Feature #4162
closedrules: entropy rule keyword
Description
The idea was brought up at the 2020 brainstorm: a keyword that calculates entropy for a buffer. Might be best implemented as a transform.
VJ Updated by Victor Julien over 5 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
PA Updated by Philippe Antoine almost 2 years ago
- Assignee set to Community Ticket
- Target version set to TBD
JL Updated by Jeff Lucovsky over 1 year ago
- Subject changed from rules: entropy transform keyword to rules: entropy rule keyword
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Jeff Lucovsky
Entropy will be added as a keyword (not a transform). Given the output from a transform, a transform isn't suitable for a "match," so signaling a match/no match on the entropy value would be difficult.
JL Updated by Jeff Lucovsky about 1 year ago ยท Edited
Perhaps the absent keyword could be used to permit entropy to be a transformation.
The entropy transform will support options -- here's a draft example that calculates the entropy of the input buffer (4 bytes starting at 30 bytes from the buffer beginning) and signals when the value is <= 7.0:
entropy: bytes 4, offset 30, oper <=,value 7;
This could be combined with the absent keyword to alert:
bytes 4, offset 30, oper <=,value 7; absent;
The signaling would be detected by `absent` (see 7114)
JL Updated by Jeff Lucovsky about 1 year ago
We made the decision to have entropy work on the content (like byte_math, e.g.).
The keyword and its options will remain as is pending review feedback.
JL Updated by Jeff Lucovsky about 1 year ago
- Status changed from Assigned to In Review
JL Updated by Jeff Lucovsky about 1 year ago
- Precedes Feature #7572: Relative offset support for the entropy keyword added
JL Updated by Jeff Lucovsky about 1 year ago
- Status changed from In Review to Closed