[Intelmq-dev] IntelMQ Data Harmonization (DHO) - malware.hash key (issue 732)
Dustin Demuth
dustin.demuth at intevation.de
Mon Jan 2 13:05:37 CET 2017
Dear all,
happy new year!
Tomás, thanks for your E-Mail.
> Approaches:
>
> 1. Rename the key 'malware.hash' to something like 'malware.hash.other' for
> situations where we see a feed providing a different type of hash
> 2. Remove the key 'malware.hash' and keep the other two
> 3. Remove the keys 'malware.hash.md5' and 'malware.hash.sha1' and only use
> the key 'malware.hash' for all types of hash. With this approach, if the
> feed provides md5 and sha1 hashes in the same event, we will not be able
> to store both.
>
> The chosen approach is the first one. If you have the chance, please take some
> minutes to give your feedback in order to understand if everyone is
> comfortable with that.
I also prefer the first approach.
Does anyone see a necessity or possibility how a "type annotation" could be
added?
For instance as a "rule":
"When writing to the 'malware.hash.other' field, the type of the hash must be
written first, followed by one space and the hash"
Example:
malware.hash.other = "SHA256 79e18f00a39f45ca2b87c9d2f27efaa08ef68701d01b2729450900a4651f81b9"
Best Regards
Dustin
--
dustin.demuth at intevation.de https://intevation.de/ OpenPGP key: B40D2EFF
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
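
A validator for the "type, one space, hash" rule proposed in the message above, as an added example that is not part of the original e-mail or of IntelMQ's code. The function names, the table of digest lengths and the routing of MD5/SHA1 values to their dedicated keys are assumptions made for illustration.

```python
import re

# Hex digest lengths for common algorithms (assumed table, not from the thread).
KNOWN_HEX_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Types that keep a dedicated key under the first approach in the thread.
DEDICATED_KEYS = {"MD5": "malware.hash.md5", "SHA1": "malware.hash.sha1"}

_TYPE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")
_HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_hash_other(value):
    """Parse '<TYPE> <hash>' and return (TYPE, hash), both normalised.

    Raises ValueError when the value does not follow the proposed rule.
    """
    # Exactly one space separates type and hash. Tabs, line breaks and
    # doubled spaces are rejected instead of being silently repaired, so
    # a feed parser bug shows up at ingestion time.
    parts = value.split(" ")
    if len(parts) != 2 or value != value.strip():
        raise ValueError("expected '<TYPE> <hash>' separated by one space")
    hash_type, digest = parts[0].upper(), parts[1]
    if not _TYPE_RE.fullmatch(hash_type):
        raise ValueError("invalid hash type annotation")

    expected = KNOWN_HEX_LENGTHS.get(hash_type)
    if expected is not None:
        # Known algorithm: the digest must be hex of the right length,
        # which catches truncated values and mislabelled types.
        if not _HEX_RE.fullmatch(digest) or len(digest) != expected:
            raise ValueError(f"{hash_type} digest must be {expected} hex characters")
        digest = digest.lower()
    elif not digest or re.search(r"\s", digest):
        # Unknown type (for example a fuzzy hash): only require a
        # non-empty token without whitespace and keep its case.
        raise ValueError("hash must be non-empty and contain no whitespace")
    return hash_type, digest


def target_key(hash_type):
    """Return the key an event should use for this hash type."""
    return DEDICATED_KEYS.get(hash_type.upper(), "malware.hash.other")
```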