oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2

Add Entropy to File Object #82

Open ikiril01 opened 6 years ago

ikiril01 commented 6 years ago

We should consider adding entropy as a property to the base File Object. Currently we have it just for PE File Sections, and I think there are some decent use cases for characterizing entropy as a part of an entire file (e.g., files that may have been encrypted as part of the activity of ransomware, https://isc.sans.edu/forums/diary/Using+File+Entropy+to+Identify+Ransomwared+Files/21351/).

kumarsubodh commented 6 years ago

I found myself needing this while translating a ReversingLabs report to STIX; there is entropy in each section as well as entropy at the file level. We do not want to lose the information and ended up using a custom property for this, which does not flow well, as this exists in PE File Sections already.

clenk commented 4 years ago

I've had a user comment in favor of this recently.
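
The custom-property workaround described in this thread, as an added example that is not part of the thread or of the STIX specification: it computes whole-file Shannon entropy (bits per byte) and attaches it to a File object dict laid out in STIX 2.1 style. The property name `x_entropy`, the function names, and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import json
import math
import uuid
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return sum(-(n / total) * math.log2(n / total) for n in counts.values())


def file_object_with_entropy(name: str, data: bytes) -> dict:
    """Build a File object dict carrying whole-file entropy as a custom property."""
    return {
        "type": "file",
        "spec_version": "2.1",
        "id": f"file--{uuid.uuid4()}",
        "name": name,
        "size": len(data),
        "hashes": {"SHA-256": hashlib.sha256(data).hexdigest()},
        # Hypothetical custom property: the File object defines no entropy
        # property, which is the gap this issue asks to close.
        "x_entropy": round(shannon_entropy(data), 4),
    }


# Constructed sample inputs: repetitive text versus a uniform byte
# distribution (the latter stands in for encrypted or compressed content).
LOW = b"quarterly report draft " * 200
HIGH = bytes(range(256)) * 16

if __name__ == "__main__":
    for name, blob in (("report.txt", LOW), ("report.txt.locked", HIGH)):
        print(json.dumps(file_object_with_entropy(name, blob), indent=2))
```

Consumers that do not know the custom property will ignore it, which is the interoperability cost the thread points out compared with a property defined on the File object itself.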