Open ikiril01 opened 6 years ago
I found myself needing this while translating a ReversingLabs report to STIX; there is entropy in each section as well as entropy at file level. We do not want to lose the information and ended up using a custom property for this, which does not flow well, as this exists in PE File Sections already.
I've had a user comment in favor of this recently.
We should consider adding entropy as a property to the base File Object. Currently we have it just for PE File Sections, and I think there are some decent use cases for characterizing entropy as a part of an entire file (e.g., files that may have been encrypted as part of the activity of ransomware, https://isc.sans.edu/forums/diary/Using+File+Entropy+to+Identify+Ransomwared+Files/21351/).
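An added illustration of the gap discussed in this thread (not code from the STIX project or from any commenter): it computes Shannon entropy per section and for the whole file, then builds a STIX 2.1 File object where section entropy uses the existing `entropy` property of the PE section type and file-level entropy has to fall back to a custom property. The property name `x_example_entropy`, the file name and the section bytes are constructed for the example, and no real PE parsing is done.

```python
import json
import math
import uuid
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())


def build_file_object(name: str, sections: list) -> dict:
    """Build a STIX 2.1 File object from (section_name, section_bytes) pairs."""
    whole = b"".join(body for _, body in sections)
    return {
        "type": "file",
        "spec_version": "2.1",
        "id": f"file--{uuid.uuid4()}",
        "name": name,
        "size": len(whole),
        # Hypothetical custom property: the base File object has no entropy field.
        "x_example_entropy": round(shannon_entropy(whole), 4),
        "extensions": {
            "windows-pebinary-ext": {
                "pe_type": "exe",
                "sections": [
                    # The PE section type already defines "entropy".
                    {"name": sec, "size": len(body),
                     "entropy": round(shannon_entropy(body), 4)}
                    for sec, body in sections
                ],
            }
        },
    }


# Constructed sample data: a repetitive code-like section and a uniform
# (packed/encrypted-looking) section.
SAMPLE_SECTIONS = [
    (".text", b"\x55\x8b\xec\x90" * 1024),
    (".rsrc", bytes(range(256)) * 16),
]

if __name__ == "__main__":
    print(json.dumps(build_file_object("sample.exe", SAMPLE_SECTIONS), indent=2))
```
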