yara-normalize 0.1.0 → 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f56ffeec6846ec1ae4d2aea3bfa6cc89ca9643d4b31211b39e8381025377a2ff
+  data.tar.gz: 50aa592ac824fa3ee427f90c8279b92dc79c6dae1c4254b585e54df8c9a31ba3
+SHA512:
+  metadata.gz: 6e9513389ae6008ae04f6b9c9ed4940c3ed5e49181930064c3c43fec3772ec7dde919cac1bab5ad7e979b1cdd1146d6e4220273f83131efa368d388f08069137
+  data.tar.gz: b9d19eb5019b239d877da6b6c42622b98cc214c407a6d4315f87ecd69b81140f42f80f8a2831b5cdf1c708b07caade83e2abe52e60f0bf15aff960707dc1274b

data/Gemfile

@@ -6,9 +6,9 @@ source "http://rubygems.org"
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.
 group :development do
-  gem "shoulda", ">= 0"
-  gem "rdoc", "~> 3.12"
-  gem "bundler", "~> 1.1.5"
-  gem "jeweler", "~> 1.8.4"
-  gem "rcov", ">= 0"
+  gem "shoulda", ">= 4"
+  gem "rdoc", "~> 6.4"
+  gem "bundler", "~> 2.3"
+  gem "jeweler", "~> 2.3.9"
+  gem "test-unit", "~> 3.5.3"
 end

data/Gemfile.lock

@@ -1,35 +1,88 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    activesupport (3.2.8)
-      i18n (~> 0.6)
-      multi_json (~> 1.0)
-    git (1.2.5)
-    i18n (0.6.0)
-    jeweler (1.8.4)
-      bundler (~> 1.0)
+    activesupport (7.0.2.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    addressable (2.4.0)
+    builder (3.2.4)
+    concurrent-ruby (1.1.10)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    git (1.11.0)
+      rchardet (~> 1.8)
+    github_api (0.16.0)
+      addressable (~> 2.4.0)
+      descendants_tracker (~> 0.0.4)
+      faraday (~> 0.8, < 0.10)
+      hashie (>= 3.4)
+      mime-types (>= 1.16, < 3.0)
+      oauth2 (~> 1.0)
+    hashie (5.0.0)
+    highline (2.0.3)
+    i18n (1.10.0)
+      concurrent-ruby (~> 1.0)
+    jeweler (2.3.9)
+      builder
+      bundler
       git (>= 1.2.5)
+      github_api (~> 0.16.0)
+      highline (>= 1.6.15)
+      nokogiri (>= 1.5.10)
+      psych
       rake
       rdoc
-    json (1.7.5)
-    multi_json (1.3.6)
-    rake (0.9.2.2)
-    rcov (1.0.0)
-    rdoc (3.12)
-      json (~> 1.4)
-    shoulda (3.1.1)
-      shoulda-context (~> 1.0)
-      shoulda-matchers (~> 1.2)
-    shoulda-context (1.0.0)
-    shoulda-matchers (1.2.0)
-      activesupport (>= 3.0.0)
+      semver2
+    jwt (2.3.0)
+    mime-types (2.99.3)
+    minitest (5.15.0)
+    multi_json (1.15.0)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    nokogiri (1.13.4-x86_64-linux)
+      racc (~> 1.4)
+    oauth2 (1.4.8)
+      faraday (>= 0.8, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    power_assert (2.0.1)
+    psych (4.0.3)
+      stringio
+    racc (1.6.0)
+    rack (2.2.3)
+    rake (13.0.6)
+    rchardet (1.8.0)
+    rdoc (6.4.0)
+      psych (>= 4.0.0)
+    semver2 (3.4.2)
+    shoulda (4.0.0)
+      shoulda-context (~> 2.0)
+      shoulda-matchers (~> 4.0)
+    shoulda-context (2.0.0)
+    shoulda-matchers (4.5.1)
+      activesupport (>= 4.2.0)
+    stringio (3.0.1)
+    test-unit (3.5.3)
+      power_assert
+    thread_safe (0.3.6)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
 
 PLATFORMS
-  ruby
+  x86_64-linux
 
 DEPENDENCIES
-  bundler (~> 1.1.5)
-  jeweler (~> 1.8.4)
-  rcov
-  rdoc (~> 3.12)
-  shoulda
+  bundler (~> 2.3)
+  jeweler (~> 2.3.9)
+  rdoc (~> 6.4)
+  shoulda (>= 4)
+  test-unit (~> 3.5.3)
+
+BUNDLED WITH
+   2.3.12

data/README.rdoc

@@ -7,7 +7,7 @@ This modules takes just the strings from the strings section, sorts them, then g
 Then, in the conditions section, reorder the boolean expression to make groups first and then replace all variables
 with $a $b $c, etc.  Then hash the result of this.
 
