gjanders
diff --git a/‎README.md‎
Lines changed: 88 additions & 55 deletions b/‎README.md‎
Lines changed: 88 additions & 55 deletions
@@ -1,4 +1,4 @@
-
+```
                     .___                                  __
                   __| _/____   ___________ ___.__._______/  |_
                  / __ |/ __ \_/ ___\_  __ <   |  |\____ \   __\
@@ -8,7 +8,7 @@
 
                         Original author: Michael Zalewski <[email protected]>
                         New maintainer: Gareth Anderson
-
+```
 
 DECRYPT is a set of Splunk commands which provide encryption and
 decryption routines commonly used in malware communication and data
@@ -51,102 +51,120 @@ The above example can be explained as:
 - Pass the output of `hex` to `emit` with the argument `'decrypted'`, creating a `decrypted` field
 
 ## Functions
-`btoa()`
-Encodes input to a Base64 string.
+### `btoa()`
+- Encodes input to a Base64 string.
 
 `b64(), atob()`
-Decodes a Base64 encoded string.
+- Decodes a Base64 encoded string.
 
 `b32()`
-Decodes a Base32 encoded string.
+- Decodes a Base32 encoded string.
 
 `b58()`
-Decodes a Base58 encoded string.
+- Decodes a Base58 encoded string.
 
 `rotx(count)`
-Implements Caesarian shift. The count argument specifies the amount to shift and must be an integer.
+- Implements Caesarian shift. The count argument specifies the amount to shift and must be an integer.
 
 `rol(count)`
-Implements rotate-on-left to each character within the string using an 8 bit boundary. The count argument specifies the amount to rotate and must be an integer.
+- Implements rotate-on-left to each character within the string using an 8 bit boundary. The count argument specifies the amount to rotate and must be an integer.
 
 `ror(count)`
-Implements rotate-on-right to each character within the string using an 8 bit boundary. The count argument specifies the amount to rotate and must be an integer.
+- Implements rotate-on-right to each character within the string using an 8 bit boundary. 
+- The count argument specifies the amount to rotate and must be an integer.
 
 `xor(key)`
-Implements basic XOR cipher against the field with the supplied key. The key can be provided as a string or integer.
+- Implements basic XOR cipher against the field with the supplied key. 
+- The key can be provided as a string or integer.
 
 `rc4('key')`
-Implements the RC4 cipher against the field with the supplied key. The key provided must be a string.
+- Implements the RC4 cipher against the field with the supplied key. 
+- The key provided must be a string.
 
 `hex()`
-Transforms input into its hexadecimal representation.
+- Transforms input into its hexadecimal representation.
 
 `unhex()`
-Transforms hexadecimal input into its byte form.
+- Transforms hexadecimal input into its byte form.
 
 `save('name')`
-Saves the current state to memory as name.
+- Saves the current state to memory as name.
 
 `load('name')`
-Recalls the previously saved state name from memory.
+- Recalls the previously saved state name from memory.
 
 `ascii()`
-Transforms input into ASCII output. Non-printable characters will be replaced with a period.
+- Transforms input into ASCII output. Non-printable characters will be replaced with a period.
 
 `emit('name')`
-Outputs the current state as UTF-8 to the field name.
+- Outputs the current state as UTF-8 to the field name.
 
 `substr(offset, count)`
-Returns a substring of the input, starting at the index offset with the number of characters count. Set the count to `'null'` to return from the start offset to the end of the input.
+- Returns a substring of the input, starting at the index offset with the number of characters count. 
+- Set the count to `'null'` to return from the start offset to the end of the input.
 
 `slice(start, end)`
-Returns a slice of the input, starting at start offset to the end offset. Set the end to `'null'` to go to the end of the input.
+- Returns a slice of the input, starting at start offset to the end offset. 
+- Set the end to `'null'` to go to the end of the input.
 
 `decode('codec')`
-Returns a decoded version of the input based on the codec, python codec list is available on https://docs.python.org/3/library/codecs.html#standard-encodings
+- Returns a decoded version of the input based on the codec.
+- Python codec list is available on https://docs.python.org/3/library/codecs.html#standard-encodings
 
 `escape`
-Returns a string where control characters, \, and non-ASCII characters are backslash escaped (e.g. `\x0a`, `\\`, `\x80`).
+- Returns a string where control characters, \, and non-ASCII characters are backslash escaped (e.g. `\x0a`, `\\`, `\x80`).
 
 `unescape`
-Returns a string run through python unicode_escape (i.e. return the unicode point(s)). Reverses `escape`. Also unescapes Unicode codepoints (`\uxxxx` or `\Uxxxxxxxx`), which `escape` does not produce.
+- Returns a string run through python unicode_escape (i.e. return the unicode point(s)). Reverses `escape`. 
+- Also unescapes Unicode codepoints (`\uxxxx` or `\Uxxxxxxxx`), which `escape` does not produce.
 
 `htmlescape`
-Returns a string with `&`, `<`, and `>` XML escaped like `&amp;`.
+- Returns a string with `&`, `<`, and `>` XML escaped like `&amp;`.
 
 `htmlunescape`
-Returns a string with HTML references like `&gt;` and `&#62;` unescaped to `>`.
+- Returns a string with HTML references like `&gt;` and `&#62;` unescaped to `>`.
 
 `tr('from', 'to')`
-Takes an argument to translate "from" and an argument of characters to translate "to" and then returns a result with the result (similar to `tr` in Unix).
+- Takes an argument to translate "from" and an argument of characters to translate "to" and then returns a result with the result (similar to `tr` in Unix).
 
