certtools / intelmq

IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.
https://docs.intelmq.org/latest/
GNU Affero General Public License v3.0

Proposal: New malware hashes fields for harmonization #927

Closed navtej closed 7 years ago

navtej commented 7 years ago

I see currently harmonization provides

malware.hash.sha256
malware.hash.sha1
malware.hash.md5

Can it be kept generic by providing two fields

malware.hash.type
malware.hash.value

where malware.hash.type can be one of md5, sha1, sha256, ssdeep or imphash, and malware.hash.value is a string

aaronkaplan commented 7 years ago

But if you get a sha256 and a sha-1 of something, which one will you keep?
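An added example, not from the issue thread and not IntelMQ's own harmonization code, contrasting the two layouts discussed above: the proposed generic type/value pair can hold only one hash per event, while the existing per-algorithm fields let an MD5 and a SHA-1 of the same sample coexist. The per-type format checks and the ssdeep pattern are assumptions made for this illustration.

```python
import re

# Existing per-algorithm field names quoted in the issue; this mapping and the
# functions around it are an illustration, not IntelMQ code.
SPECIFIC_FIELDS = {"md5": "malware.hash.md5",
                   "sha1": "malware.hash.sha1",
                   "sha256": "malware.hash.sha256"}

# Syntactic checks for the hash types named in the proposal; the ssdeep
# pattern (blocksize:chunk:chunk in base64) is an assumption for this example.
HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "imphash": re.compile(r"^[0-9a-f]{32}$"),
    "ssdeep": re.compile(r"^\d+:[A-Za-z0-9+/]+:[A-Za-z0-9+/]+$"),
}

def validate_hash(hash_type, value):
    """Return the normalised value if it is well-formed for its type, else raise."""
    pattern = HASH_PATTERNS.get(hash_type)
    if pattern is None:
        raise ValueError(f"unknown hash type {hash_type!r}")
    # hex digests are case-insensitive; ssdeep is base64 and case-sensitive
    normalised = value.strip() if hash_type == "ssdeep" else value.strip().lower()
    if not pattern.match(normalised):
        raise ValueError(f"{value!r} is not a well-formed {hash_type}")
    return normalised

def to_generic(hashes):
    """Proposed layout: a single malware.hash.type / malware.hash.value pair.
    A second hash of the same sample has nowhere to go, so it is refused."""
    if len(hashes) != 1:
        raise ValueError(f"generic pair holds one hash, got {len(hashes)}")
    (hash_type, value), = hashes.items()
    return {"malware.hash.type": hash_type,
            "malware.hash.value": validate_hash(hash_type, value)}

def to_specific(hashes):
    """Current layout: one field per algorithm, so several hashes coexist."""
    event = {}
    for hash_type, value in hashes.items():
        if hash_type not in SPECIFIC_FIELDS:
            raise ValueError(f"no harmonization field for {hash_type!r}")
        event[SPECIFIC_FIELDS[hash_type]] = validate_hash(hash_type, value)
    return event

# Sample input: MD5 and SHA-1 of an empty file, as a feed might report both.
SAMPLE = {"md5": "D41D8CD98F00B204E9800998ECF8427E",
          "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}
```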

dmth commented 7 years ago

Thanks for your suggestion. I agree on Aaron's doubt from two days ago. In addition I'd like to remind you of the discussion we had on the mailing list which provided different possibilities to keep track of the type.

ghost commented 7 years ago

Please see here: https://lists.cert.at/pipermail/intelmq-dev/2016-December/000143.html and https://lists.cert.at/pipermail/intelmq-dev/2017-January/000144.html