Feature #4162
open
rules: entropy rule keyword
Added by Victor Julien about 4 years ago.
Updated 13 days ago.
Description
The idea was brought up at the 2020 brainstorm: a keyword that calculates entropy for a buffer. Might be best implemented as a transform.
Related issues
1 (1 open — 0 closed)
- Related to Task #4097: Suricon 2020 brainstorm added
- Assignee set to Community Ticket
- Target version set to TBD
- Subject changed from rules: entropy transform keyword to rules: entropy rule keyword
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Jeff Lucovsky
Entropy will be added as a keyword (not a transform). Given the output from a transform, a transform isn't suitable for a "match," so signaling a match/no match on the entropy value would be difficult.
Perhaps the absent keyword could be used to permit entropy to be a transformation.
The entropy transform will support options -- here's a draft example that calculates the entropy of the input buffer (4 bytes starting at 30 bytes from the buffer beginning) and signals when the value is <= 7.0:
entropy: bytes 4, offset 30, oper <=,value 7;
This could be combined with the absent keyword to alert:
bytes 4, offset 30, oper <=,value 7; absent;
The signaling would be detected by `absent` (see 7114)
We made the decision to have entropy work on the content (like byte_math, e.g.).
The keyword and its options will remain as is pending review feedback.
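Below is an added reference model of what the draft keyword computes; it is an illustration written for this page, not Suricata's implementation, and does not reflect whatever final syntax was merged. It assumes Shannon entropy in base 2 (so a byte buffer scores between 0.0 and 8.0 bits per byte, which is the scale on which the draft's threshold of 7 makes sense), assumes the option names from the draft (`bytes`, `offset`, `oper`, `value`) with `offset` defaulting to 0, and assumes the set of comparison operators listed in `OPERS`. The sample buffers are constructed for the example. A window that does not fit inside the buffer yields no entropy value and therefore no match, which is the "absent" case the comments discuss.

```python
import math
import operator
from typing import Optional

# Comparison operators the draft's "oper" option is assumed to accept.
OPERS = {
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
    "=": operator.eq, "!=": operator.ne,
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_entropy_options(spec: str) -> dict:
    """Parse the draft option string, e.g. 'bytes 4, offset 30, oper <=,value 7'.

    Defaults (offset 0, oper '<=') are assumptions for this example, not
    documented behaviour of the keyword.
    """
    opts = {"bytes": None, "offset": 0, "oper": "<=", "value": None}
    for item in spec.split(","):
        key, _, val = item.strip().partition(" ")
        key, val = key.strip(), val.strip()
        if key not in opts:
            raise ValueError(f"unknown option {key!r}")
        if key in ("bytes", "offset"):
            opts[key] = int(val)
        elif key == "value":
            opts[key] = float(val)
        else:  # oper
            if val not in OPERS:
                raise ValueError(f"unknown operator {val!r}")
            opts[key] = val
    if opts["bytes"] is None or opts["value"] is None:
        raise ValueError("'bytes' and 'value' are required")
    return opts


def window_entropy(buf: bytes, nbytes: int, offset: int = 0) -> Optional[float]:
    """Entropy of the nbytes starting at offset, or None if the window does
    not fit in the buffer (the 'absent' outcome: nothing to match on)."""
    if nbytes <= 0 or offset < 0 or offset + nbytes > len(buf):
        return None
    return shannon_entropy(buf[offset:offset + nbytes])


def entropy_match(buf: bytes, spec: str) -> bool:
    """Evaluate a draft-style entropy option string against a buffer."""
    opts = parse_entropy_options(spec)
    h = window_entropy(buf, opts["bytes"], opts["offset"])
    if h is None:
        return False
    return OPERS[opts["oper"]](h, opts["value"])


# Constructed sample buffers (not captured traffic).
SAMPLE_LOW = b"A" * 30 + b"\x00\x01\x02\x03" + b"Z" * 6   # 4 distinct bytes at offset 30 -> 2.0 bits
SAMPLE_HIGH = bytes(range(256))                         # every byte value once -> 8.0 bits
SAMPLE_SHORT = b"AB"                                    # window at offset 30 cannot fit

if __name__ == "__main__":
    spec = "bytes 4, offset 30, oper <=,value 7"
    print("low  :", window_entropy(SAMPLE_LOW, 4, 30), entropy_match(SAMPLE_LOW, spec))
    print("high :", window_entropy(SAMPLE_HIGH, 256), entropy_match(SAMPLE_HIGH, "bytes 256, oper >=, value 7"))
    print("short:", window_entropy(SAMPLE_SHORT, 4, 30), entropy_match(SAMPLE_SHORT, spec))
```

The high-entropy buffer is the case a rule writer typically wants to flag (encrypted or compressed payload where plaintext is expected); flipping `oper` to `>=` does that. Note that 4-byte windows, as in the draft example, can never exceed 2.0 bits (at most four distinct symbols), so a threshold of 7 only becomes meaningful with a window of at least 128 bytes.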