Project

yara-normalize

0.0
Low commit activity in last 3 years
No release in over a year
yara-normalizechrislee35/yara-normalizeHomepageDocumentationSource CodeBug TrackerWiki
To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
8,051
Stars
2
Forks
2
Watchers
4
 Releases
Current version
0.2.0
Total releases
3
First release
2012-09-30
Latest release
2022-05-01
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2016-10-06
Reverse Dependencies
0

 Dependencies

Development

bundler
~> 2.3
jeweler
~> 2.3.9
rdoc
~> 6.4
shoulda
>= 4
test-unit
~> 3.5.3
 Project Readme

yara-normalize¶ ↑

Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made} To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.

This modules takes just the strings from the strings section, sorts them, then generate a sha1 hash. Then, in the conditions section, reorder the boolean expression to make groups first and then replace all variables with $a $b $c, etc. Then hash the result of this.

Then, the signature ID is the concatenation of the truncated md5 sum of the sorted strings and the truncated md5 sum of the normalized conditions. E.g., yn01:488085c947cb22ed:d936fceffe.

Usage¶ ↑

See test cases.

require 'yara-normalize'
sig =<<EOS
rule DataConversion__wide : IntegerParsing DataConversion {
   meta:
    weight =1
        strings:
    $="wtoi" nocase
        $ ="wtol" nocase
    $= "wtof" nocase
     $   =   "wtodb" nocase
condition:
    any of them
}
EOS
yn = YaraTools::YaraRule.new(sig)
puts yn.hash # => yn01:488085c947cb22ed:d936fceffe
puts yn.normalize # => 
  rule DataConversion__wide : IntegerParsing DataConversion {
    meta:
      weight = 1
    strings:
      $ = "wtoi" nocase
      $ = "wtol" nocase
      $ = "wtof" nocase
      $ = "wtodb" nocase
    condition:
      any of them
  }
puts yn.name # => DataConversion__wide
pp yn.tags # => ["IntegerParsing","DataConversion"]

Contributing to yara-normalize¶ ↑

  • Check out the latest master to make sure the feature hasn’t been implemented or the bug hasn’t been fixed yet.

  • Check out the issue tracker to make sure someone already hasn’t requested it and/or contributed it.

  • Fork the project.

  • Start a feature/bugfix branch.

  • Commit and push until you are happy with your contribution.

  • Make sure to add tests for it. This is important so I don’t break it in a future version unintentionally.

  • Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.

Copyright¶ ↑

Copyright © 2012 chrislee35. See LICENSE.txt for further details.