-Then, the signature ID is the concatenation of the sha1 sum of the sorted strings and the sha1 sum of the normalized conditions.
+Then, the signature ID is the concatenation of the truncated md5 sum of the sorted strings and the truncated md5 sum of the normalized conditions. E.g., yn01:488085c947cb22ed:d936fceffe.
 
 == Usage
 

data/Rakefile

@@ -21,24 +21,16 @@ Jeweler::Tasks.new do |gem|
   gem.description = %Q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
   gem.email = "rubygems@chrislee.dhs.org"
   gem.authors = ["chrislee35"]
-	gem.signing_key = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
-	gem.cert_chain  = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
+  #gem.signing_key = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
+  #gem.cert_chain  = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
 end
 Jeweler::RubygemsDotOrgTasks.new
 
 require 'rake/testtask'
 Rake::TestTask.new(:test) do |test|
-  test.libs << 'lib' << 'test'
-  test.pattern = 'test/**/test_*.rb'
-  test.verbose = true
-end
-
-require 'rcov/rcovtask'
-Rcov::RcovTask.new do |test|
   test.libs << 'test'
-  test.pattern = 'test/**/test_*.rb'
+  test.pattern = FileList['test/test*.rb']
   test.verbose = true
-  test.rcov_opts << '--exclude "gems/*"'
 end
 
 task :default => :test

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.2.0

data/bin/yaratool

@@ -2,22 +2,18 @@
 require 'rubygems'
 require 'yara-normalize'
 
-if __FILE__ == $0
-	count = duplicates = 0
-	hashes = {}
-	ARGV.each do |file|
-		buf = open(file).read
-		YaraTools::Splitter.split(buf).each do |rule|
-			count += 1
-			#puts rule.normalize
-			hash = rule.hash
-			puts "#{rule.name} #{hash} #{rule.normalized_strings.join("%")}"
-			if hashes[hash]
-				duplicate += 1
-			end
-			hashes[hash] = rule
-		end
-	end
-	puts "Count: #{count}, Duplicates: #{duplicates}"
+count = duplicates = 0
+hashes = {}
+ARGV.each do |file|
+  buf = open(file).read
+  YaraTools::Splitter.split(buf).each do |rule|
+    count += 1
+    hash = rule.hash
+    puts "#{rule.name} #{hash} #{rule.normalized_strings.join("%")}"
+    if hashes[hash]
+      duplicates += 1
+    end
+    hashes[hash] = rule
+  end
 end
-		
+puts "Count: #{count}, Duplicates: #{duplicates}"

data/lib/yara-normalize/yara-normalize.rb

@@ -8,19 +8,21 @@ module YaraTools
 			ruletext = ruletext.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'')
 			@original = ruletext
 			@lookup_table = {}
-			@next_replacement = 'a'
+			@next_replacement = 0
 			