 `rev()`
-Returns the input in reverse order.
+- Returns the input in reverse order.
 
 `find('subseq', start)`
-Returns the index of a subsequence "subseq" starting at index "start", or `-1` if the subsequence is not found.
+- Returns the index of a subsequence "subseq" starting at index "start", or `-1` if the subsequence is not found.
 
 `b32re()`
-Returns a reverse-endian base32 decoded string, as used in the SunBurst DGA.
+- Returns a reverse-endian base32 decoded string, as used in the SunBurst DGA.
 
 `b64re()`
-Returns a reverse-endian base64 decoded string.
+- Returns a reverse-endian base64 decoded string.
 
 `zlib_inflate()`
-Returns zlib.decompress() inflated bytes. The window size (wbits) must be provided.
+- Returns zlib.decompress() inflated bytes. 
+- Default window size of -15 (raw inflate) is used if a wbits value is not provided.
+
+`zlib_deflate()`
+- Returns zlib.compress() deflated bytes. 
+- Default level of -1 (currently 6) and window size of -15 (raw deflate) if values are not provided.
+
+`entropy()`
+- Returns base2 entropy of input. The maximum entropy for Unicode strings can be greater than 8.
 
 _Note: you must use **single quotes** around the strings._
 
 # Function Arguments
 ## Strings
-Strings can be specified by encapsulating values in apostrophes (single quote). Strings accept Pythonic escape sequences, so hexadecimal and octal values can be specified with \xhh and \ooo respectively.
+Strings can be specified by encapsulating values in apostrophes (single quote). Strings accept Pythonic escape sequences, so hexadecimal and octal values can be specified with `\xhh` and `\ooo` respectively.
+Unicode values can be expressed as `\u0000` or `\U00000000`
 
 `'This is a valid string'`
+
 `'This is also \x61 valid string.'`
 
 Quotation marks (double quotes) **cannot** be used.
 
 `"This is not a valid string"`
+
 ## Integers
 Integers can be specified numerically or as hexadecimal representations by prefixing values with a 0x.
 
@@ -161,19 +179,23 @@ The above example demonstrates passing the sourcetype field as the key to the xo
 Fields saved using the save command can also be referenced.
 
 `... | decrypt field=_raw substr(0,1) save('1byte') substr(1, 4096) xor(1byte) ...`
+
 ## Style
 Functions which take no arguments do not need parenthesis in order for syntax checking to pass. The following examples will pass syntax checks and execute the same.
 
 `... | decrypt field=_raw b64 hex unhex`
+
 `... | decrypt field=_raw b64() hex() unhex()`
+
 `... | decrypt field=_raw b64() hex unhex`
 
 New lines can be used to break up command sequences for easier readability.
-
-`... | decrypt field=_raw`
-`      b64`
-`      hex`
-`      unhex`
+```
+... | decrypt field=_raw
+      b64
+      hex
+      unhex
+```
 # Recipes
 ## XOR
 `... | decrypt field=data xor('secret') emit('result')`
@@ -182,26 +204,32 @@ New lines can be used to break up command sequences for easier readability.
 ## Base64 decode, XOR
 `... | decrypt field=data b64 xor('secret') emit('result')`
 ## Base64 decode, XOR with first byte
-`... | decrypt field=data`
-      `b64`
-      `save('bin')`
-      `substr(0, 1) emit('key')`
-      `load('bin')`
-      `substr(1, 9999) xor(key) emit('result')`
+```
+... | decrypt field=data
+      b64
+      save('bin')
+      substr(0, 1) emit('key')
+      load('bin')
+      substr(1, 9999) xor(key) emit('result')
+```
 ## Brute force RC4
-`... | decrypt field=data`
-      `b64`
-      `save('orig') rc4('secret') emit('rc4-secret')`
-      `load('orig') rc4('password') emit('rc4-password')`
-      `load('orig') rc4('abc123') emit('rc4-abc123')`
-      `load('orig') rc4('aabbccdd') emit('rc4-aabbccdd')`
+```
+... | decrypt field=data
+      b64
+      save('orig') rc4('secret') emit('rc4-secret')
+      load('orig') rc4('password') emit('rc4-password')
+      load('orig') rc4('abc123') emit('rc4-abc123')
+      load('orig') rc4('aabbccdd') emit('rc4-aabbccdd')
+```
 ## Brute force XOR key
-`... | decrypt field=data`
-      `b64`
-      `save('data') xor(0x01) emit('xor0x01')`
-      `load('data') xor(0x02) emit('xor0x02')`
-      `load('data') xor(0x03) emit('xor0x03')`
-      `...`
+```
+... | decrypt field=data
+      b64
+      save('data') xor(0x01) emit('xor0x01')
+      load('data') xor(0x02) emit('xor0x02')
+      load('data') xor(0x03) emit('xor0x03')
+      ...
+```
 ## Reverse the data field
 `... | decrypt field=data rev`
 
@@ -216,6 +244,11 @@ Shannon Davis (Splunk)
 Steven (malvidin on github)
 
 # Release Notes
+## 2.4.1
+- Added support for null argument padding, so `find('decrypt2')` is equivalent to `find('decrypt2', 0)`
+- Added zlib_deflate for internal validation of zlib_inflate, which can also be used for information analysis
+- Add basic entropy calculation
+
 ## 2.4.0
 Merged pull request from Steven (malvidin on github)