Hi,
Again, just speaking based on our experience - in a year or two there will be another set of popular hashes, and you will probably start considering adding more explicit keys (malware.hash.newone) - requiring changing the harmonization in the process. We have also found out that types of hashes which are not in a standard format, but have their own intrinsic unextractable properties, appear over time. This could validate adding its own "name", for example the BitTorrent BTIH hash. We also thought that the hash type is part of the information, and thus should be part of the data field, not the key name. So, we have just used one key, using solely the URN namespace for adding new hash types.
(It is also necessary to say that one content can be identified by more hashes, so you may find out over time that just a single scalar field may not be enough. But I digress here. :) )
Cheers -- Pavel
From: Tomás Lima synchroack@gmail.com, Date: Jan 05, 2017
Dustin, yes, the syntax looks good, but how can you apply it to the intelmq DHO, or are you saying to use it in the 'malware.hash.other' key? From my point of view we should go for:
- 'malware.hash.md5'
- 'malware.hash.sha1'
- 'malware.hash.sha256'
- 'malware.hash.other' -> using URN syntax

Make sense?

On Thu, Jan 5, 2017 at 9:30 AM, Dustin Demuth <dustin.demuth@intevation.de> wrote:

> Hi,
>
> On Monday, 02 January 2017 14:43:56, Pavel Kácha wrote:
> > my few cents - in Idea we adopted URN syntax (as hash is basically
> > content based resource identifier, so the hash name can denote the
> > namespace). Which happens to be the same, just with the colon separator:
> >
> > sha256:79e18f...
>
> IMHO this syntax is a good idea. Thank you Pavel.
>
> Tomás: Do you need more input?
>
> Ideas so far:
> * An additional field for sha256
> * A convention to store the hash in ".other" like "sha256:79e18..."
>
> BR
> Dustin
>
> --
> dustin.demuth@intevation.de
> https://intevation.de/
> OpenPGP key: B40D2EFF
> Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
> Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
> _______________________________________________
> Intelmq-dev mailing list
> Intelmq-dev@lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev

-- Tomás Lima , »-« SYNchroACK »-«
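
Added example, not code from the thread or from IntelMQ: a Python normalizer for the layout proposed above, with dedicated keys for md5, sha1 and sha256 and a `name:value` entry under `malware.hash.other` for everything else. The function name `hash_to_field`, the length-based typing of unprefixed digests and the sample digests are assumptions of this example.

```python
import hashlib
import re

# Hex digest lengths of the hash types that get a dedicated key in the thread.
DEDICATED = {"md5": 32, "sha1": 40, "sha256": 64}
_HEX = re.compile(r"[0-9a-f]+")
_NAME = re.compile(r"[a-z0-9][a-z0-9-]*")

# Constructed sample digests (hashes of a fixed string, not real indicators).
SAMPLE_SHA1 = hashlib.sha1(b"constructed sample").hexdigest()
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample").hexdigest()


def hash_to_field(raw):
    """Map one hash string to a (key, value) pair.

    Accepts "name:digest" (the colon syntax from the thread) or a bare hex
    digest. A bare digest is typed by its length, which is only a guess.
    """
    text = raw.strip()
    name, sep, digest = text.partition(":")
    if not sep:
        # No prefix: infer the type from the length (assumption of this example).
        digest = text
        name = next((n for n, size in DEDICATED.items() if size == len(text)), "")
    name = name.lower()
    if name in DEDICATED:
        digest = digest.lower()
        if len(digest) != DEDICATED[name] or not _HEX.fullmatch(digest):
            raise ValueError("not a valid %s digest: %r" % (name, raw))
        return "malware.hash." + name, digest
    if not _NAME.fullmatch(name) or not digest:
        raise ValueError("cannot determine hash type of %r" % raw)
    # Unknown type: the name stays inside the value; case is left untouched
    # because not every hash format is case-insensitive hex.
    return "malware.hash.other", name + ":" + digest


if __name__ == "__main__":
    for item in ("SHA256:" + SAMPLE_SHA256.upper(), SAMPLE_SHA1, "btih:" + SAMPLE_SHA1):
        print(hash_to_field(item))
```

The last two inputs carry the same 40 hex characters: without a prefix the value is typed as sha1, with `btih:` it lands in `malware.hash.other`, so the type has to travel with the value when it cannot be recovered from the digest alone.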