It would be great to know if Graylog can calculate Shannon entropy. I have tried to set up a proper pipeline, but I don’t know if it is possible to do in the first place.
Shannon entropy is quite useful for finding DNS tunneling and encoded data in general.
This is an interesting suggestion. There’s nothing anywhere in the interface or configuration that does this. You might be able to set up something that interfaces with the elasticsearch API to accomplish this but that’s going to be pretty custom. If you figure out a way to do it please do share it.
While not having heard of Shannon entropy prior to your mentioning it, I did some googling and I can appreciate its usefulness. Based on that, I would think that implementing something along those lines would be restricted to writing a plugin for Graylog.
Maybe a little odd, but check whether a lookup table with an external HTTP request could be an option for you. The external HTTP service should return the entropy for the input, and you can use a pipeline rule to process the lookup table response.
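To make both the original question (entropy of DNS names for tunneling detection) and the lookup-table suggestion above concrete, here is an added example that is not part of this thread or of Graylog itself: a small Python service that computes the Shannon entropy of the non-registered part of a DNS name and returns it as JSON, which a Graylog HTTP-based lookup data adapter could query (the adapter type, the `?key=` parameter name, the port and the two-label registered-domain assumption are all my choices, not anything from the thread).

```python
"""Shannon entropy lookup service for DNS names.

Added example (not Graylog code). Assumptions: the lookup adapter calls
http://127.0.0.1:8089/entropy?key=<fqdn>; the registered domain is the last
two labels of the name (a real deployment should use a public suffix list).
"""
import json
import math
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def shannon_entropy(s: str) -> float:
    """Bits per symbol: -sum(p * log2(p)) over the character frequencies of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def query_labels(fqdn: str, registered_labels: int = 2) -> str:
    """Return the labels in front of the registered domain, joined together.

    'www.example.com' -> 'www'; 'example.com' -> ''.  The fixed two-label
    registered domain is an assumption (fails for e.g. co.uk).
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) <= registered_labels:
        return ""
    return "".join(labels[:-registered_labels])


def entropy_record(fqdn: str) -> dict:
    """Record returned to Graylog; entropy and length are the useful fields."""
    sub = query_labels(fqdn)
    return {
        "query": fqdn,
        "subdomain": sub,
        "length": len(sub),
        "entropy": round(shannon_entropy(sub), 4),
    }


class EntropyHandler(BaseHTTPRequestHandler):
    """GET /entropy?key=<fqdn> -> JSON entropy_record for that name."""

    def do_GET(self):
        key = parse_qs(urlparse(self.path).query).get("key", [""])[0]
        body = json.dumps(entropy_record(key)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the service quiet
        pass


# Constructed sample queries: two ordinary names and one tunnel-like label.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.corp.example.com",
    "2rjsgfq4xz7mkmpk3n6qt4c6vy.t.example.com",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(json.dumps(entropy_record(q)))
    HTTPServer(("127.0.0.1", 8089), EntropyHandler).serve_forever()
```

With the service running, a pipeline rule can call the lookup table for the `query` field of a DNS log message and extract the `entropy` value from the JSON; a threshold on entropy alone gives false positives on short names and CDN hostnames, so combine it with the returned `length` (long, high-entropy labels are the tunneling signature) and with a query rate per client before alerting.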