Feature #4162
openrules: entropy rule keyword
Description
The idea was brought up at the 2020 brainstorm: a keyword that calculates entropy for a buffer. Might be best implemented as a transform.
Updated by Victor Julien about 4 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Philippe Antoine 7 months ago
- Assignee set to Community Ticket
- Target version set to TBD
Updated by Jeff Lucovsky about 1 month ago
- Subject changed from rules: entropy transform keyword to rules: entropy rule keyword
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Jeff Lucovsky
Entropy will be added as a keyword (not a transform). Given the output from a transform, a transform isn't suitable for a "match," so signaling a match/no match on the entropy value would be difficult.
Updated by Jeff Lucovsky 15 days ago · Edited
Perhaps the absent keyword could be used to permit entropy to be a transformation.
The entropy transform will support options -- here's a draft example that calculates the entropy of the input buffer (4 bytes starting at 30 bytes from the buffer beginning) and signals when the value is <= 7.0:
entropy: bytes 4, offset 30, oper <=,value 7;
This could be combined with the absent keyword to alert:
bytes 4, offset 30, oper <=,value 7; absent;
The signaling would be detected by `absent` (see 7114)
Updated by Jeff Lucovsky 12 days ago
We made the decision to have entropy work on the content (like byte_math, e.g.).
The keyword and its options will remain as is pending review feedback.
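As an added illustration of what the draft option syntax in this ticket would have to do, here is a small C program written for this page (it is not Suricata's implementation and does not use its APIs). It parses an option string of the form `bytes 4, offset 30, oper <=,value 7`, computes Shannon entropy in bits per byte over the selected window of a buffer, and returns the match decision. The operator set beyond `<=`, the meaning of `bytes 0`, and the rule that a window falling outside the buffer never matches are assumptions; the 40-byte sample buffer is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Operators for the draft "oper" option; everything beyond "<=" is assumed. */
typedef enum { ENT_LT, ENT_LE, ENT_EQ, ENT_GE, ENT_GT } EntropyOper;
static const char *const kOperNames[] = { "<", "<=", "=", ">=", ">" }; /* index == EntropyOper */

typedef struct {
    size_t bytes;      /* window length; 0 means "to the end of the buffer" (assumption) */
    size_t offset;     /* window start relative to the buffer beginning */
    EntropyOper oper;
    double value;      /* threshold in bits per byte */
} EntropyOpts;

/* log2(x) for x > 0 without libm, so the file builds with a bare `cc` call:
 * integer part by normalising x into [1,2), fraction bits by repeated squaring. */
static double Log2(double x) {
    double r = 0.0, bit = 0.5;
    while (x < 1.0) { x *= 2.0; r -= 1.0; }
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    for (int i = 0; i < 52; i++, bit *= 0.5) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
    }
    return r;
}

/* Shannon entropy in bits per byte (0.0 .. 8.0) of buf[offset .. offset+bytes).
 * Returns -1.0 when the window does not fit inside the buffer. */
static double BufferEntropy(const uint8_t *buf, size_t buf_len, size_t offset, size_t bytes) {
    if (offset >= buf_len) return -1.0;
    if (bytes == 0) bytes = buf_len - offset;
    if (bytes > buf_len - offset) return -1.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < bytes; i++) counts[buf[offset + i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)bytes;
        h -= p * Log2(p);
    }
    return h;
}

/* Parse "bytes 4, offset 30, oper <=,value 7" into *o. Unknown option names or
 * operators fail the parse, which is what a rule loader should do at load time. */
static bool EntropyParseOpts(const char *str, EntropyOpts *o) {
    char buf[256], name[16], val[16];
    if (strlen(str) >= sizeof(buf)) return false;
    strcpy(buf, str);
    o->bytes = 0; o->offset = 0; o->oper = ENT_LE; o->value = 0.0;
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (sscanf(tok, " %15s %15s", name, val) != 2) return false;
        if (strcmp(name, "bytes") == 0)        o->bytes = strtoul(val, NULL, 10);
        else if (strcmp(name, "offset") == 0)  o->offset = strtoul(val, NULL, 10);
        else if (strcmp(name, "value") == 0)   o->value = strtod(val, NULL);
        else if (strcmp(name, "oper") == 0) {
            int i = 0;
            while (i < 5 && strcmp(val, kOperNames[i]) != 0) i++;
            if (i == 5) return false;
            o->oper = (EntropyOper)i;
        } else return false;
    }
    return true;
}

/* Match decision: window entropy against the threshold. A window that does not
 * fit in the buffer never matches. */
static bool EntropyMatch(const uint8_t *buf, size_t buf_len, const EntropyOpts *o) {
    double h = BufferEntropy(buf, buf_len, o->offset, o->bytes);
    if (h < 0.0) return false;
    switch (o->oper) {
        case ENT_LT: return h < o->value;
        case ENT_LE: return h <= o->value;
        case ENT_EQ: return h == o->value;
        case ENT_GE: return h >= o->value;
        case ENT_GT: return h > o->value;
    }
    return false;
}

/* Constructed 40-byte sample (not real traffic): filler 0x41 with the 4-byte
 * window under test copied to offset 30, matching the ticket's draft rule. */
static double SampleEntropy(const char *window4) {
    uint8_t buf[40];
    memset(buf, 0x41, sizeof(buf));
    memcpy(buf + 30, window4, 4);
    return BufferEntropy(buf, sizeof(buf), 30, 4);
}

/* Same constructed sample, evaluated against a full draft option string. */
static bool SampleMatch(const char *opts, const char *window4) {
    uint8_t buf[40];
    EntropyOpts o;
    memset(buf, 0x41, sizeof(buf));
    memcpy(buf + 30, window4, 4);
    return EntropyParseOpts(opts, &o) && EntropyMatch(buf, sizeof(buf), &o);
}
```

Calling `SampleMatch("bytes 4, offset 30, oper <=,value 7", "ABCD")` evaluates the ticket's draft rule against the constructed buffer; the window `ABCD` has entropy 2.0 bits per byte, so the rule matches. One sizing point worth keeping in mind when writing such rules: a window of N bytes can never exceed min(8, log2 N) bits per byte, so a 4-byte window tops out at 2.0 and a threshold of 7 only discriminates anything on windows of at least 128 bytes.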