-			if ruletext =~ /rule\s+([\w\_\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\}/m
-				name,_,tags,ifmeta,meta,strings,condition = $~.captures
+			if ruletext =~ /rule\s+([\w\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\}/m
+                name,_,tags,_,meta,strings,condition = $~.captures
 				@name = name
 				@tags = tags.strip.split(/[,\s]+/) if tags
 				@meta = {}
-				meta.split(/\n/).each do |m|
-					k,v = m.strip.split(/\s*=\s*/,2)
-					if v
-						@meta[k] = v
-					end
-				end
+                if meta
+                    meta.split(/\n/).each do |m|
+                        k,v = m.strip.split(/\s*=\s*/,2)
+                        if v
+                            @meta[k] = v
+                        end
+                    end
+                end
 				@normalized_strings = []
 				@strings = strings.split(/\n/).map do |s|
 					# strip off the spaces from the edges and then replace the first = with ' = '.
@@ -33,7 +35,7 @@ module YaraTools
 						hexstr = $1.gsub(/\s+/,'').downcase.scan(/../).join(" ")
 						s = s.gsub(/= \{([0-9a-fA-F\s]+)\}/, "= { #{hexstr} }")
 					end
-					key, val = s.split(/ = /,2)
+					_, val = s.split(/ = /,2)
 					if val
 						@normalized_strings << val
 					else
@@ -51,8 +53,8 @@ module YaraTools
 			condition.gsub(/[\$\#]\w+/) do |x|
 				key = x[1,1000]
 				if not @lookup_table[key]
-					@lookup_table[key] = @next_replacement
-					@next_replacement = (@next_replacement[0] + 1).chr
+					@lookup_table[key] = @next_replacement.to_s
+					@next_replacement += 1
 				end
 				x[0].chr+@lookup_table[key]
 			end
@@ -100,7 +102,7 @@ module YaraTools
 	
 	class Splitter
 		def Splitter.split(ruleset)
-			rules = ruleset.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'').scan(/(rule\s+([\w\_\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\})/m).map do |rule|
+			ruleset.gsub(/[\r\n]+/,"\n").gsub(/^\s*\/\/.*$/,'').scan(/(rule\s+([\w\-]+)(\s*:\s*(\w[\w\s]+\w))?\s*\{\s*(meta:\s*(.*?))?strings:\s*(.*?)\s*condition:\s*(.*?)\s*\})/m).map do |rule|
 				YaraRule.new(rule[0])
 			end
 		end

data/test/helper.rb

@@ -7,11 +7,13 @@ rescue Bundler::BundlerError => e
   $stderr.puts "Run `bundle install` to install missing gems"
   exit e.status_code
 end
+
 require 'test/unit'
 require 'shoulda'
 
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
+
 require 'yara-normalize'
 
 class Test::Unit::TestCase

data/test/test_yara-normalize.rb

@@ -26,8 +26,9 @@ rule newIE0daymshtmlExec
 		($mshtmlExec_1 and $mshtmlExec_2 and $mshtmlExec_3) or ($mshtmlExec_4 and $mshtmlExec_5 and ($mshtmlExec_6 or $mshtmlExec_7))
 }
 EOS
+		puts sig
 		yn = YaraTools::YaraRule.new(sig)
-		assert_equal("yn01:3c0de1ad64681376:3ff75e9945", yn.hash)
+		assert_equal("yn01:66dd624d64a79f17:ecf1725295", yn.hash)
 		assert_equal("newIE0daymshtmlExec", yn.name)
 		assert_equal("\"redacted @ gmail.com\"", yn.meta['author'])
 		assert_equal(["$mshtmlExec_1 = /document.execCommand(['\"]selectAll['\"])/ nocase fullword",
@@ -98,7 +99,7 @@ rule DataConversion__wide : IntegerParsing DataConversion {
 }
 EOS
 		yn = YaraTools::YaraRule.new(sig)
-		assert_equal("yn01:488085c947cb22ed:d936fceffe", yn.hash)
+		assert_equal("yn01:a5fd8576f2da34e2:d936fceffe", yn.hash)
 		assert_equal("1", yn.meta['weight'])
 		assert_equal("DataConversion__wide", yn.name)
 		assert_equal(["IntegerParsing", "DataConversion"], yn.tags)

data/yara-normalize.gemspec

@@ -1,20 +1,20 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# Instead, edit Jeweler::Tasks in rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
+# stub: yara-normalize 0.2.0 ruby lib
 
