {}
+				meta.split(/\n+/).each do |x|
+					a,b = x.split(/\s*=\s*/)
+					metatags[a.strip] = b.strip
+				end
+				strings = strings.split(/\n+/).map{|x| x.strip}
+				condition = condition.strip
+				Rule.new(name,tags,metatags,strings,condition)
+			else
+				nil
+			end
+		end
+	end
+end

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'yara-normalize'
+
+class Test::Unit::TestCase
+end

data/test/test_yara-normalize.rb

@@ -0,0 +1,172 @@
+require 'helper'
+class TestYaraNormalize < Test::Unit::TestCase
+	should "normalize a simple signature" do
+		sig =<<EOS
+rule newIE0daymshtmlExec
+{
+	meta:
+		author = "adnan.shukor@gmail.com"
+		ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
+		description = "Internet Explorer CMshtmlEd::Exec() 0day"
+		cve = "CVE-2012-XXXX"
+		version = "1"
+		impact = 4
+		hide = false
+	strings:
+		$mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
+		$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
+		$mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
+		$mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
+		$mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
+		$mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
+		$mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
+	condition:
+		($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
+}
+EOS
+		yn = Yara::Normalizer.new
+		nrm = yn.normalize(sig)
+		hash = {}
+		nrm.members.sort.each do |member|
+			hash[member] = nrm[member]
+		end
+		assert_equal({"condition"=>
+		  "($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))",
+		 "tags"=>nil,
+		 "name"=>"newIE0daymshtmlExec",
+		 "strings"=>
+		  ["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
+		   "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
+		   "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
+		   "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
+		   "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
+		   "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
+		   "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"],
+		 "meta"=>
+		  {"author"=>"\"adnan.shukor@gmail.com\"",
+		   "description"=>"\"Internet Explorer CMshtmlEd::Exec() 0day\"",
+		   "ref"=>
+		    "\"http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/\"",
+		   "impact"=>"4",
+		   "hide"=>"false",
+		   "cve"=>"\"CVE-2012-XXXX\"",
+		   "version"=>"\"1\""}}, hash)
+		assert_equal("ee2e32d623a0debca271cada22b35b3b904d6abd678cf2a48a87b43cd6302e73f67510c19ffe2f1a", nrm.hash_code)
+	end
+
+	should "normalize a simple signature with tags and spaces instead of tabs" do
+		sig =<<EOS
+rule newIE0daymshtmlExec : tag1 tag2 tag3
+{
+  meta:
+    author = "adnan.shukor@gmail.com"
+    ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
+    description = "Internet Explorer CMshtmlEd::Exec() 0day"
+    cve = "CVE-2012-XXXX"
+    version = "1"
+    impact = 4
+    hide = false
+  strings:
+    $mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
+    $mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
+    $mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
+    $mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
+    $mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
+    $mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
+    $mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
+  condition:
+    ($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
+}
