[Intelmq-dev] IntelMQ Data Harmonization (DHO) - malware.hash key (issue 732)
Tomás Lima
synchroack at gmail.com
Fri Dec 30 01:57:37 CET 2016
Folks,
In the current DHO there are 3 fields related to malware hash ('
*malware.hash*', '*malware.hash.md5*' and '*malware.hash.sha1*') but one of
them ('*malware.hash*') is not compliant with the current internal message
structure (technical details can be found on the issue 732
<https://github.com/certtools/intelmq/issues/732#issuecomment-269602721>).
Since it's a bug that needs to be fixed and affects the DHO, I would like
to propose the only three approaches that I see (maybe there are more...)
to solve this issue and would like to have your feedback to achieve an
agreement.
*Approaches**:*
1. Rename the key 'malware.hash' to something like 'malware.hash.other' for
situations where we see a feed providing a different type of hash
2. Remove the key 'malware.hash' and keep with the other two ones
3. Remove the keys 'malware.hash.md5' and 'malware.hash.sha1' and only use
the key 'malware.hash' for all types of hash. With this approach, if the
feed provides a md5 and sha1 hashes in the same event, we will not be able
to store both.
The chosen approach is the first one. If you have chance, please take some
minutes to give your feedback in order to understand if everyone is
comfortable with that.
Thank you in advance.
Cheers!
--
Tomás Lima* , * »-«* SYNchroACK *»-«
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20161230/93308333/attachment.html>
More information about the Intelmq-dev
mailing list