Summary
For file/large byte data we have fields for various popular hashing algorithms: `md5`, `sha256`, etc. While I'd want to keep entity-specific hashing algorithms isolated to field sets related to them (`imphash` to PE, `ja3` to TLS, etc.), I think it would be worthwhile to add some standardized fuzzy byte hashes to `hash`. Specifically I think we could start with something like `ssdeep`. If there are others that folks think are worthwhile, we could likely add them at the same time.
Motivation:
Fuzzy hashes would allow us to group by similar entities rather than identical ones. This is helpful for things like similar file identification, etc.
Detailed Design:
New fields:
| Name | Type | Description |
|------|------|-------------|
| `hash.ssdeep` | keyword | SSDEEP hash. |