Description:
Compares an attribute containing a Fuzzy Hash against a file containing a list of fuzzy hashes, appending an attribute to the FlowFile in case of a successful match.
Tags:
hashing, fuzzy-hashing, cyber-security
Properties:
In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.
| Name | Default Value | Allowable Values | Description |
| Hash List source file | Path to the file containing hashes to be validated against | ||
| Hashing Algorithm |
*ssdeep  *tlsh
|
The hashing algorithm utilized | |
| Hash Attribute Name | fuzzyhash.value | The name of the FlowFile Attribute that should hold the Fuzzy Hash Value | |
| Match threshold | The similarity score must exceed or be equal to in order for match to be considered true. Refer to Additional Information for differences between TLSH and SSDEEP scores and how they relate to this property. | ||
| Matching mode | single |
*single *multi-match
|
Defines if the Processor should try to match as many entries as possible (multi-match) or if it should stop after the first match (single) |
Relationships:
| Name | Description |
| failure | Any FlowFile that cannot be matched, e.g. (lacks the attribute) will be sent to this Relationship. |
| not-found | Any FlowFile that cannot be matched to an existing hash will be sent to this Relationship. |
| found | Any FlowFile that is successfully matched to an existing hash will be sent to this Relationship. |
Reads Attributes:
None specified.
Writes Attributes:
| Name | Description |
| XXXX.N.match | The match that resembles the attribute specified by the Hash Attribute Name property. Note that: 'XXX' gets replaced with the Hash Attribute Name |
| XXXX.N.similarity | The similarity score between this flowfile and its match of the same number N. Note that: 'XXX' gets replaced with the Hash Attribute Name |
State management:
This component does not store state.
Restricted:
This component is not restricted.
Input requirement:
This component requires an incoming relationship.
See Also:
FuzzyHashContent