JSON structure of events: malware.hash #732

Closed
cert-lv opened this issue Oct 11, 2016 · 5 comments
Labels
bug Indicates an unexpected problem or unintended behavior data-format
Comments

@cert-lv
Contributor

cert-lv commented Oct 11, 2016

In IntelMQ the event object (etc/harmonization.conf) mostly looks like a JSON object. For example classification.identifier, classification.taxonomy, destination.abuse_contact, destination.geolocation.cc etc. can be represented as:

event
    |
    +- classification
    |   |
    |   +- identifier
    |   +- taxonomy
    |
    +- destination
        |
        +- abuse_contact
        +- geolocation
            |
            +- cc

.. and so on.

But there is one field, called malware.hash, which is a string technically and an object logically at the same time:

malware.hash      - string (should be an object only)
malware.hash.md5  - string
malware.hash.sha1 - string

If someone wants to convert the whole event to a multilevel JSON object, they will fail because of this one field.

Could you replace malware.hash with malware.hash.other (if the hash type is unknown), for example? Another name is acceptable.

On the one hand probably many parsers will have to be updated, but on the other hand you will get a beautiful and correct JSON object.

@sebix sebix added bug Indicates an unexpected problem or unintended behavior data-format labels Oct 11, 2016
@sebix sebix added this to the v1.0 Stable Release milestone Oct 11, 2016
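The conflict described in this issue, as an added example that is not IntelMQ's own code: a flat event with dotted keys is turned into a nested object, the check shows that the current malware.hash key is both a string and a prefix, and the proposed rename to malware.hash.other makes the conversion succeed. The event values are constructed for the example.

```python
# Added example (not part of IntelMQ): nest a flat, dotted-key event into a
# multilevel JSON object and detect keys that are both a string and an object.
import json

# Constructed sample event in the current harmonization layout, where
# malware.hash is a string while malware.hash.md5 is also a key.
CURRENT_EVENT = {
    "classification.taxonomy": "malicious code",
    "classification.identifier": "example-family",
    "destination.abuse_contact": "abuse@example.com",
    "destination.geolocation.cc": "LV",
    "malware.hash": "00" * 16,
    "malware.hash.md5": "00" * 16,
}


def find_conflicts(flat):
    """Return keys that carry a value and are also a prefix of another key."""
    return sorted(k for k in flat if any(o.startswith(k + ".") for o in flat))


def rename_unknown_hash(flat):
    """Apply the rename proposed in this issue: malware.hash -> malware.hash.other."""
    fixed = dict(flat)
    if "malware.hash" in fixed:
        fixed["malware.hash.other"] = fixed.pop("malware.hash")
    return fixed


def nest_event(flat):
    """Build the nested object; refuse when a string and an object share a path."""
    conflicts = find_conflicts(flat)
    if conflicts:
        raise ValueError("cannot nest, string and object share a path: " + ", ".join(conflicts))
    nested = {}
    for key, value in flat.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return nested


if __name__ == "__main__":
    print("conflicts in current layout:", find_conflicts(CURRENT_EVENT))
    print(json.dumps(nest_event(rename_unknown_hash(CURRENT_EVENT)), indent=2, sort_keys=True))
```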
@dmth
Contributor

dmth commented Oct 12, 2016

Thanks for reporting this. I think you are correct.

When this issue is fixed, migrations of the eventDB might become necessary.

@sebix sebix changed the title "event" JSON structure JSON structure of events: malware.hash Nov 16, 2016
@SYNchroACK
Contributor

@dmth is it ok for you guys if we fix this in the next days or is there any current compatibility issue?

@aaronkaplan
Member

aaronkaplan commented Dec 29, 2016 via email

@SYNchroACK
Contributor

Email sent.
Subject: "IntelMQ Data Harmonization (DHO) - malware.hash key (issue 732)".

Will wait for feedback and then we will proceed with the fix.

@SYNchroACK
Contributor

related to #394

@ghost ghost assigned ghost and unassigned aaronkaplan Feb 13, 2017