netzob.Inference.Vocabulary package

Submodules

netzob.Inference.Vocabulary.CorrelationFinder module

netzob.Inference.Vocabulary.EntropyMeasurement module

class EntropyMeasurement

Bases: object

This utility class exposes various methods related to entropy. This measure can be useful for identifying encrypted and compressed chunks of data across various messages. Entropy here means Shannon entropy.

>>> import binascii
>>> from netzob.all import *
>>> fake_random_values = [b"00000906", b"00110906", b"00560902", b"00ff0901"]
>>> messages = [RawMessage(binascii.unhexlify(val)) for val in fake_random_values]
>>> [byte_entropy for byte_entropy in EntropyMeasurement.measure_entropy(messages)]
[0.0, 2.0, 0.0, 1.5]

In the following example, 1000 messages are generated from a simple specification in which 5 bytes are randomly generated. This property is easily spotted by the entropy measurement, as illustrated below.

>>> f1 = Field(b"hello ")
>>> f2 = Field(Raw(nbBytes=5))
>>> f3 = Field(b", welcome !")
>>> s = Symbol(fields=[f1, f2, f3])
>>> messages = [RawMessage(s.specialize()) for x in range(1000)]
>>> bytes_entropy = [byte_entropy for byte_entropy in EntropyMeasurement.measure_entropy(messages)]
>>> min(bytes_entropy[6:11]) > 7
True

You can also measure the entropy of the data accepted by a specific field.

>>> f1 = Field(Raw(nbBytes=2))
>>> f2 = Field(Raw(nbBytes=(10, 20)))
>>> f3 = Field(Raw(nbBytes=2))
>>> s = Symbol(fields=[f1, f2, f3])
>>> s.messages = [RawMessage(s.specialize()) for x in range(1000)]
>>> bytes_entropy = [byte_entropy for byte_entropy in EntropyMeasurement.measure_values_entropy(f2.getValues())]
>>> print(min(bytes_entropy[:10]) > 7)
True

static measure_entropy(messages)

This method returns the entropy of bytes found at each position of the messages.

>>> [x for x in EntropyMeasurement.measure_entropy(messages=None)]
Traceback (most recent call last):
...
Exception: Messages cannot be None
>>> from netzob.all import *
>>> [x for x in EntropyMeasurement.measure_entropy(messages=[RawMessage()])]
Traceback (most recent call last):
...
Exception: At least two messages must be provided

static measure_values_entropy(values)

This method returns the entropy of bytes found at each position of the specified values.

>>> [x for x in EntropyMeasurement.measure_values_entropy(values=None)]
Traceback (most recent call last):
...
Exception: values cannot be None
>>> from netzob.all import *
>>> [x for x in EntropyMeasurement.measure_values_entropy(values=[])]
Traceback (most recent call last):
...
Exception: At least one value must be provided
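
A stand-alone illustration of the per-offset measure described above, added here and not Netzob's own implementation; the function names, the rule for skipping short messages and the sample data are assumptions of this sketch. It also shows the sample-size ceiling: N messages can yield at most log2(N) bits per offset, so a threshold such as 7 is only meaningful with several hundred messages.

```python
import math
import random
from collections import Counter

def positional_entropy(messages):
    """Shannon entropy, in bits, of the byte values seen at each offset."""
    if messages is None or len(messages) < 2:
        raise ValueError("at least two messages must be provided")
    entropies = []
    for offset in range(max(len(m) for m in messages)):
        # Assumption of this sketch: shorter messages are skipped at offsets they lack.
        counts = Counter(m[offset] for m in messages if offset < len(m))
        total = sum(counts.values())
        entropies.append(sum(c / total * math.log2(total / c) for c in counts.values()))
    return entropies

def entropy_ceiling(sample_count):
    """Highest per-offset entropy that sample_count messages can produce."""
    return min(8.0, math.log2(sample_count))

def high_entropy_runs(entropies, threshold, min_len=2):
    """Return (start, end) offset pairs, end exclusive, where entropy stays above threshold."""
    runs, start = [], None
    for offset, value in enumerate(entropies + [0.0]):  # sentinel closes a trailing run
        if value > threshold and start is None:
            start = offset
        elif value <= threshold and start is not None:
            if offset - start >= min_len:
                runs.append((start, offset))
            start = None
    return runs

def constructed_messages(count, seed=0):
    """Constructed sample data: b'hello ' + 5 random bytes + b', welcome !'."""
    rng = random.Random(seed)
    return [b"hello " + bytes(rng.randrange(256) for _ in range(5)) + b", welcome !"
            for _ in range(count)]

if __name__ == "__main__":
    page_sample = [bytes.fromhex(h) for h in ("00000906", "00110906", "00560902", "00ff0901")]
    print(positional_entropy(page_sample))            # same input as the first doctest
    many = positional_entropy(constructed_messages(1000))
    print(high_entropy_runs(many, threshold=7.0))     # offsets of the random field
    few = positional_entropy(constructed_messages(4))
    print(entropy_ceiling(4), high_entropy_runs(few, threshold=7.0))
```

With only four captured messages the random field is still there, but no offset can exceed 2 bits, so the run detector reports nothing.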

netzob.Inference.Vocabulary.Format module

netzob.Inference.Vocabulary.RelationFinder module

netzob.Inference.Vocabulary.all module

Module contents