[Intelmq-dev] IntelMQ Data Harmonization (DHO) - malware.hash key (issue 732)

L. Aaron Kaplan kaplan at cert.at
Tue Jan 17 12:08:42 CET 2017


> On 11 Jan 2017, at 10:36, Sebastian Wagner <wagner at cert.at> wrote:
> 
> I also think that adding one field per hash type is not feasible as
> there are a lot of hash types and they change over time. That's why we
> used malware.hash and the Crypt (C) names.
> I wasn't aware of URN at this time and it is definitely better - easier
> to understand and supports more hash types. Consequently malware.hash
> needs to be a list (could be made comma-separated for postgres?).
> 

agreed

> Sebastian
> 
> 
> On 01/06/2017 09:47 AM, Pavel Kácha wrote:
>> Hi,
>> 
>>   again, just speaking based on our experience - in a year or two there
>> will be another set of popular hashes, and you will probably start
>> considering adding another explicit key (malware.hash.newone) - requiring
>> changing the harmonization in the process.
>>   We have also found out that types of hashes which are not in a
>> standard format, but have their own intrinsic unextractable properties,
>> appear over time.  This could validate adding its own "name", for
>> example the BitTorrent BTIH hash.
>>   We also thought that hash type is part of information, and thus should be
>> part of data field, not key name.
>>   So, we have just used one key, using solely URN namespace for adding new
>> hash types.
>> 
>>   (It is also necessary to say that one piece of content can be identified by
>> more than one hash, so you may find out over time that just a single scalar
>> field may not be enough. But I digress here. :) )
>> 
>> Cheers
>> -- Pavel
> 
> --
> // Sebastian Wagner <wagner at cert.at> - T: +43 1 50564167201
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
> 
> 


--
//  CERT Austria
//  L. Aaron Kaplan <kaplan at cert.at>
//  T: +43 1 505 64 16 78
//  http://www.cert.at
//  Eine Initiative der nic.at GmbH
//  http://www.nic.at/ - Firmenbuchnummer 172568b, LG Salzburg
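The design the thread converges on (one malware.hash key holding a list, with the hash type carried inside each value via a URN-style namespace rather than in the key name) is easy to sketch in code. The example below is added here and is not IntelMQ's code; the `urn:hash:<type>:<hex>` layout, the `KNOWN_LENGTHS` table and the sample payload are assumptions for illustration. It validates digest length for known algorithms, accepts unknown types such as btih as opaque values so a new algorithm needs no harmonization change, round-trips the comma-separated storage form, and matches two events that share any digest of the same type.

```python
"""Single-key, URN-style hash list for a harmonized event field.

Added example, not IntelMQ's own code. The "urn:hash:<type>:<hex>" layout
is an assumed illustration of encoding the hash type in the value.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Expected hex digest lengths for common types (assumed table). Unknown
# types (e.g. btih) are accepted as opaque values, so adding an algorithm
# does not require a new key in the harmonization.
KNOWN_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Assumed value layout: urn:hash:<type>:<hex digest>
URN_RE = re.compile(r"^urn:hash:([A-Za-z0-9-]+):([0-9a-fA-F]+)$")


@dataclass(frozen=True)
class HashRef:
    algo: str    # lowercase hash type name
    digest: str  # lowercase hex digest


def parse_hash(entry: str, allow_unknown: bool = True) -> HashRef:
    """Parse one value; reject malformed or wrong-length known digests."""
    m = URN_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not a urn:hash value: {entry!r}")
    algo, digest = m.group(1).lower(), m.group(2).lower()
    expected = KNOWN_LENGTHS.get(algo)
    if expected is None:
        if not allow_unknown:
            raise ValueError(f"unknown hash type: {algo}")
    elif len(digest) != expected:
        raise ValueError(
            f"{algo} digest must be {expected} hex chars, got {len(digest)}"
        )
    return HashRef(algo, digest)


def parse_hash_list(field: str, allow_unknown: bool = True) -> List[HashRef]:
    """Parse the comma-separated storage form (e.g. one postgres column)."""
    refs = []
    for item in field.split(","):
        item = item.strip()
        if item:
            refs.append(parse_hash(item, allow_unknown))
    return refs


def serialize_hash_list(refs: Iterable[HashRef]) -> str:
    """Inverse of parse_hash_list: normalized, comma-separated, no spaces."""
    return ",".join(f"urn:hash:{r.algo}:{r.digest}" for r in refs)


def same_content(a: Iterable[HashRef], b: Iterable[HashRef]) -> bool:
    """True when two hash lists share at least one digest of the same type."""
    return bool(set(a) & set(b))


def constructed_sample() -> Tuple[str, str]:
    """Real md5/sha256 digests of a constructed sample payload (not an IoC)."""
    payload = b"constructed sample payload"
    return hashlib.md5(payload).hexdigest(), hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    md5, sha256 = constructed_sample()
    # Mixed case, stray spaces and an unknown type, as a feed might deliver it.
    field = f"urn:hash:MD5:{md5.upper()}, urn:hash:sha256:{sha256}, urn:hash:btih:{'0' * 40}"
    refs = parse_hash_list(field)
    print(serialize_hash_list(refs))
    print(same_content(refs, [HashRef("sha256", sha256)]))
```

Because `HashRef` is a frozen dataclass, set intersection in `same_content` compares type and digest together, so an md5 and a sha1 that happen to share a prefix never collide, and case or whitespace differences between feeds are normalized away at parse time.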