 Gem::Specification.new do |s|
-  s.name = %q{yara-normalize}
-  s.version = "0.1.0"
+  s.name = "yara-normalize".freeze
+  s.version = "0.2.0"
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["chrislee35"]
-  s.cert_chain = ["/Users/chris/Documents/projects/rubygems/yara-normalize/../gem-public_cert.pem"]
-  s.date = %q{2012-10-29}
-  s.default_executable = %q{yaratool}
-  s.description = %q{To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.}
-  s.email = %q{rubygems@chrislee.dhs.org}
-  s.executables = ["yaratool"]
+  s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib".freeze]
+  s.authors = ["chrislee35".freeze]
+  s.date = "2022-05-01"
+  s.description = "To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.".freeze
+  s.email = "rubygems@chrislee.dhs.org".freeze
+  s.executables = ["yaratool".freeze]
   s.extra_rdoc_files = [
     "LICENSE.txt",
     "README.rdoc"
@@ -30,41 +30,31 @@ Gem::Specification.new do |s|
     "bin/yaratool",
     "lib/yara-normalize.rb",
     "lib/yara-normalize/yara-normalize.rb",
-    "ruby_results.txt",
     "test/helper.rb",
     "test/test_yara-normalize.rb",
     "yara-normalize.gemspec"
   ]
-  s.homepage = %q{http://github.com/chrislee35/yara-normalize}
-  s.licenses = ["MIT"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.6}
-  s.signing_key = %q{/Users/chris/Documents/projects/rubygems/yara-normalize/../gem-private_key.pem}
-  s.summary = %q{Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made}
+  s.homepage = "http://github.com/chrislee35/yara-normalize".freeze
+  s.licenses = ["MIT".freeze]
+  s.rubygems_version = "3.2.3".freeze
+  s.summary = "Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made".freeze
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
-    s.specification_version = 3
+    s.specification_version = 4
+  end
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
-      s.add_development_dependency(%q<shoulda>, [">= 0"])
-      s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
-      s.add_development_dependency(%q<bundler>, ["~> 1.1.5"])
-      s.add_development_dependency(%q<jeweler>, ["~> 1.8.4"])
-      s.add_development_dependency(%q<rcov>, [">= 0"])
-    else
-      s.add_dependency(%q<shoulda>, [">= 0"])
-      s.add_dependency(%q<rdoc>, ["~> 3.12"])
-      s.add_dependency(%q<bundler>, ["~> 1.1.5"])
-      s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
-      s.add_dependency(%q<rcov>, [">= 0"])
-    end
+  if s.respond_to? :add_runtime_dependency then
+    s.add_development_dependency(%q<shoulda>.freeze, [">= 4"])
+    s.add_development_dependency(%q<rdoc>.freeze, ["~> 6.4"])
+    s.add_development_dependency(%q<bundler>.freeze, ["~> 2.3"])
+    s.add_development_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
+    s.add_development_dependency(%q<test-unit>.freeze, ["~> 3.5.3"])
   else
-    s.add_dependency(%q<shoulda>, [">= 0"])
-    s.add_dependency(%q<rdoc>, ["~> 3.12"])
-    s.add_dependency(%q<bundler>, ["~> 1.1.5"])
-    s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
-    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<shoulda>.freeze, [">= 4"])
+    s.add_dependency(%q<rdoc>.freeze, ["~> 6.4"])
+    s.add_dependency(%q<bundler>.freeze, ["~> 2.3"])
+    s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
+    s.add_dependency(%q<test-unit>.freeze, ["~> 3.5.3"])
   end
 end
 

