CybOXProject / python-cybox

A Python library for parsing, manipulating, and generating CybOX content.
http://cybox.readthedocs.org/
BSD 3-Clause "New" or "Revised" License

Support FuzzyHashStructure #166

Open ikiril01 opened 10 years ago

ikiril01 commented 10 years ago

Currently the Hash class in common/hashes.py only supports simple hash values; since fuzzy hash values are also supported in CybOX, we should add the corresponding classes for capturing these.

gtback commented 10 years ago

We do support the single, String-valued Fuzzy_Hash_Value:

https://github.com/CybOXProject/python-cybox/blob/master/cybox/common/hashes.py#L43

We don't support the entire Fuzzy Hash structure, however.

brlogan commented 7 years ago

I'd like to be able to more easily grab an SSDEEP out of a File Object.

gtback commented 7 years ago

@brlogan, do you think that the FuzzyHashStructure (a complex object) is easier to parse than the FuzzyHashValue (a simple string)? We already support the latter, but not the former. I'll update the issue title to reflect this.

brlogan commented 7 years ago

For the specific use-case I was seeing, I had a FileObject with various hashes that I could access as properties of the FileObject. However, "ssdeep" was not one of the properties. I could see the value listed in the STIX document alongside the other hashes, but had to do something messy like this to pull it out:

for h in file_obj.hashes.hashes:
    if h.type_ == 'SSDEEP':
        ssdeep = h.fuzzy_hash_value

If FuzzyHashValue can support that, then I think I'm fine with it. I think I mainly just want SSDEEP in the HashList and File classes.
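An added example, not part of the thread or of python-cybox: it reads the ssdeep string directly from the Hashes block of a CybOX 2.x File object with the standard library, taking Fuzzy_Hash_Value where a hash has one and Simple_Hash_Value otherwise. The sample XML and its hash values are constructed, and the helper names (`hashes_by_type`, `ssdeep_of`) are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# CybOX 2.x common-types namespace (Hash, Type, *_Hash_Value elements).
NS = {"c": "http://cybox.mitre.org/common-2"}
# ssdeep text form is blocksize:hash1:hash2, both hashes in the base64 alphabet.
SSDEEP_RE = re.compile(r"^\d+:[A-Za-z0-9+/]*:[A-Za-z0-9+/]*$")

# Constructed sample: the Hashes block of a File object (values are made up).
SAMPLE = """\
<FileObj:Hashes xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
                xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
  <cyboxCommon:Hash>
    <cyboxCommon:Type>MD5</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash>
  <cyboxCommon:Hash>
    <cyboxCommon:Type>SSDEEP</cyboxCommon:Type>
    <cyboxCommon:Fuzzy_Hash_Value>3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C</cyboxCommon:Fuzzy_Hash_Value>
  </cyboxCommon:Hash>
</FileObj:Hashes>
"""


def hashes_by_type(xml_text):
    """Map upper-cased hash type -> value for every Hash element found."""
    # For documents from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    result = {}
    for h in root.iter("{%s}Hash" % NS["c"]):
        type_ = (h.findtext("c:Type", namespaces=NS) or "").strip().upper()
        # A fuzzy hash sits in Fuzzy_Hash_Value, a plain digest in Simple_Hash_Value.
        value = (h.findtext("c:Fuzzy_Hash_Value", namespaces=NS)
                 or h.findtext("c:Simple_Hash_Value", namespaces=NS) or "").strip()
        if type_ and value:
            result[type_] = value
    return result


def ssdeep_of(xml_text):
    """Return the ssdeep string, or None if it is absent or malformed."""
    value = hashes_by_type(xml_text).get("SSDEEP")
    return value if value and SSDEEP_RE.match(value) else None
```
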

gtback commented 7 years ago

Ahh, so we can definitely add ssdeep properties to the HashList and File classes (the latter case is really just a subset of the former).

That's a bit of a separate issue from what's being described here. Even though I think it's unlikely we'll ever get around to what's described in this issue, I'll create a separate one.

brlogan commented 7 years ago

Okay, that's kinda what I figured. I think this issue originally was a better fit, prior to the title change.

gtback commented 7 years ago

Ahh, I realize I totally interpreted @ikiril01's original comment as being about Fuzzy_Hash_Structure, not about ssdeep properties on the Hash class, but now I can see it both ways. Regardless of which he meant (if he even remembers), we now have separate issues for both. 😉