On 01.02.2017 11:38, Tomás Lima wrote:
Thank you Pavel for the excellent feedback.
Well, I really want to have the option to specify sha1, sha256 and md5 in the same message, since I'm planning to use results from sources like VirusTotal, which will be useful to correlate information, like Aaron mentioned on that issue:
"assume you are given a hash (sha1) of a piece of malware and you want to find it in the events table. However, you only stored the md5 since that is what you received even though the sender sent you both fields (sha1 and md4 - such as the n6 feed). Then you cannot ever find the right entry again."
I vote for: { ... "malware.hash.md5": "<md5 hash>", "malware.hash.sha1": "<sha1 hash>", "malware.hash.sha256": "<sha256 hash>" ... }
instead of: { ... "malware.hash": "md5:<md5 hash>,sha1:<sha1 hash>,sha256:<sha256 hash>" ... }
I agree.
IMHO it boils down to whether you just store the info or whether you will ever want to search for the info.
Right now the eventdb is a traditional relational DB without native JSON or multivalue support.
As long as that is the case it is much better to stick to "one value in one field".
otmar
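The trade-off otmar describes, illustrated as an added example that is not code from this thread or from its project: the "one value in one field" layout is modelled as one indexed column per hash algorithm in an in-memory SQLite table, so a lookup by whichever digest the analyst happens to hold is an exact, index-backed query; the rejected "md5:...,sha1:..." string is shown only through the parsing every consumer would first have to do. The event records, feed names and hash values are constructed (digests of made-up bytes), and the column names are assumptions, not the real eventdb schema.

```python
"""Added example: one-field-per-hash vs. a combined hash string.
Sample events are constructed; hashes are digests of made-up bytes."""
import hashlib
import re
import sqlite3

# Expected hex length per algorithm, used to reject malformed values on ingest.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Assumed column names for the relational eventdb (not the project's schema).
COLUMN = {"md5": "hash_md5", "sha1": "hash_sha1", "sha256": "hash_sha256"}


def digests(data: bytes) -> dict:
    """Compute all three digests of a constructed sample payload."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def validate_hash(algo: str, value: str) -> str:
    """Lowercase the value and reject anything of the wrong length or non-hex."""
    value = value.strip().lower()
    if algo not in HASH_LEN:
        raise ValueError(f"unknown hash algorithm: {algo}")
    if len(value) != HASH_LEN[algo] or not HEX_RE.match(value):
        raise ValueError(f"{algo} value has wrong length or is not hex: {value!r}")
    return value


def parse_combined(field: str) -> dict:
    """Split the rejected 'md5:<h>,sha1:<h>,...' layout into {algo: hash}.
    Every consumer would have to repeat this before it could search at all."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition(":")
        out[algo.strip()] = validate_hash(algo.strip(), value)
    return out


def to_flat_fields(hashes: dict) -> dict:
    """The layout the thread votes for: one validated value per field."""
    return {f"malware.hash.{algo}": validate_hash(algo, v) for algo, v in hashes.items()}


def build_eventdb(events: list) -> sqlite3.Connection:
    """Model the relational eventdb: one indexed column per hash algorithm."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, "
        "hash_md5 TEXT, hash_sha1 TEXT, hash_sha256 TEXT)"
    )
    for col in COLUMN.values():
        conn.execute(f"CREATE INDEX idx_{col} ON events({col})")
    for ev in events:
        conn.execute(
            "INSERT INTO events (hash_md5, hash_sha1, hash_sha256) VALUES (?, ?, ?)",
            tuple(ev.get(f"malware.hash.{algo}") for algo in ("md5", "sha1", "sha256")),
        )
    return conn


def find_by_hash(conn: sqlite3.Connection, algo: str, value: str) -> list:
    """Exact lookup on the column for the digest the analyst actually has."""
    value = validate_hash(algo, value)
    rows = conn.execute(f"SELECT id FROM events WHERE {COLUMN[algo]} = ?", (value,))
    return [row[0] for row in rows]


# Constructed sample: one feed sends md5 + sha1 (the n6-style case in the
# quote), another sends only sha256.
SAMPLE_A = digests(b"constructed sample payload A")
SAMPLE_B = digests(b"constructed sample payload B")
EVENTS = [
    to_flat_fields({"md5": SAMPLE_A["md5"], "sha1": SAMPLE_A["sha1"]}),
    to_flat_fields({"sha256": SAMPLE_B["sha256"]}),
]

if __name__ == "__main__":
    db = build_eventdb(EVENTS)
    print("by sha1:", find_by_hash(db, "sha1", SAMPLE_A["sha1"]))   # event 1
    print("by sha256:", find_by_hash(db, "sha256", SAMPLE_B["sha256"]))  # event 2
    print("by md5 (never stored):", find_by_hash(db, "md5", SAMPLE_B["md5"]))  # []
```

The last lookup shows the failure mode from Aaron's quote: the sender's sha256 for sample B was kept, but its md5 was never received, so an md5 search finds nothing. Storing each digest the sender supplies in its own field keeps every lookup path open; a combined string would force a parse or a substring scan on every search and defeats the indexes.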