Using new MineMeld file hash indicators?

L1 Bithead

Using new MineMeld file hash indicators?

I see that new indicator types for file hashes (MD5, SHA256, SHA1, SSDEEP) were added in MineMeld 0.9.26 this is awesome, but should those indicator types be selectable from the ( NODES > ADD INDICATOR > TYPE ) drop down menu?  I don't see them listed so I'm just trying to figure out how to employ the use of these new indicator types.  I'm still very new to MineMeld so still getting familiar and testing it out so my apologies if this is off-base...

 

Also, does anyone know if we will be able to export AutoFocus file hashes into export lists to leverage them in MineMeld?

L7 Applicator

Re: Using new MineMeld file hash indicators?

Hi @DrewDixon,

currently the only Miner producing hashes is the VirusTotal retrohunt Miner.

Next release (0.9.30) will have better coverage for hashes.

 

Do you have suggestions for new feeds of hashes we should cover ?

 

Thanks,

luigi

L1 Bithead

Re: Using new MineMeld file hash indicators?

Hi @lmori,

 

First I just wanted to say thanks for all the great work creating MineMeld and for your part in making it open source!

 

Would you perhaps have any more info on the VirusTotal retrohunt Miner?  Does this pull *all* of the malicious file hashes from VirusTotal or some or how does that work?

 

Thanks for asking on suggestions, I absolutely have a few:

 

1.) Team Cymru Malware hash registry would be a great one to have a miner available, it looks like they want open source uses/implementations to reach out to them first like they state here in this page (http://www.team-cymru.org/MHR.html)

 

2.) It would be *Phenomenal* if an update for AutoFocus subscribers (those of us that have an AutoFocus license) could export file hashes from AutoFocus into export lists to be used with MineMeld (in bulk, if possible, currently we can't add file hashes to export lists it seems..), I'm not sure how/if Palo Alto Networks might feel about that but it certianly would be probably the most epic known malware file hash feed!  Do you think this might be possible?

 

Thoughts?

 

Thank you,

 

-Drew

L7 Applicator

Re: Using new MineMeld file hash indicators?

Hi @DrewDixon,

VirusTotal retro hunt is a subscription based feature of VT where you can define Yara rules and be notified every time a new sample uploaded to VT matches one of those rules.

 

1) I will look into this, thanks !

2) about AutoFocus, a feed containing all the billions of hashes known to AF wouldn't be super useful. But I see your point.

 

Thanks and please let us know any suggestion you have,

luigi 

L0 Member

Re: Using new MineMeld file hash indicators?

Luigi, i am on VERSION: 0.9.40 (AF)

 

1) is hashes includeded in the export miner ?

2) is there a miner that i can use to add hashes from nodes->add indicator.

 

i can only see a miner for virus total. please let me know .

 

thanks

 

Highlighted
L7 Applicator

Re: Using new MineMeld file hash indicators?

Hi @Jerin,

1) hashes are exported by output nodes, which Miner are you using ? The autofocus.samplesMiner support hashes

2) you will be able to do it in the next release (0.9.42)

 

Thanks,

luigi

L0 Member

Re: Using new MineMeld file hash indicators?

Thanks Luigi .

 i am able to get hash from autofocus.samplesminer. wondering if "Export List Miner" support hash too?

i see only  IPv4, URL, and domain indicators.

Thanks

Jerin

L7 Applicator

Re: Using new MineMeld file hash indicators?

Hi @Jerin,

you can't add hashes to export list. Please, could you provide more details about your use case ?

 

Thanks,

luigi

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!