metadata

@@ -1,120 +1,96 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: yara-normalize
-version: !ruby/object:Gem::Version 
-  prerelease: false
-  segments: 
-  - 0
-  - 1
-  - 0
-  version: 0.1.0
+version: !ruby/object:Gem::Version
+  version: 0.2.0
 platform: ruby
-authors: 
+authors:
 - chrislee35
 autorequire: 
 bindir: bin
-cert_chain: 
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
-  Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
-  ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTExMDIyNzE1MzAxOVoXDTEyMDIy
-  NzE1MzAxOVowVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
-  aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
-  ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNM1Hjs6q58sf7Jp64A
-  vEY2cnRWDdFpD8UWpwaJK5kgSHOVgs+0mtszn+YlYjmx8kpmuYpyU4g9mNMImMQe
-  ow8pVsL4QBBK/1Ozgdxrsptk3IiTozMYA+g2I/+WvZSEDu9uHkKe8pvMBEMrg7RJ
-  IN7+jWaPnSzg3DbFwxwOdi+QRw33DjK7oFWcOaaBqWTUpI4epdi/c/FE1I6UWULJ
-  ZF/Uso0Sc2Pp/YuVhuMHGrUbn7zrWWo76nnK4DTLfXFDbZF5lIXT1w6BtIiN6Ho9
-  Rdr/W6663hYUo3WMsUSa3I5+PJXEBKmGHIZ2TNFnoFIRHha2fmm1HC9+BTaKwcO9
-  PLcCAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQURzsNkZo2rv86Ftc+hVww
-  RNICMrwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQBRRw/iNA/PdnvW
-  OBoNCSr/IiHOGZqMHgPJwyWs68FhThnLc2EyIkuLTQf98ms1/D3p0XX9JsxazvKT
-  W/in8Mm/R2fkVziSdzqChtw/4Z4bW3c+RF7TgX6SP5cKxNAfKmAPuItcs2Y+7bdS
-  hr/FktVtT2iAmISRnlEbdaTpfl6N2ZWNT83khV6iOs5xRkX/+0e+GgAv9mE6nqr1
-  AkuDXMhposxcnFZUrZ3UtMPEe/JnyP7Vv6pvr3qtZm8FidFZU91+rX/fwdyBU8RP
-  /5l8uLWXXNt1wEbtu4N1I66LwTK2iRrQZE8XtlgZGbxYDFUkiurq3OafF2YwRs6W
-  6yhklP75
-  -----END CERTIFICATE-----
-
-date: 2012-10-29 00:00:00 -04:00
-default_executable: yaratool
-dependencies: 
-- !ruby/object:Gem::Dependency 
-  prerelease: false
-  type: :development
+cert_chain: []
+date: 2022-05-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: shoulda
-  version_requirements: &id001 !ruby/object:Gem::Requirement 
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        version: "0"
-  requirement: *id001
-- !ruby/object:Gem::Dependency 
-  prerelease: false
+      - !ruby/object:Gem::Version
+        version: '4'
   type: :development
-  name: rdoc
-  version_requirements: &id002 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 3
-        - 12
-        version: "3.12"
-  requirement: *id002
-- !ruby/object:Gem::Dependency 
   prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.4'
   type: :development
-  name: bundler
-  version_requirements: &id003 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 1
-        - 1
-        - 5
-        version: 1.1.5
-  requirement: *id003
-- !ruby/object:Gem::Dependency 
   prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.4'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
   type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
   name: jeweler
-  version_requirements: &id004 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 1
-        - 8
-        - 4
-        version: 1.8.4
-  requirement: *id004
-- !ruby/object:Gem::Dependency 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.3.9
+  type: :development
   prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.3.9
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.5.3
   type: :development
-  name: rcov
-  version_requirements: &id005 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        version: "0"
-  requirement: *id005
-description: To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.5.3
+description: To enable consistent comparisons between yara rules (signature), a uniform
+  hashing standard was needed.
 email: rubygems@chrislee.dhs.org
-executables: 
+executables:
 - yaratool
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - LICENSE.txt
 - README.rdoc
-files: 
-- .document
+files:
+- ".document"
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -124,39 +100,31 @@ files:
 - bin/yaratool
 - lib/yara-normalize.rb
 - lib/yara-normalize/yara-normalize.rb
-- ruby_results.txt
 - test/helper.rb
 - test/test_yara-normalize.rb
 - yara-normalize.gemspec
-has_rdoc: true
 homepage: http://github.com/chrislee35/yara-normalize
-licenses: 
+licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  requirements: 
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      segments: 
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
-rubyforge_project: 
-rubygems_version: 1.3.6
+rubygems_version: 3.2.3
 signing_key: 
-specification_version: 3
-summary: Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made
+specification_version: 4
+summary: Normalizes Yara Signatures into a repeatable hash even when non-transforming
+  changes are made
 test_files: []
-

