detect/entropy: Add entropy keyword #12385
Draft
+644
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
inashivb
reviewed
Jan 13, 2025
|
|
||
| #[repr(u8)] | ||
| #[derive(PartialEq, Debug)] | ||
| // operators: ==, <, <=, >, >=, != |
There was a problem hiding this comment.
Q: Could we use DetectUintData and its syntax w bytes and offset options here?
There was a problem hiding this comment.
Not directly as the entropy value is a floating point value.
There was a problem hiding this comment.
Would be nice to add a DetectFloatData facility then?
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12385 +/- ##
==========================================
- Coverage 82.49% 80.61% -1.88%
==========================================
Files 912 917 +5
Lines 258220 258782 +562
==========================================
- Hits 213006 208618 -4388
- Misses 45214 50164 +4950
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
WARNING:
Pipeline 24194 |
This commit adds
- Parser for the entropy keyword
- Calculation of content the Shannon entropy value
The entropy keyword syntax is the keyword entropy followed by options
and the entropy value for comparison.
The minimum entropy keyword specification is:
entropy: value <entropy-val>
This results in the calculated entropy value being compared with
<entropy-val> with the equality operator.
A match occurs when the values and operator agree. This example matches
if the calculated and entropy value are the same.
When entropy keyword options are specified, all options and "value" must
be comma-separated. Options and value may be specified in any order.
Options have default values:
- bytes is equal to the current content length
- offset is 0
- oper is equality "=="
entropy: [bytes <byteval>] [offset <offsetval>] [oper <operval>] value <entropy-val>
Using default values:
entropy: bytes 0, offset 0, oper ==, value <entropy-val>
The following operators are available:
- == (default): Match when calculated value equals entropy value
- < Match when calculated value is strictly less than entropy value
- <= Match when calculated value is less than or equal to entropy value
- > Match when calculated value is strictly greater than entropy value
- >= Match when calculated value is greater than or equal to entropy value
- != Match when calculated value is not equal to entropy value
This commit adds keyword/build support for the entropy keyword. The entropy keyword compares an entropy value with a value calculated according to the Shannon entropy on the available content.
This commmit causes the content inspection engine to recognize and invoke the entropy "match" function when the entropy keyword is used.
This commit updates the - Upgrade notes for 7 to 8 - Payload keyword section Both are update to document the new entropy keyword.
|
Information: QA ran without warnings. Pipeline 24215 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds the entropy keyword. See the documentation and commit commits for more information.
(tbd -- details left out for draft PR)
Link to ticket: https://redmine.openinfosecfoundation.org/issues/4162
Describe changes:
Provide values to any of the below to override the defaults.
link to the pull request in the respective
_BRANCHvariable.SV_REPO=
SV_BRANCH=OISF/suricata-verify#2232
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=