I see that new indicator types for file hashes (MD5, SHA256, SHA1, SSDEEP) were added in MineMeld 0.9.26 this is awesome, but should those indicator types be selectable from the ( NODES > ADD INDICATOR > TYPE ) drop down menu? I don't see them listed so I'm just trying to figure out how to employ the use of these new indicator types. I'm still very new to MineMeld so still getting familiar and testing it out so my apologies if this is off-base...
Also, does anyone know if we will be able to export AutoFocus file hashes into export lists to leverage them in MineMeld?
currently the only Miner producing hashes is the VirusTotal retrohunt Miner.
Next release (0.9.30) will have better coverage for hashes.
Do you have suggestions for new feeds of hashes we should cover ?
First I just wanted to say thanks for all the great work creating MineMeld and for your part in making it open source!
Would you perhaps have any more info on the VirusTotal retrohunt Miner? Does this pull *all* of the malicious file hashes from VirusTotal or some or how does that work?
Thanks for asking on suggestions, I absolutely have a few:
1.) Team Cymru Malware hash registry would be a great one to have a miner available, it looks like they want open source uses/implementations to reach out to them first like they state here in this page (http://www.team-cymru.org/MHR.html)
2.) It would be *Phenomenal* if an update for AutoFocus subscribers (those of us that have an AutoFocus license) could export file hashes from AutoFocus into export lists to be used with MineMeld (in bulk, if possible, currently we can't add file hashes to export lists it seems..), I'm not sure how/if Palo Alto Networks might feel about that but it certianly would be probably the most epic known malware file hash feed! Do you think this might be possible?
VirusTotal retro hunt is a subscription based feature of VT where you can define Yara rules and be notified every time a new sample uploaded to VT matches one of those rules.
1) I will look into this, thanks !
2) about AutoFocus, a feed containing all the billions of hashes known to AF wouldn't be super useful. But I see your point.
Thanks and please let us know any suggestion you have,
Luigi, i am on VERSION: 0.9.40 (AF)
1) is hashes includeded in the export miner ?
2) is there a miner that i can use to add hashes from nodes->add indicator.
i can only see a miner for virus total. please let me know .
1) hashes are exported by output nodes, which Miner are you using ? The autofocus.samplesMiner support hashes
2) you will be able to do it in the next release (0.9.42)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!