OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Implement SSDEEP / Fuzzy hash parameter for File object #1611

Open securitiz opened 2 years ago

securitiz commented 2 years ago

Use case

Implementing an ssdeep / fuzzy hash parameter for the File object would allow analysts to link File observables that are not exactly the same, but extremely similar.

Current Workaround

N/a

Proposed Solution

Implement a parameter for the File observable to record a file's ssdeep hash.

File observables that share ssdeep hashes should be linked in some way, whether by direct relationship or inference. Additionally, it would be useful to view all File observables that share an ssdeep hash at once.

Additional Information

https://ssdeep-project.github.io/ssdeep/index.html

If the feature request is approved, would you be willing to submit a PR?

Yes / No (Help can be provided if you need assistance submitting a PR)
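The linking the proposal asks for, as an added example that is not OpenCTI code: STIX 2.1 File objects carry the digest under hashes["SSDEEP"], and two ssdeep digests are only comparable when their block sizes are equal or differ by a factor of two. The score below is a simplified stand-in for ssdeep's fuzzy_compare (the real comparison also strips long repeat runs and caps scores for small block sizes), and the observable ids and digests are constructed.

```python
from itertools import combinations

ROLLING_WINDOW = 7  # ssdeep only scores chunks that share a substring this long

def parse_ssdeep(digest):
    """Split 'blocksize:chunk:double_chunk[,"filename"]' into its three parts."""
    bs, h1, h2 = digest.split(":", 2)
    return int(bs), h1, h2.split(",", 1)[0]

def edit_distance(a, b):
    """Plain Levenshtein distance (ssdeep's own comparison weights edits differently)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def chunk_score(a, b):
    """0-100 similarity of two chunk signatures hashed at the same block size."""
    if min(len(a), len(b)) < ROLLING_WINDOW or not any(
            a[i:i + ROLLING_WINDOW] in b for i in range(len(a) - ROLLING_WINDOW + 1)):
        return 0  # no shared 7-character window: unrelated, as ssdeep treats it
    n = max(len(a), len(b))
    return round(100 * (n - edit_distance(a, b)) / n)

def ssdeep_similarity(d1, d2):
    """Compare only chunks produced at the same block size; incompatible sizes score 0."""
    bs1, a1, a2 = parse_ssdeep(d1)
    bs2, b1, b2 = parse_ssdeep(d2)
    if bs1 == bs2:
        return max(chunk_score(a1, b1), chunk_score(a2, b2))
    if bs1 == 2 * bs2:  # d1's first chunk was hashed at d2's doubled block size
        return chunk_score(a1, b2)
    if bs2 == 2 * bs1:
        return chunk_score(a2, b1)
    return 0

def link_files(files, threshold=50):
    """Return (id, id, score) for each pair of File observables at or above threshold."""
    return [(f["id"], g["id"], s) for f, g in combinations(files, 2)
            if (s := ssdeep_similarity(f["hashes"]["SSDEEP"], g["hashes"]["SSDEEP"])) >= threshold]

# Constructed sample observables: STIX-style ids and digests are made up for this example.
FILES = [
    {"type": "file", "id": "file--0001", "hashes": {"SSDEEP": "3:ABCDEFGHIJKLMNOPQRST:abcdefghij"}},
    {"type": "file", "id": "file--0002", "hashes": {"SSDEEP": "3:ABCDEFGHIJKLMNOPQRXY:zzzzzzzzzz"}},
    {"type": "file", "id": "file--0003", "hashes": {"SSDEEP": "6:abcdefghXY:ppppppp"}},
    {"type": "file", "id": "file--0004", "hashes": {"SSDEEP": "12:mmmmmmmmmm:nnnnnnn"}},
]
```

Running link_files(FILES) links file--0001 to file--0002 (same block size) and to file--0003 (block size 6 against 3, via the doubled chunk), while file--0004 stays unlinked because block size 12 is not comparable to 3 and shares nothing with file--0003.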

securitiz commented 2 years ago

@SamuelHassine I'm curious to get an update on this issue, just because when I export file observables from the platform, I see that there is a column in the resulting CSV for SSDEEP hashes, yet the parameter isn't represented in the GUI.

SamuelHassine commented 1 year ago

2 major evolutions here: