[Intelmq-dev] IntelMQ Data Harmonization (DHO) - malware.hash key (issue 732)
Thomas Hungenberg
th at cert-bund.de
Mon Jan 2 13:54:14 CET 2017
Hi all,
SHA256 hashes are quite common today, so I'd suggest adding
malware.hash.sha256 to the DHO in addition to md5 and sha1.
For other hashes that might be used, I like Dustins suggestion
for the malware.hash.other rule.
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
On 02.01.2017 13:05, Dustin Demuth wrote:
> Dear all,
>
> happy new year!
>
> Tomás, thanks for your E-Mail.
>
>> *Approaches**:*
>>
>> 1. Rename the key 'malware.hash' to something like 'malware.hash.other' for
>> situations where we see a feed providing a different type of hash
>> 2. Remove the key 'malware.hash' and keep with the other two ones
>> 3. Remove the keys 'malware.hash.md5' and 'malware.hash.sha1' and only use
>> the key 'malware.hash' for all types of hash. With this approach, if the
>> feed provides a md5 and sha1 hashes in the same event, we will not be able
>> to store both.
>>
>> The chosen approach is the first one. If you have chance, please take some
>> minutes to give your feedback in order to understand if everyone is
>> comfortable with that.
>
> I also prefer the first approach.
> Does anyone see a necessity or possibility how a "type annotation" could be
> added?
>
> For instance as a "rule":
> "When writing to the 'malware.hash.other' field, the type of the hash must be
> written first, followed by one space and the hash"
>
> Example:
> malware.hash.other = "SHA256
> 79e18f00a39f45ca2b87c9d2f27efaa08ef68701d01b2729450900a4651f81b9"
>
>
> Best Regards
> Dustin
>
>
>
> _______________________________________________
> Intelmq-dev mailing list
> Intelmq-dev at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>
More information about the Intelmq-dev
mailing list