[Intelmq-dev] IntelMQ Data Harmonization (DHO) - malware.hash key (issue 732)

Pavel Kácha ph at cesnet.cz
Fri Jan 6 09:47:29 CET 2017


Hi,

   again, just speaking based on our experience - in a year or two there
will be another set of popular hashes, and you will probably start
considering adding other explicit keys (malware.hash.newone), requiring
a change to the harmonization in the process.
   We have also found out that types of hashes which are not in a
standard format, but have their own intrinsic unextractable properties,
appear over time.  This could validate adding their own "name", for
example the bittorrent BTIH hash.
   We also thought that the hash type is part of the information, and thus
should be part of the data field, not the key name.
   So, we have just used one key, using solely the URN namespace for adding
new hash types.

   (It is also necessary to say that one piece of content can be identified
by more than one hash, so you may find out over time that a single scalar
field may not be enough. But I digress here. :) )

Cheers
-- Pavel

> From: Tomás Lima <synchroack at gmail.com>, Date: Jan 05, 2017
>
>    Dustin, yes, the syntax looks good, but how can you apply it to the intelmq
>    DHO, or are you saying to use it in the 'malware.hash.other' key?
>    From my point of view we should go for:
>    - 'malware.hash.md5'
>    - 'malware.hash.sha1'
>    - 'malware.hash.sha256'
>    - 'malware.hash.other' -> using URN syntax
>    Make sense?
>    On Thu, Jan 5, 2017 at 9:30 AM, Dustin Demuth
>    <dustin.demuth at intevation.de> wrote:
> 
>      Hi,
>      On Monday 02 January 2017 14:43:56 Pavel Kácha wrote:
> 
>      >    my few cents - in Idea we adopted URN syntax (as a hash is basically
>      > a content-based resource identifier, so the hash name can denote the
>      > namespace).  Which happens to be the same, just with the colon
>      > separator:
>      >
>      >    sha256:79e18f...
>      >
> 
>      IMHO this syntax is a good idea. Thank you Pavel.
> 
>      Tomás: Do you need more input?
> 
>      Ideas so far:
> 
>      * An additional field for sha256
>      * A convention to store the hash in ".other" like "sha256:79e18..."
> 
>      BR
>      Dustin
> 
>      --
>      dustin.demuth at intevation.de  https://intevation.de/   OpenPGP
>      key: B40D2EFF
>      Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B
>      18998
>      Managing directors:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver
>      Wagner
>      _______________________________________________
>      Intelmq-dev mailing list
>      Intelmq-dev at lists.cert.at
>      http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> 
>    --
>     Tomás Lima ,     »-« SYNchroACK »-«
> 

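The thread discusses storing the hash type inside the value as a URN-style "namespace:digest" string (for example "sha256:79e18f...") in a single key, so that new hash types such as BTIH can be added without changing the harmonization. The following Python is an added example written for this thread; it is not IntelMQ code and not a patch any participant proposed. It assumes a hypothetical registry of known digest lengths used only for validation, treats unknown namespaces as opaque but well-formed values, and assumes a comma separator for the case Pavel raises where one piece of content carries several hashes.

```python
import hashlib
import re
from typing import Dict, List, NamedTuple

# Hypothetical registry of hash namespaces (an assumption for this example, not
# part of IntelMQ's DHO). Value is the expected hex digest length. Namespaces
# missing here are still accepted as opaque "namespace:digest" pairs, so adding
# a new hash type needs no schema change, which is the point of the proposal.
KNOWN_DIGEST_LENGTHS: Dict[str, int] = {
    "md5": 32,
    "sha1": 40,
    "sha256": 64,
    "sha512": 128,
    "btih": 40,  # BitTorrent info-hash (SHA-1 sized): a non-standard-format type
}

_NAMESPACE_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")
LIST_SEPARATOR = ","  # assumed separator when one content carries several hashes


class HashRef(NamedTuple):
    namespace: str  # hash type, e.g. "sha256"
    digest: str     # lowercase hex digest
    known: bool     # True when the namespace is in KNOWN_DIGEST_LENGTHS


def parse_hash_field(value: str) -> HashRef:
    """Parse one 'namespace:hexdigest' value such as 'sha256:79e18f...'.

    Raises ValueError on a missing separator, a malformed namespace, a
    non-hex digest, or a digest whose length contradicts a known namespace.
    """
    if ":" not in value:
        raise ValueError(f"no namespace separator in {value!r}")
    namespace, _, digest = value.partition(":")
    namespace = namespace.strip().lower()
    digest = digest.strip().lower()
    if not _NAMESPACE_RE.match(namespace):
        raise ValueError(f"invalid hash namespace {namespace!r}")
    if not _HEX_RE.match(digest):
        raise ValueError(f"digest is not hexadecimal in {value!r}")
    expected = KNOWN_DIGEST_LENGTHS.get(namespace)
    if expected is not None and len(digest) != expected:
        raise ValueError(
            f"{namespace} digest must be {expected} hex chars, got {len(digest)}"
        )
    return HashRef(namespace, digest, expected is not None)


def normalize_hash_field(value: str) -> str:
    """Canonical form: lowercase namespace and digest, no surrounding whitespace."""
    ref = parse_hash_field(value)
    return f"{ref.namespace}:{ref.digest}"


def is_valid_hash_field(value: str) -> bool:
    """Boolean wrapper of the kind a bot's field validator would call."""
    try:
        parse_hash_field(value)
    except ValueError:
        return False
    return True


def parse_hash_list(value: str) -> List[HashRef]:
    """Parse several hashes for one content, e.g. 'md5:...,sha256:...'."""
    return [parse_hash_field(item) for item in value.split(LIST_SEPARATOR) if item.strip()]


def hashes_for_content(data: bytes, algorithms=("md5", "sha1", "sha256")) -> List[str]:
    """Produce the namespaced values an enrichment step would emit for a sample."""
    return [f"{algo}:{hashlib.new(algo, data).hexdigest()}" for algo in algorithms]


if __name__ == "__main__":
    sample = b"constructed sample content"  # constructed input, not a real artefact
    for field in hashes_for_content(sample):
        print(field, parse_hash_field(field))
    print(parse_hash_field("btih:" + "ab" * 20))    # known non-standard type
    print(parse_hash_field("blake3:" + "cd" * 32))  # unknown type, accepted as opaque
    print(is_valid_hash_field("sha256:abc"))        # False: wrong length
```

The length check only applies to namespaces the registry knows; an unknown namespace is passed through with `known=False` rather than rejected, which keeps the field forward-compatible while still catching a truncated or non-hex digest of a well-known type.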
