git.ipfire.org Git - thirdparty/suricata.git/commitdiff
detect/entropy: Clarify when entropy is logged
author Jeff Lucovsky <jlucovsky@oisf.net>
Wed, 18 Jun 2025 13:14:16 +0000 (09:14 -0400)
committer Victor Julien <victor@inliniac.net>
Sat, 21 Jun 2025 19:32:49 +0000 (21:32 +0200)
Clarify when entropy values are logged and associated with non-alert log
records.

doc/userguide/rules/payload-keywords.rst

index 71885ef05b56ae05a9e04bb69f0274c86012a968..8e9d8f71fac1a7b29aeaa031bd72e79305a3423d 100644 (file)
@@ -737,10 +737,11 @@ Logging
 ~~~~~~~
 
 When the ``entropy`` rule keyword is provided and the rule is evaluated, the
-`calculated entropy` value is logged within the ``metadata`` section of an
-output log. If the alert matched, it will be included there; here's an example
-that shows the calculated entropy value with the buffer on which the value was
-computed::
+`calculated entropy` value is associated with the flow even if the calculated
+entropy value didn't result in a match or alert. Subsequent logging of event
+types that include the flow, including alerts, will contain the ``entropy`` value in
+the ``metadata`` section of an output log. The follow is an example that shows
+the calculated entropy value with the buffer on which the value was computed::
 
      "metadata": {
         "entropy": {
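Review bot: the last added line of this hunk has a typo, "The follow is an example" should read "The following is an example". In the same paragraph, the first added line says "the `calculated entropy` value is associated with the flow even if the calculated entropy value didn't result in a match or alert", which repeats the noun phrase; "even if it did not produce a match or alert" reads more cleanly. Since the point of the change is that the ``entropy`` value now appears on records other than alerts, the sentence "Subsequent logging of event types that include the flow, including alerts" would be more useful to readers if it named which record types carry the ``metadata`` section, so users know where to expect the value when no alert fired.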