+EOS
+		yn = Yara::Normalizer.new
+		nrm = yn.normalize(sig)
+		hash = {}
+		nrm.members.sort.each do |member|
+			hash[member] = nrm[member]
+		end
+		assert_equal({"condition"=>
+		  "($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))",
+		 "tags"=>["tag1","tag2","tag3"],
+		 "name"=>"newIE0daymshtmlExec",
+		 "strings"=>
+		  ["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
+		   "$mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword",
+		   "$mshtmlExec_3 = /<body on(load|select)=['\"]w*?();['\"] on(load|select)=['\"]w*?()['\"]/ nocase",
+		   "$mshtmlExec_4 = /var w{1,} = new Array()/ nocase",
+		   "$mshtmlExec_5 = /window.document.createElement(['\"]img['\"])/ nocase",
+		   "$mshtmlExec_6 = /w{1,}[0][['\"]src['\"]] = ['\"]w{1,}['\"]/ nocase",
+		   "$mshtmlExec_7 = /<iframe src=['\"].*?['\"]/ nocase"],
+		 "meta"=>
+		  {"author"=>"\"adnan.shukor@gmail.com\"",
+		   "description"=>"\"Internet Explorer CMshtmlEd::Exec() 0day\"",
+		   "ref"=>
+		    "\"http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/\"",
+		   "impact"=>"4",
+		   "hide"=>"false",
+		   "cve"=>"\"CVE-2012-XXXX\"",
+		   "version"=>"\"1\""}}, hash)
+		assert_equal("ee2e32d623a0debca271cada22b35b3b904d6abd678cf2a48a87b43cd6302e73f67510c19ffe2f1a", nrm.hash_code)
+	end
+
+	should "normalize a simple signature that has been rearranged" do
+		sig =<<EOS
+rule newIE0daymshtmlExec
+{
+  meta:
+    author = "adnan.shukor@gmail.com"
+    ref = "http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/"
+    description = "Internet Explorer CMshtmlEd::Exec() 0day"
+    cve = "CVE-2012-XXXX"
+    version = "1"
+    impact = 4
+    hide = false
+  strings:
+    $mshtmlExec_3 = /\<body\son(load|select)=['"]\w*?\(\)\;['"]\son(load|select)=['"]\w*?\(\)['"]/ nocase
+    $mshtmlExec_5 = /window\.document\.createElement\(['"]img['"]\)/ nocase
+    $mshtmlExec_6 = /\w{1,}\[0\]\[['"]src['"]\]\s\=\s['"]\w{1,}['"]/ nocase
+    $mshtmlExec_4 = /var\s\w{1,}\s=\snew\sArray\(\)/ nocase
+    $mshtmlExec_1 = /document\.execCommand\(['"]selectAll['"]\)/ nocase fullword
+    $mshtmlExec_7 = /\<iframe\ssrc=['"].*?['"]/ nocase
+    $mshtmlExec_2 = /YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH/ nocase fullword
+  condition:
+    ($mshtmlExec_4 and ($mshtmlExec_6 or $mshtmlExec_7) and $mshtmlExec_5) or ($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3)
+}
+EOS
+		yn = Yara::Normalizer.new
+		nrm = yn.normalize(sig)
+		assert_equal("ee2e32d623a0debca271cada22b35b3b904d6abd678cf2a48a87b43cd6302e73f67510c19ffe2f1a", nrm.hash_code)
+	end
+	
+	should "normalize a simple signature that has been rearranged" do
+		sig =<<EOS
+rule DataConversion__wide : IntegerParsing DataConversion {
+	meta:
+		weight = 1
+	strings:
+		$ = "wtoi" nocase
+		$ = "wtol" nocase
+		$ = "wtof" nocase
+		$ = "wtodb" nocase
+	condition:
+		any of them
+}
+EOS
+		yn = Yara::Normalizer.new
+		nrm = yn.normalize(sig)
+		hash = {}
+		nrm.members.sort.each do |member|
+			hash[member] = nrm[member]
+		end
+		assert_equal({"tags"=>["IntegerParsing", "DataConversion"],
+		 "name"=>"DataConversion__wide",
+		 "condition"=>"any of them",
+		 "strings"=>
+		  ["$ = \"wtoi\" nocase",
+		   "$ = \"wtol\" nocase",
+		   "$ = \"wtof\" nocase",
+		   "$ = \"wtodb\" nocase"],
+		 "meta"=>{"weight"=>"1"}},hash)
+		assert_equal("dacfb7f79e2ad96cb66c4784323d91e09e8ad2f8c214c8ea0a52e3a3bda71e6612f02361609e0f7a", nrm.hash_code)
+	end
+end
+