data/ruby_results.txt

@@ -1,24 +0,0 @@
-CF_DOC_CVE_2012_1535_original yn01:06420b6c243181e8:a7e7b4fe3a { 45 78 61 6d 70 6c 65 0b 63 72 65 61 74 65 4c 69 6e 65 73 09 68 65 61 70 53 70 72 61 79 08 68 65 78 54 6f 42 69 6e 07 6d 78 2e 63 6f 72 65 0a 49 46 6c 65 78 41 73 73 65 74 09 46 6f 6e 74 41 73 73 65 74 0a 66 6c 61 73 68 2e 74 65 78 74 } /*Example.createLines.heapSpray.hexToBin.mx.core.IFlexAsset.FontAsset.flash.text*/%{ 4d 61 69 6e 2f 70 72 69 76 61 74 65 3a } /*Main/private:*/%{ 53 00 69 00 6d 00 53 00 75 00 6e 00 } /*S.i.m.S.u.n*/%{ 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 } /*Word.Document.8*/%{ 66 6c 61 73 68 2e 64 69 73 70 6c 61 79 06 53 70 72 69 74 65 06 4f 62 6a 65 63 74 0f 45 76 65 6e 74 44 69 73 70 61 74 63 68 65 72 0d 44 69 73 70 6c 61 79 4f 62 6a 65 63 74 } /*flash.display.Sprite.Object.EventDispatcher.DisplayObject*/%{ 68 69 6a 6b 6c 6d 6e 6f } /*hijklmno strings */
-CF_DOC_CVE_2012_1535_shellcode yn01:aed85d99267c6173:4be571de0b "9090909090E947010000C28F36D8A0DF16D5B5F0DE78D00589E91B28BF56BEF71ED697165FFAA1665256D0541988A5D913E98E3A172B9BB28253A2E362577E574F52444C2E746D7000"
-CVE_2012_1535_SWF yn01:d0b0e41fbb90ee63:0c2737ef53 "Edit the world in hex"%"FontAsset"%"PSpop"%"createTextLine"%"heapSpray"%"hexToBin"%{ 46 57 53 }
-cf_exe_dropper_sfx yn01:32c758a1635b4d6e:9534ef77f9 ";The comment below contains SFX script commands"%"Setup=" ascii wide%"Silent=1" ascii wide%"WinRAR" ascii wide
-cf_hlp_malicious_help_file yn01:22be215570105ad6:2edd241969 "CreateThread" nocase%/RR\(.KERNEL32.DLL.,/ nocase%{ 3f 5f 03 00 }%{ 4c 4e 02 00 }
-cf_html_IE8_CVE_2012_4969 yn01:18d1ab9564026f79:a7e7b4fe3a "YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH"%"document.execCommand(\\"
-cf_ie_cve_2012_1526 yn01:791760cc1bb44202:fa3fd96df1 /\.getElements?By/ nocase%/\.removeChild\(/ nocase%/document\..*?= ?null/ nocase%/mailto\:.{2000,}/ nocase fullword
-CF_JAVA_system_cmds yn01:9369881e5d91ae88:23497b0a75 "/bin/sh"%"Math.random"%"chmod"%"cmd.exe"%"indexOf" //usually used to get result of $fingerprint2%/(os.name|java.io.tmpdir)/%/* Payload */%/* System commands */%/get(Property|env)/%{ ca fe ba be }
-CF_JAVA_network_connectivity yn01:7c4e5171925f60dc:4ffbde1efc "ServerSocket"%"URLConnection" //URL class can also be used to access files in the local file system%"getMbeanServer" //used with MarshallObject%"host"%"lport"%"openConnection"%/* Network indicators */%/get(Input|Output)Stream/%/socket(lhost, lport)/%{ ca fe ba be }
-CF_JAVA_changing_security yn01:cf8a3ae054b77a6d:f6b1a6926b %"AccessController.doPrivileged"%"AllPermission"%"PrivilegedActionException"%"ProtectionDomain"%"file://"%/* Modifying local security : a class that allows applications to implement a security policy */%/[sg]etSecurityManager/%{ ca fe ba be }
