Graylog entropy calculation

Hello everyone!

It would be great to know if Graylog can calculate Shannon entropy. I have tried to set up a proper pipeline, but I don’t know if it is possible to do in the first place.

Shannon entropy is quite useful for finding DNS tunneling and encoded data in general.

I would be grateful for any advice!
Thank you!

Hello @pasha_ibr, welcome!

This is an interesting suggestion. There’s nothing anywhere in the interface or configuration that does this. You might be able to set up something that interfaces with the Elasticsearch API to accomplish this, but that’s going to be pretty custom. If you figure out a way to do it, please do share it.

While not having heard of Shannon entropy prior to your mentioning it, I did some googling and I can appreciate its usefulness. Based on that, I would think that implementing something along those lines would be restricted to writing a plugin for Graylog.

Plugins — Graylog 4.0.0 documentation

I don’t think the capability would be possible in the pipelines… but I could be wrong.

Thank you for the replies! I really appreciate your help.

I will probably write something myself if my boss says so. If that is the case, I’ll happily paste it here :smiley:


Maybe a little odd, but check whether a lookup table with an external HTTP request could be an option for you. The external HTTP service should return the entropy based on the input, and you can use a pipeline rule to process the lookup table response.
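The external service suggested in the last reply could look like the sketch below. It is an added example, not code from the thread or from Graylog; the port, the `value` query parameter, the JSON field names and the choice to score the longest DNS label are assumptions of this example.

```python
import json
import math
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character: H = sum(p * log2(1/p))."""
    total = len(text)
    if total == 0:
        return 0.0
    counts = Counter(text)
    return sum((n / total) * math.log2(total / n) for n in counts.values())


def score_query_name(name: str) -> dict:
    """Score the longest label of a DNS name (a choice made for this example)."""
    labels = [part for part in name.lower().rstrip(".").split(".") if part]
    longest = max(labels, key=len, default="")
    # Entropy is capped at log2(length), so the length is returned as well:
    # a short label can never score high and should not be compared to a long one.
    return {
        "label": longest,
        "length": len(longest),
        "entropy": round(shannon_entropy(longest), 3),
    }


class EntropyHandler(BaseHTTPRequestHandler):
    """GET /?value=<query name> -> JSON (parameter name is hypothetical)."""

    def do_GET(self):
        value = parse_qs(urlparse(self.path).query).get("value", [""])[0]
        body = json.dumps(score_query_name(value)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep looked-up values out of the service's stderr


if __name__ == "__main__":
    # Bind to loopback only; the port is an arbitrary choice for this example.
    HTTPServer(("127.0.0.1", 8099), EntropyHandler).serve_forever()
```

A pipeline rule reading the lookup result would compare both `entropy` and `length` against thresholds tuned on your own DNS traffic.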
