yara-normalize
Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made} To enable consistent comparisons between yara rules (signature), a uniform hashing standard was needed.
This modules takes just the strings from the strings section, sorts them, then generate a sha1 hash. Then, in the conditions section, reorder the boolean expression to make groups first and then replace all variables with $a $b $c, etc. Then hash the result of this.
Then, the signature ID is the concatenation of the truncated md5 sum of the sorted strings and the truncated md5 sum of the normalized conditions. E.g., yn01:488085c947cb22ed:d936fceffe.
Usage
See test cases.
require 'yara-normalize'
sig =<<EOS
rule DataConversion__wide : IntegerParsing DataConversion {
meta:
weight =1
strings:
$="wtoi" nocase
$ ="wtol" nocase
$= "wtof" nocase
$ = "wtodb" nocase
condition:
any of them
}
EOS
yn = YaraTools::YaraRule.new(sig)
puts yn.hash # => yn01:488085c947cb22ed:d936fceffe
puts yn.normalize # =>
rule DataConversion__wide : IntegerParsing DataConversion {
meta:
weight = 1
strings:
$ = "wtoi" nocase
$ = "wtol" nocase
$ = "wtof" nocase
$ = "wtodb" nocase
condition:
any of them
}
puts yn.name # => DataConversion__wide
pp yn.tags # => ["IntegerParsing","DataConversion"]
Contributing to yara-normalize
-
Check out the latest master to make sure the feature hasn’t been implemented or the bug hasn’t been fixed yet.
-
Check out the issue tracker to make sure someone already hasn’t requested it and/or contributed it.
-
Fork the project.
-
Start a feature/bugfix branch.
-
Commit and push until you are happy with your contribution.
-
Make sure to add tests for it. This is important so I don’t break it in a future version unintentionally.
-
Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
Copyright
Copyright © 2012 chrislee35. See LICENSE.txt for further details.