[Intelmq-dev] IntelMQ Data Harmonization (DHO) - malware.hash key (issue 732)
Otmar Lendl
lendl at cert.at
Wed Feb 1 18:00:24 CET 2017
On 01.02.2017 11:38, Tomás Lima wrote:
> Thank you Pavel for the excellent feedback.
>
> Well, I really want to have option to specify sha1, sha256 and md5 in
> same message since I'm planning to use results from sources like
> VirusTotal which will be useful to correlate information like Aaron
> mention on that issue:
>
> "assume you are given a hash (sha1) of a piece of malware and you
> want to find it in the events table. However, you only stored the md5
> since that is what you received even though the sender sent you both
> fields (sha1 and md4 - such as the n6 feed). Then you can not ever
> find the right entry again."
>
> I vote for: { ... "malware.hash.md5": "<md5 hash>",
> "malware.hash.sha1": "<sha1 hash>", "malware.hash.sha256": "<sha256
> hash>" ... }
>
> instead of: { ... "malware.hash": "md5:<md5 hash>,sha1:<sha1
> hash>,sha256:<sha256 hash>" ... }
I agree.
IMHO it boils down to whether you just store the info or whether you
will ever want to search for the info.
Right now the eventdb is a traditional relational DB without native json
or multivalue support.
As long that is the case it is much better to stick to "one value in one
field".
otmar
--
// Otmar Lendl <lendl at cert.at> - T: +43 1 5056416 711
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20170201/d0add6e5/attachment.sig>
More information about the Intelmq-dev
mailing list