Stan 0.4.1 - Stream Analyzer
Copyright © 2001, 2003, 2004 by Konrad Rieck
Introduction
Stan is a console application that analyzes binary streams and calculates several useful statistical information from the observed data. It features statistical, pattern and bit analysis. Stan has been designed as a "swiss-knife" for first steps in reverse engineering and cryptographic analysis.
Changes
| Version | Date | Changes |
| 0.4.1 | 2004-09-15 | Minor documentation fixes. |
| 0.4 | 2003-11-23 | Removed documentation and code cruft from late 2001. |
| 0.3 | 2001-07-18 | Added entropy and serial correlation calculations. |
| 0.2 | 2001-04-10 | First public release. |
Downloads
| Source packages | Release | Source Package | Size |
| Stan 0.4.1 | stan-0.4.1.tar.gz | 37kb |
| Stan 0.4 | stan-0.4.tar.gz | 37kb |
| Stan 0.3 | stan-0.3.tar.gz | 35kb |
| Stan 0.2 | stan-0.2.tar.gz | 35kb |
Details
Stan's functionality can be divided into three types of analysis: general statistics, pattern analysis and bit analysis.
- General Statistics
- Stan uses the bytes of the input data to calculate statistic standard
values, such as the mean, the median, the deviation, the chi-square
value, and the entropy per byte. Where possible the corresponding ASCII
characters are printed after the decimal value in order to simplify
text analysis.
- Pattern Analysis
- Stan records all observed patterns up to the pattern length patlen and
efficiently stores them in a treap (binary tree with heap properties).
Stan can easily process patterns up to a length of 10 on non-random
data
- Bit Analysis
- Stan observes so called runs which are sequences of the same bit,
e.g. 000 or 11. According to the analysis of pseudo random number
genera tors, it then calculates the following ratios:
Length Ratios. The number runs of length n is divided by the number of runs of length (n+1). If the input data is rather random, the ratio should be 2.
0/1 Ratios. The number of 0-runs of length n is divided by the number of 1-runs of the same length. If the input data is rather random, this ratio should be 1.
Installation
The installation process is straight forward, as long as your are running a POSIX compliant operating system, such as Linux or any BSD.
$ ./configure
$ make
# make install
Usage
stan [ -bhvV ] [ -f filter ] [ -n number ] [ -p patlen ] [ file ... ]
- -f filter
- Use a filter before passing the data to the analysis engine. The
following filter may be used to restrict the range of data.
- 0 No filter (default)
- 1 Analyse only printable characters.
- 2 Analyse only alphanumeric characters.
- 1 Analyse only printable characters.
- 0 No filter (default)
- -n number
- Display number of patterns. The default value is 10. You should
keep this value rather small because a lot of patterns may be
found in a large data stream.
- -p patlen
- Analyse patterns from 1 to patlen length. The length of the
pattern is measured in bytes.
- -b
- Enable bit analysis.
- -h
- Print a help screen to stderr.
- -v
- Print verbose information.
- -V
- Display the version and copyright notice.
Examples
Learn about your password file. Before you execute the following command, guess which is the most common 2 byte pattern.
$ stan /etc/passwd.
If you want to analyse your PRNG device, try the following setup
$ dd if=/dev/urandom count=10 | stan -b
You may also use stan to analyse text. Let's look at the most common
letter patterns in this man page.
$ man stan | stan -p 5 -f 2