Add fuzzy hashes (ssdeep) #1167

Closed
andrewstucki opened this issue Dec 3, 2020 · 0 comments · Fixed by #1169
Labels
enhancement New feature or request ready Issues we'd like to address in the future.

Comments

@andrewstucki
Contributor

Summary

For file/large byte data we have fields for various popular hashing algorithms: md5, sha256, etc. While I'd want to keep entity-specific hashing algorithms isolated to field sets related to them (imphash to PE, ja3 to TLS, etc.), I think it would be worthwhile to add some standardized fuzzy byte hashes to hash. Specifically I think we could start with something like ssdeep. If there are others that folks think are worthwhile, we could likely add them at the same time.

Motivation:

Fuzzy hashes would allow us to group by similar entities rather than identical. Helpful for things like similar file identification, etc.

Detailed Design:

New fields:

| Name | Type | Description |
|---|---|---|
| hash.ssdeep | keyword | SSDEEP hash. |
@andrewstucki andrewstucki added the enhancement New feature or request label Dec 3, 2020
@ebeahan ebeahan added the ready Issues we'd like to address in the future. label Jan 5, 2021
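An added example, not part of the issue or of the project's code: because `hash.ssdeep` is a `keyword`, grouping similar files needs a pre-filter over the digest's `blocksize:chunk:double_chunk` parts before any real ssdeep comparison. The sketch below finds candidate pairs only (block sizes equal or a factor of two apart, plus a shared 7-character run); it does not compute the ssdeep score, and the event layout with `hash` nested under `file` and all sample values are assumptions constructed for illustration.

```python
import re
from itertools import combinations

WINDOW = 7  # ssdeep scores two digests above 0 only if they share a 7-char run

def parse(digest):
    """Split 'blocksize:chunk:double_chunk'; collapse runs longer than 3 chars."""
    size, chunk, double = digest.split(":", 2)
    squeeze = lambda s: re.sub(r"(.)\1{3,}", r"\1\1\1", s)
    return int(size), squeeze(chunk), squeeze(double)

def ngrams(s):
    return {s[i:i + WINDOW] for i in range(len(s) - WINDOW + 1)}

def comparable(a, b):
    """True when the two digests could score above 0 in an ssdeep comparison."""
    if a == b:
        return True
    (sa, ca, da), (sb, cb, db) = parse(a), parse(b)
    if sa == sb:      # same block size: chunk vs chunk, double vs double
        return bool(ngrams(ca) & ngrams(cb) or ngrams(da) & ngrams(db))
    if sa * 2 == sb:  # a's double-size chunk lines up with b's chunk
        return bool(ngrams(da) & ngrams(cb))
    if sb * 2 == sa:  # and the mirror case
        return bool(ngrams(ca) & ngrams(db))
    return False      # block sizes too far apart to compare

def group(events):
    """Connected components of file names linked by comparable hash.ssdeep."""
    key = lambda e: (e["file"]["name"], e["file"]["hash"]["ssdeep"])
    parent = {key(e)[0]: key(e)[0] for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for (n1, h1), (n2, h2) in combinations(map(key, events), 2):
        if comparable(h1, h2):
            parent[find(n2)] = find(n1)
    clusters = {}
    for name in parent:
        clusters.setdefault(find(name), []).append(name)
    return sorted(sorted(c) for c in clusters.values())

# Constructed digests and file names, not taken from real files.
EVENTS = [{"file": {"name": n, "hash": {"ssdeep": h}}} for n, h in [
    ("a.bin", "96:abcdefghijklmnopqrstuvwxyzABCD:abcdefghijklmnop"),
    ("b.bin", "96:abcdefghijkLMNopqrstuvwxyzABCD:abcdefgHijklmnop"),
    ("c.bin", "192:abcdefghiJKLmnop:ZYXWVUTS"),
    ("d.bin", "96:0123456789+/0123456789+/012345:0123456789+/0123"),
    ("e.bin", "384:abcdefghijklmnop:abcdefgh"),
]]
```

Pairs that pass this filter still need a full ssdeep comparison to get a similarity score; `e.bin` stays alone despite sharing text with `a.bin` because its block size is four times larger.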