data/yara-normalize.gemspec

@@ -0,0 +1,66 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{yara-normalize}
+  s.version = "0.0.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["chrislee35"]
+  s.cert_chain = ["/Users/chris/Documents/projects/rubygems/yara-normalize/../gem-public_cert.pem"]
+  s.date = %q{2012-09-30}
+  s.description = %q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
+  s.email = %q{rubygems@chrislee.dhs.org}
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "lib/yara-normalize.rb",
+    "lib/yara-normalize/yara-normalize.rb",
+    "test/helper.rb",
+    "test/test_yara-normalize.rb",
+    "yara-normalize.gemspec"
+  ]
+  s.homepage = %q{http://github.com/chrislee35/yara-normalize}
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.6}
+  s.signing_key = %q{/Users/chris/Documents/projects/rubygems/yara-normalize/../gem-private_key.pem}
+  s.summary = %q{Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.1.5"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.8.4"])
+      s.add_development_dependency(%q<rcov>, [">= 0"])
+    else
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_dependency(%q<bundler>, ["~> 1.1.5"])
+      s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<rdoc>, ["~> 3.12"])
+    s.add_dependency(%q<bundler>, ["~> 1.1.5"])
+    s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+  end
+end
+

metadata

@@ -0,0 +1,160 @@
+--- !ruby/object:Gem::Specification 
+name: yara-normalize
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 0
+  version: 0.0.0
+platform: ruby
+authors: 
+- chrislee35
+autorequire: 
+bindir: bin
+cert_chain: 
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
+  Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
+  ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTExMDIyNzE1MzAxOVoXDTEyMDIy
+  NzE1MzAxOVowVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
+  aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
+  ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNM1Hjs6q58sf7Jp64A
+  vEY2cnRWDdFpD8UWpwaJK5kgSHOVgs+0mtszn+YlYjmx8kpmuYpyU4g9mNMImMQe
+  ow8pVsL4QBBK/1Ozgdxrsptk3IiTozMYA+g2I/+WvZSEDu9uHkKe8pvMBEMrg7RJ
+  IN7+jWaPnSzg3DbFwxwOdi+QRw33DjK7oFWcOaaBqWTUpI4epdi/c/FE1I6UWULJ
+  ZF/Uso0Sc2Pp/YuVhuMHGrUbn7zrWWo76nnK4DTLfXFDbZF5lIXT1w6BtIiN6Ho9
+  Rdr/W6663hYUo3WMsUSa3I5+PJXEBKmGHIZ2TNFnoFIRHha2fmm1HC9+BTaKwcO9
+  PLcCAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQURzsNkZo2rv86Ftc+hVww
+  RNICMrwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQBRRw/iNA/PdnvW
+  OBoNCSr/IiHOGZqMHgPJwyWs68FhThnLc2EyIkuLTQf98ms1/D3p0XX9JsxazvKT
+  W/in8Mm/R2fkVziSdzqChtw/4Z4bW3c+RF7TgX6SP5cKxNAfKmAPuItcs2Y+7bdS
+  hr/FktVtT2iAmISRnlEbdaTpfl6N2ZWNT83khV6iOs5xRkX/+0e+GgAv9mE6nqr1
+  AkuDXMhposxcnFZUrZ3UtMPEe/JnyP7Vv6pvr3qtZm8FidFZU91+rX/fwdyBU8RP
+  /5l8uLWXXNt1wEbtu4N1I66LwTK2iRrQZE8XtlgZGbxYDFUkiurq3OafF2YwRs6W
+  6yhklP75
+  -----END CERTIFICATE-----
+
+date: 2012-09-30 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: shoulda
+  version_requirements: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id001
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: rdoc
+  version_requirements: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 12
+        version: "3.12"
+  requirement: *id002
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: bundler
+  version_requirements: &id003 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 1
+        - 5
+        version: 1.1.5
+  requirement: *id003
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: jeweler
+  version_requirements: &id004 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 8
+        - 4
+        version: 1.8.4
+  requirement: *id004
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: rcov
+  version_requirements: &id005 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id005
+description: To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.
+email: rubygems@chrislee.dhs.org
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- .document
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/yara-normalize.rb
+- lib/yara-normalize/yara-normalize.rb
+- test/helper.rb
+- test/test_yara-normalize.rb
+- yara-normalize.gemspec
+has_rdoc: true
+homepage: http://github.com/chrislee35/yara-normalize
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made
+test_files: []
+