[
https://issues.apache.org/jira/browse/METRON-1052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16186169#comment-16186169
]
ASF GitHub Bot commented on METRON-1052:
----------------------------------------
Github user cestella commented on a diff in the pull request:
https://github.com/apache/metron/pull/781#discussion_r141931953
--- Diff:
metron-stellar/stellar-common/src/main/java/org/apache/metron/stellar/common/utils/hashing/TLSHHasher.java
---
@@ -0,0 +1,203 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.metron.stellar.common.utils.hashing;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.google.common.base.Joiner;
+import com.google.common.collect.ImmutableList;
+import com.trendmicro.tlsh.BucketOption;
+import com.trendmicro.tlsh.ChecksumOption;
+import com.trendmicro.tlsh.Tlsh;
+import com.trendmicro.tlsh.TlshCreator;
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.EncoderException;
+import org.apache.commons.codec.binary.Hex;
+import org.apache.metron.stellar.common.utils.ConversionUtils;
+import org.apache.metron.stellar.common.utils.JSONUtils;
+import org.apache.metron.stellar.common.utils.SerDeUtils;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.security.NoSuchAlgorithmException;
+import java.util.*;
+import java.util.function.Function;
+
+public class TLSHHasher implements Hasher {
+ public static final String TLSH_KEY = "tlsh";
+ public static final String TLSH_BIN_KEY = "tlsh_bin";
+ public enum Config implements EnumConfigurable {
+ BUCKET_SIZE("bucketSize"),
+ CHECKSUM("checksumBytes"),
+ HASHES("hashes"),
+ FORCE("force")
+ ;
+ final public String key;
+ Config(String key) {
+ this.key = key;
+ }
+
+ @Override
+ public String getKey() {
+ return key;
+ }
+ }
+
+ BucketOption bucketOption = BucketOption.BUCKETS_128;
+ ChecksumOption checksumOption = ChecksumOption.CHECKSUM_1B;
+ Boolean force = true;
+ List<Integer> hashes = new ArrayList<>();
+
+ /**
+ * Returns an encoded string representation of the hash value of the
input. It is expected that
+ * this implementation does throw exceptions when the input is null.
+ *
+ * @param o The value to hash.
+ * @return A hash of {@code toHash} that has been encoded.
+ * @throws EncoderException If unable to encode the hash then
this exception occurs.
+ * @throws NoSuchAlgorithmException If the supplied algorithm is not
known.
+ */
+ @Override
+ public Object getHash(Object o) throws EncoderException,
NoSuchAlgorithmException {
+ TlshCreator creator = new TlshCreator(bucketOption, checksumOption);
--- End diff --
yeah, actually, that's a damned fine suggestion.
> Add forensic similarity hash functions to Stellar
> -------------------------------------------------
>
> Key: METRON-1052
> URL: https://issues.apache.org/jira/browse/METRON-1052
> Project: Metron
> Issue Type: Improvement
> Reporter: Jon Zeolla
>
> This is a follow-on to METRON-539. Currently we have Stellar functions to
> perform cryptographic hashing operations. It would be useful to expand this
> to support forensic similarity hash functions so we could compare the
> similarity of inputs. I can see two main components of this, and one
> secondary/lower priority thought:
> (1) Support of LSH and/or CCTP hash functions (aka forensic similarity hash
> functions) such as sdhash or spamsum/ssdeep. I quickly found some code
> examples[1][2] in Java that have compatible licenses, in case that is
> appealing.
> (2) An approximate string matching function to establish a similarity rating
> between n hashes. ssdeep currently has this via its -x and -k options, and
> there are some other thoughts[3] on how to best do this, but I'm aware there
> are numerous ways that we may want to consider comparing strings for
> similarity (damerau-levenshtein distance, longest common subsequence, etc.).
> (3) Similar to 2, I could see some applicability as a streaming enrichment,
> but as a native feature this would be a much lower priority/potentially a
> separate PR.
> 1:
> https://github.com/pcbje/autopsy-ahbm/blob/master/src/com/pcbje/ahbm/Sdhash.java
> 2: https://github.com/tdebatty/java-spamsum
> 3:
> https://www.virusbulletin.com/virusbulletin/2015/11/optimizing-ssdeep-use-scale
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
