Added by Victor Julien over 5 years ago. Updated about 1 year ago.
Description
The idea was brought up at the 2020 brainstorm: a keyword that calculates entropy for a buffer. Might be best implemented as a transform.
Entropy will be added as a keyword (not a transform). Given the output from a transform, a transform isn't suitable for a "match," so signaling a match/no match on the entropy value would be difficult.
Perhaps the absent keyword could be used to permit entropy to be a transformation.
The entropy transform will support options -- here's a draft example that calculates the entropy of the input buffer (4 bytes starting at 30 bytes from the buffer beginning) and signals when the value is <= 7.0:
entropy: bytes 4, offset 30, oper <=,value 7;
This could be combined with the absent keyword to alert:
bytes 4, offset 30, oper <=,value 7; absent;
The signaling would be detected by `absent` (see 7114)
We made the decision to have entropy work on the content (like byte_math, e.g.).
The keyword and its options will remain as is pending review feedback.