Adds a new field, ReqEntropy, to DNS and HTTP logs. It contains the shannon entropy of URIs in HTTP get strings, or in DNS subdomains. It is a good field to search on for exfil through http gets and DNS channels In the kibana dev console, or using curl or similar 1. Post the CalcEntropy script 2. Create BRO pipeline 3. Create DNSHTTP pipeline 4. Test pipeline using the provided test script In your elk master server: Replace 9000_bro_config file with the new one in /etc/logstash/conf.d adds a new line to send bro logs to the BRO pipeline in ELK Replace logstash-template.json adds a mappings for the new fields TotalEntropy, NormalizedEntropy and SymbolEntropy as doubles Note: either wait a day for the new fields to be mapped when the log rolls over, or reindex with so-elastic-reindex https://github.com/Security-Onion-Solutions/security-onion/wiki/Re%E2%80%90Indexing Refresh the mapping in management-indexpatterns-logstash* -> refresh button Totalentropy - can be interpreted as the information content of the field (URI or subdomain in this case). High values indicate information is being transmitted in the field (abnormal for get strings and subdomains) SymbolEntropy - The average information contained in every symbol of the field. High values indicate a large random symbol set (e.g. encoded/encrypted). Low values indicate small/less random sets. NormalizedEntropy - the symbol entropy normalized by the size of the symbol set. Measure of randomness of the set, removes set size from symbol entropy. 1 is a flat distribution (indication of compression/encryption), the more peaked the distribution is the closer it gets to 0.