-CF_JAVA_execute_write yn01:47d6a8c1cd7ca988:595f5c08f4 %%%"ArrayOfByte"%"Exception.printStackTrace"%"FileOutputStream" /*contains a byte stream with the serialized representation of an object given to its constructor*/%"HexDecode"%"InputStream"%"MarshalledObject"%"ObjectInputStream"%"OutputStreamWriter"%"Runtime.getRuntime"%"StringtoBytes"%"exec"%"getResourceAsStream"%"toByteArray"%"writeObject"%/* Exploit */%/* Loader indicators */%/* Local execution */%/arrayOf(Byte|String)/%/l(port|host)/%{ ca fe ba be }
-CF_JAVA_possible_exploit yn01:b58561333df5354e:e51d8cdbd7 %"ByteArrayInputStream"%"Character.digit"%"ProtectionDomain"%"String.charAt"%"StringBuilder"%"arrayOfByte"%"localPermissions"%"printStackTrace"%{ ca fe ba be }
-CF_PDF_CVE_2007_5659 yn01:ada07a590bb9b5b8:a7e7b4fe3a { 25 50 44 46 2d }%{ 65 70 61 63 73 65 6e 75 }%{ 6e 6f 69 74 63 6e 75 66 }%{ 79 61 72 70 73 }%{ 79 61 72 72 41 }
-CF_PDF_obfuscated_alphabetic_char_blackhole yn01:78654b53f1b3a0d3:c453df481f "%PDF-"%/[a-zA-Z]&#10[0-9];/%/[a-zA-Z]&#11[0-9];/%/[a-zA-Z]&#12[012];/%/[a-zA-Z]&#9[789];/
-CF_PDF_suspicious_js yn01:360cd6b36773334c:e0bbde6bd2 "%PDF-"%/(\(|\[)(.{1,4}(,|-)){64}/
-CF_RTF_ACTOR_CVE_2012_0158_tnauthor_John_Doe yn01:e82aa6a75f86469c:78c8a3f51c { 07 74 6e 61 75 74 68 6f 72 20 4a 6f 68 6e 20 44 6f 65 7d } /* tnauthor John Doe}*/
-CF_RTF_CVE_2012_1856 yn01:0bffc7a0c3656c46:aea71fc2f5 "0CF11E0A1B" nocase%"4d53436f6d63746c4c69622e546162537472697" nocase%"9665fb1e7c85d111b16a00c0f0283628" nocase%"D0CF11E0A1B11AE1" nocase%"D\x0a0\x0aC\x0aF" nocase%"MSComctlLib.TabStrip"%"{\\rt"%"}0105000002000000"%/objdata[[:space:].]{1,20}01.{0,1}05.{0,1}00.{0,1}00.{0,1}02.{0,1}00.{0,1}00.{0,1}00/
-CF_RTF_CVE_2010_3333 yn01:5d18fb7b42dfd5c0:3873ea4382 "\\shp " nocase%"\\shp\\" nocase%"\\sp \\" nocase%"\\sp\\" nocase%"pFragments" nocase%"{\\rt"  /* RTF specs */ nocase
-CF_RTF_CVE_2010_3333_rare_ge_type yn01:5bbb6168467e0386:3873ea4382 "\\shp " nocase%"\\shp\\" nocase%"\\sp \\" nocase%"\\sp\\" nocase%"pFragments" nocase%"{\\ge"  /* RTF specs */ nocase
-CF_RTF_CVE_2012_0158_var1_objocx yn01:dd9b4fb8c95de7f6:c32f773f84 "\\object" nocase%"\\objemb" nocase%"\\objocx" nocase%"{\\rt"  /* RTF specs */ nocase%{ d0 cf 11 e0 a1 b1 1a e1 }
-CF_RTF_CVE_2012_0158_var2_MSComctlLib yn01:cbf14eb4327aae3e:19df01f1b8 "4C697374566965774374726C" nocase%"4D53436F6D63746C4C69622E" nocase%"54726565566965774374726C" nocase
-CF_RTF_CVE_2012_0158_var3_fchars yn01:5a65c8be3acd5373:a7e7b4fe3a /(\\\'[a-f0-9]{2}){30}/%{ 5c 2a 5c 66 63 68 61 72 73 }%{ 7b 5c 72 74 }
-CF_XDP_embedded_PDF yn01:d3a748381610c2e1:bd721f6929 "%PDF"%"</pdf>"%"<chunk>"%"<pdf xmlns="%"JVBERi0"
-Count: 23, Duplicates: 0

metadata.gz.sig

@@ -1,3 +0,0 @@
-����:V��Cm�A�X��2�!�X&�[���F�UY�,�W�lDG���)D�5����iM؃�x��ا�pm{PE��ftX(p>��pu���Q�}�}�
-�Jr8[�٠;�q̮zE��W�&@�K@�}�����ؐ�t��ӊ{D�osϷ>�:��D��f�>+�Y�ʾ.e�M~՝��+'���3��6����Ł*�@�Xsp����?������3��5�m�c*�n޻�_��6�
-ι�c�"�f�7�4���.�.z��