From 4afccb396a57069fb9e689e2edbe6add2c8a0497 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Wed, 5 Feb 2025 16:03:08 -0500 Subject: [PATCH] doc/entropy: Add documentation for the entropy keyword This commit updates the - Upgrade notes for 7 to 8 - Payload keyword section Both are updated to document the new entropy keyword. --- doc/userguide/rules/payload-keywords.rst | 64 ++++++++++++++++++++++++ doc/userguide/upgrade.rst | 2 + 2 files changed, 66 insertions(+) diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 780ad111f7dc..e7811c98b913 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst 
@@ -669,6 +669,70 @@ Example:: flow:established,to_server; content:"|00 FF|"; \ byte_extract:2,0,cmp_ver,relative; content:"FooBar"; distance:0; byte_test:2,=,cmp_ver,0; sid:3;) +.. _keyword_entropy: + +entropy +------- + +The ``entropy`` keyword calculates the Shannon entropy value for content and compares it with +an entropy value. When there is a match, rule processing will continue. Entropy values +are between 0.0 and 8.0, inclusive. Internally, entropy is representing as a 64-bit +floating point value. + +The ``entropy`` keyword syntax is the keyword entropy followed by options +and the entropy value and operator used to determine if the values agree. + +The minimum entropy keyword specification is:: + + entropy: value + +This results in the calculated entropy value being compared with +`entropy-spec` using the (default) equality operator. + +Example:: + + entropy: 7.01 + +A match occurs when the calculated entropy and specified entropy values agree. +This is determined by calculating the entropy value and comparing it with the +value from the rule using the specified operator. + +Example:: + + entropy: <7.01 + +Options have default values: +- bytes is equal to the current content length +- offset is 0 +- equality comparison + +When entropy keyword options are specified, all options and "value" must +be comma-separated. Options and value may be specified in any order. 
+ +The complete format for the ``entropy`` keyword is:: + + entropy: [bytes ] [offset ] value + +This example shows all possible options with default values and an entropy value of `4.037`:: + + entropy: bytes 0, offset 0, value = 4.037 + +The following operators are available:: + + * = (default): Match when calculated value equals entropy value + * < Match when calculated value is strictly less than entropy value + * <= Match when calculated value is less than or equal to entropy value + * > Match when calculated value is strictly greater than entropy value + * >= Match when calculated value is greater than or equal to entropy value + * != Match when calculated value is not equal to entropy value + * x-y Match when calculated value is within the exclusive range + * !x-y Match when calculated value is not within the exclusive range + +This example matches if the `file.data` content for an HTTP transaction has +a Shannon entropy value of 4 or higher:: + + alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value >= 4; sid:1;) + rpc --- diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 3e442b3eb8c9..709faa5acabc 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -103,6 +103,8 @@ Major changes change, however if you run these tools from the source directory, patch them or use them as Python modules your workflows may need to be adapted. +- New rule keyword ``entropy`` for alerting based on entropy values. See + :ref:`keyword_entropy`. Removals ~~~~~~~~
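Review bot: in the payload-keywords.rst hunk, the bullet list after "Options have default values:" has no blank line before it, so docutils will not render it as a list, and the "::" on "The following operators are available::" makes the operator list a literal block, so the "*" bullets render verbatim; drop the second colon and add the blank line. Wording: "entropy is representing as a 64-bit floating point value" should read "is represented as", and "`entropy-spec`" is not defined anywhere in the section (the format line calls it "value"). In "entropy: [bytes ] [offset ] value" the placeholders after bytes and offset are empty as written; if angle-bracket placeholders were intended they are being swallowed as markup and belong inside double backticks. Two points of substance worth tightening: the defaults say bytes equals the current content length while the all-defaults example uses "bytes 0", so say explicitly that 0 means the whole buffer; and "within the exclusive range" for x-y should state that the endpoints x and y themselves do not match.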
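Review bot: in the upgrade.rst hunk, the new bullet could say what the keyword measures and where, since "alerting based on entropy values" is vague for an upgrade note; something like "New rule keyword ``entropy`` for matching on the Shannon entropy of payload or buffer content (for example ``file.data``)" follows the keyword section's own example. The :ref:`keyword_entropy` target matches the ".. _keyword_entropy:" label added in payload-keywords.rst, so the cross-reference resolves.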