Open ikiril01 opened 10 years ago
We do support the single, String-valued Fuzzy_Hash_Value:
https://github.com/CybOXProject/python-cybox/blob/master/cybox/common/hashes.py#L43
We don't support the entire Fuzzy Hash structure, however.
I'd like to be able to more easily grab a SSDEEP out of a File Object.
@brlogan, do you think that the FuzzyHashStructure (a complex object) is easier to parse than the FuzzyHashValue (a simple string)? We already support the latter, but not the former. I'll update the issue title to reflect this.
For the specific use-case I was seeing, I had a FileObject with various hashes that I could access as properties of the FileObject. However, "ssdeep" was not one of the properties. I could see the value listed in the STIX document alongside the other hashes, but had to do something messy like this to pull it out:
```python
for h in file_obj.hashes.hashes:
    if h.type_ == 'SSDEEP':
        ssdeep = h.fuzzy_hash_value
```
If FuzzyHashValue can support that, then I think I'm fine with it. I think I mainly just want SSDEEP in the `HashList` and `File` classes.
Ahh, so we can definitely add `ssdeep` properties to the `HashList` and `File` classes (the latter case is really just a subset of the former).
That's a bit of a separate issue from what's being described here. Even though I think it's unlikely we'll ever get around to what's described in this issue, I'll create a separate one.
Okay, that's kinda what I figured. I think this issue originally was a better fit, prior to the title change.
Ahh, I realize I totally interpreted @ikiril01's original comment as being about Fuzzy_Hash_Structure, not about `ssdeep` properties on the Hash class, but now I can see it both ways. Regardless of which he meant (if he even remembers), we now have separate issues for both. 😉
Currently the Hash class in common/hashes.py only supports simple hash values; since fuzzy hash values are also supported in CybOX, we should add the corresponding classes for capturing these.
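
For readers who need the ssdeep value without going through the loop quoted in the thread, the following is an added example, not code from this issue or from python-cybox. It reads the CybOX 2.x XML directly with the standard library. The function names `hashes_by_type` and `ssdeep_of` and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# CybOX 2.x common namespace: Hash, Type and the hash value elements live here.
NS = {"cyboxCommon": "http://cybox.mitre.org/common-2"}

# ssdeep digests have the shape blocksize:hash1:hash2 (base64 alphabet).
SSDEEP_RE = re.compile(r"\d+:[A-Za-z0-9+/]*:[A-Za-z0-9+/]*")

# Constructed sample: a File Object hash list with one simple and one fuzzy hash.
SAMPLE = """\
<FileObj:Hashes xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
                xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
  <cyboxCommon:Hash>
    <cyboxCommon:Type>MD5</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash>
  <cyboxCommon:Hash>
    <cyboxCommon:Type>SSDEEP</cyboxCommon:Type>
    <cyboxCommon:Fuzzy_Hash_Value>3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C</cyboxCommon:Fuzzy_Hash_Value>
  </cyboxCommon:Hash>
</FileObj:Hashes>
"""


def hashes_by_type(xml_text):
    """Map each Hash's Type (upper-cased) to its value, fuzzy or simple."""
    # Stdlib parser is fine for this embedded sample; use a hardened
    # parser when ingesting STIX/CybOX from untrusted sources.
    root = ET.fromstring(xml_text)
    out = {}
    for h in root.iter("{%s}Hash" % NS["cyboxCommon"]):
        type_ = h.findtext("cyboxCommon:Type", default="", namespaces=NS).strip().upper()
        fuzzy = h.findtext("cyboxCommon:Fuzzy_Hash_Value", namespaces=NS)
        simple = h.findtext("cyboxCommon:Simple_Hash_Value", namespaces=NS)
        # Prefer the fuzzy element; fall back for producers that put an
        # ssdeep digest into Simple_Hash_Value.
        value = fuzzy if fuzzy is not None else simple
        if type_ and value and value.strip():
            out[type_] = value.strip()
    return out


def ssdeep_of(xml_text):
    """Return the SSDEEP digest if present and well-formed, else None."""
    value = hashes_by_type(xml_text).get("SSDEEP")
    return value if value and SSDEEP_RE.fullmatch(value) else None
```
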