[ https://issues.apache.org/jira/browse/METRON-1052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16186169#comment-16186169 ]
ASF GitHub Bot commented on METRON-1052: ---------------------------------------- Github user cestella commented on a diff in the pull request: https://github.com/apache/metron/pull/781#discussion_r141931953 --- Diff: metron-stellar/stellar-common/src/main/java/org/apache/metron/stellar/common/utils/hashing/TLSHHasher.java --- @@ -0,0 +1,203 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.metron.stellar.common.utils.hashing; + +import com.fasterxml.jackson.core.type.TypeReference; +import com.google.common.base.Joiner; +import com.google.common.collect.ImmutableList; +import com.trendmicro.tlsh.BucketOption; +import com.trendmicro.tlsh.ChecksumOption; +import com.trendmicro.tlsh.Tlsh; +import com.trendmicro.tlsh.TlshCreator; +import org.apache.commons.codec.DecoderException; +import org.apache.commons.codec.EncoderException; +import org.apache.commons.codec.binary.Hex; +import org.apache.metron.stellar.common.utils.ConversionUtils; +import org.apache.metron.stellar.common.utils.JSONUtils; +import org.apache.metron.stellar.common.utils.SerDeUtils; + +import java.io.File; +import java.io.IOException; +import java.nio.file.Files; +import java.security.NoSuchAlgorithmException; +import java.util.*; +import java.util.function.Function; + +public class TLSHHasher implements Hasher { + public static final String TLSH_KEY = "tlsh"; + public static final String TLSH_BIN_KEY = "tlsh_bin"; + public enum Config implements EnumConfigurable { + BUCKET_SIZE("bucketSize"), + CHECKSUM("checksumBytes"), + HASHES("hashes"), + FORCE("force") + ; + final public String key; + Config(String key) { + this.key = key; + } + + @Override + public String getKey() { + return key; + } + } + + BucketOption bucketOption = BucketOption.BUCKETS_128; + ChecksumOption checksumOption = ChecksumOption.CHECKSUM_1B; + Boolean force = true; + List<Integer> hashes = new ArrayList<>(); + + /** + * Returns an encoded string representation of the hash value of the input. It is expected that + * this implementation does throw exceptions when the input is null. + * + * @param o The value to hash. + * @return A hash of {@code toHash} that has been encoded. + * @throws EncoderException If unable to encode the hash then this exception occurs. + * @throws NoSuchAlgorithmException If the supplied algorithm is not known. + */ + @Override + public Object getHash(Object o) throws EncoderException, NoSuchAlgorithmException { + TlshCreator creator = new TlshCreator(bucketOption, checksumOption); --- End diff -- yeah, actually, that's a damned fine suggestion. > Add forensic similarity hash functions to Stellar > ------------------------------------------------- > > Key: METRON-1052 > URL: https://issues.apache.org/jira/browse/METRON-1052 > Project: Metron > Issue Type: Improvement > Reporter: Jon Zeolla > > This is a follow-on to METRON-539. Currently we have Stellar functions to > perform cryptographic hashing operations. It would be useful to expand this > to support forensic similarity hash functions so we could compare the > similarity of inputs. I can see two main components of this, and one > secondary/lower priority thought: > (1) Support of LSH and/or CCTP hash functions (aka forensic similarity hash > functions) such as sdhash or spamsum/ssdeep. I quickly found some code > examples[1][2] in Java that have compatible licenses, in case that is > appealing. > (2) An approximate string matching function to establish a similarity rating > between n hashes. ssdeep currently has this via its -x and -k options, and > there are some other thoughts[3] on how to best do this, but I'm aware there > are numerous ways that we may want to consider comparing strings for > similarity (damerau-levenshtein distance, longest common subsequence, etc.). > (3) Similar to 2, I could see some applicability as a streaming enrichment, > but as a native feature this would be a much lower priority/potentially a > separate PR. > 1: > https://github.com/pcbje/autopsy-ahbm/blob/master/src/com/pcbje/ahbm/Sdhash.java > 2: https://github.com/tdebatty/java-spamsum > 3: > https://www.virusbulletin.com/virusbulletin/2015/11/optimizing-ssdeep-use-scale -- This message was sent by Atlassian JIRA (v6.4.14#64029)