authorToni Uhlig <matzeton@googlemail.com>2021-08-05 13:04:36 +0200
committerToni Uhlig <matzeton@googlemail.com>2021-08-05 13:26:46 +0200
commitd5227f6c0990590ab951f3fea082c4ef60a1d659 (patch)
treeaa4948afc25796cc42579a78479c2feeace3f84a
parentdc841574af54d59ca8cfd0aa30fcc471c598dbbb (diff)
Added entropy calculation to check for suspicious (encrypted) payload.add/entropy-calc-and-check
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/include/ndpi_main.h3
-rw-r--r--src/include/ndpi_typedefs.h6
-rw-r--r--src/lib/ndpi_main.c11
-rw-r--r--src/lib/ndpi_utils.c17
-rw-r--r--tests/result/quic_interop_V.pcapng.out12
5 files changed, 35 insertions, 14 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 0cd41d2b8..40ad61dfb 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -154,7 +154,8 @@ extern "C" {
void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow, ndpi_risk_enum r);
int ndpi_is_printable_string(char const * const str, size_t len);
- float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len);
+#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f)
+ float ndpi_entropy(u_int8_t const * const buf, size_t len);
void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str,
const char *alpn_to_check, u_int alpn_to_check_len);
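Review bot: The `NDPI_ENTROPY_ENCRYPTED_OR_RANDOM` macro uses its argument unparenthesized, so an expression argument such as a conditional would bind incorrectly against `>`; write it as `#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) ((entropy) > 7.0f)`. The fixed 7.0 bits-per-byte cutoff also deserves a comment: the byte entropy of an n-byte buffer cannot exceed log2(n), so payloads of 128 bytes or fewer can never trip it, while compressed data can trip it as readily as ciphertext. Separately, renaming the exported `ndpi_calculate_entropy` to `ndpi_entropy` breaks any external caller of the old name; if this header is public API, a compatibility alias or a changelog entry would help.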
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 9aaa6c63f..1430a66c2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -103,6 +103,7 @@ typedef enum {
NDPI_TLS_UNCOMMON_ALPN,
NDPI_TLS_CERT_VALIDITY_TOO_LONG,
NDPI_TLS_EXTENSION_SUSPICIOUS,
+ NDPI_ENTROPY_SUSPICIOUS,
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
@@ -735,6 +736,8 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */
u_int32_t ddlink_server_direction:1;
+
+ /* Part of the TCP header. */
u_int32_t seen_syn:1;
u_int32_t seen_syn_ack:1;
u_int32_t seen_ack:1;
@@ -1290,6 +1293,9 @@ struct ndpi_flow_struct {
struct ndpi_flow_udp_struct udp;
} l4;
+ /* Some protocols calculate the entropy. */
+ float entropy;
+
/* Place textual flow info here */
char flow_extra_info[16];
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index aa3934a0f..56c176377 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -104,6 +104,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_TLS_UNCOMMON_ALPN, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_TLS_CERT_VALIDITY_TOO_LONG, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_TLS_EXTENSION_SUSPICIOUS, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_ENTROPY_SUSPICIOUS, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
@@ -2836,6 +2837,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
break;
case NDPI_ICMP_PROTOCOL_TYPE:
if(flow) {
+ flow->entropy = 0.0f;
/* Run some basic consistency tests */
if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr))
@@ -2848,6 +2850,15 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
if(((icmp_type >= 44) && (icmp_type <= 252))
|| (icmp_code > 15))
ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET);
+ if (flow->packet.payload_packet_len > sizeof(struct ndpi_icmphdr))
+ {
+ flow->entropy = ndpi_entropy(flow->packet.payload + sizeof(struct ndpi_icmphdr),
+ flow->packet.payload_packet_len - sizeof(struct ndpi_icmphdr));
+ if (NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(flow->entropy) != 0)
+ {
+ ndpi_set_risk(ndpi_str, flow, NDPI_ENTROPY_SUSPICIOUS);
+ }
+ }
}
}
return(NDPI_PROTOCOL_IP_ICMP);
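Review bot: The entropy check on `flow->packet.payload + sizeof(struct ndpi_icmphdr)` runs for every ICMP type, including error messages that quote part of the datagram that triggered them, so ordinary encrypted traffic that elicits an ICMP error gets reported as `NDPI_ENTROPY_SUSPICIOUS`. The updated expectations in tests/result/quic_interop_V.pcapng.out look like exactly that case: several ICMP flows in a QUIC interop capture now carry the risk. Consider limiting the measurement to echo request/reply, e.g. `if ((icmp_type == 0 || icmp_type == 8) && flow->packet.payload_packet_len > sizeof(struct ndpi_icmphdr))`, and documenting that `flow->entropy` holds only the most recent packet's value, since it is reset to `0.0f` at the top of this case. The enclosing `case` body starts outside this hunk.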
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 48788c15d..1509515c0 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1126,6 +1126,9 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_serialize_start_of_block(serializer, "ndpi");
ndpi_serialize_risk(serializer, flow);
+ if (l7_protocol.master_protocol == NDPI_PROTOCOL_IP_ICMP && flow->entropy > 0.0f) {
+ ndpi_serialize_string_float(serializer, "entropy", flow->entropy, "%.6f");
+ }
ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol, buf, sizeof(buf)));
ndpi_protocol_breed_t breed =
ndpi_get_proto_breed(ndpi_struct,
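Review bot: `flow->entropy > 0.0f` is being used as a "was measured" flag, so a payload of identical bytes (entropy exactly 0) is serialized the same as no measurement at all. The field is only written on the ICMP path in `ndpi_guess_protocol_id`; whether it is zeroed for other flows depends on how the flow struct is allocated, which is not visible here. It is also worth confirming that ICMP flows really arrive with `NDPI_PROTOCOL_IP_ICMP` in `l7_protocol.master_protocol` rather than `app_protocol`, otherwise this branch never emits the key. A short comment such as `/* entropy of the last ICMP payload, bits per byte; omitted when not computed */` would document the JSON field. `ndpi_dpi2json` continues outside the hunk.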
@@ -1774,6 +1777,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_TLS_EXTENSION_SUSPICIOUS:
return("TLS extension suspicious");
+ case NDPI_ENTROPY_SUSPICIOUS:
+ return("Entropy suspicious");
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
@@ -2126,16 +2132,14 @@ int ndpi_is_printable_string(char const * const str, size_t len) {
/* ******************************************************************** */
-float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len) {
+float ndpi_entropy(u_int8_t const * const buf, size_t len) {
float entropy = 0.0f;
u_int32_t byte_counters[256];
memset(byte_counters, 0, sizeof(byte_counters));
for (size_t i = 0; i < len; ++i) {
- if (buf[i] == i) {
- byte_counters[i]++;
- }
+ byte_counters[buf[i]]++;
}
for (size_t i = 0; i < sizeof(byte_counters) / sizeof(byte_counters[0]); ++i) {
@@ -2143,11 +2147,10 @@ float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len) {
continue;
}
- float p = 1.0f * byte_counters[i] / len;
- entropy -= p * log2f(p);
+ float const p = (float)byte_counters[i] / len;
+ entropy += p * log2f(1 / p);
}
- entropy *= -1.0f;
return entropy;
}
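Review bot: `ndpi_entropy` has no contract comment even though it is exported and now drives a risk flag. Add one above the definition stating that it returns the Shannon entropy of `buf` in bits per byte (0.0 to 8.0), that `len == 0` yields 0.0, and that `buf` must be non-NULL when `len > 0` since it is dereferenced unchecked. In the new line `float const p = (float)byte_counters[i] / len;` the `size_t` divisor is converted to `float` implicitly; `(float)len` makes that explicit and keeps `-Wconversion` quiet. The function spans this hunk and the previous one, and the zero-count test before `continue` lies between them, so the `len == 0` behaviour is inferred.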
diff --git a/tests/result/quic_interop_V.pcapng.out b/tests/result/quic_interop_V.pcapng.out
index 38ac189f6..de9e48304 100644
--- a/tests/result/quic_interop_V.pcapng.out
+++ b/tests/result/quic_interop_V.pcapng.out
@@ -47,7 +47,7 @@ JA3 Host Stats:
31 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:38077 -> [2400:8902::f03c:91ff:fe69:a454]:443 [proto: 188/QUIC][cat: Web/5][2 pkts/2588 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][0.15 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][TLSv1.3][Client: nghttp2.org][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
32 ICMPV6 [2001:19f0:4:34::1]:0 -> [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:0 [proto: 102/ICMPV6][cat: Network/14][2 pkts/2588 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][0.06 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
33 ICMPV6 [2001:19f0:5:c21:5400:1ff:fe33:3b96]:0 -> [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:0 [proto: 102/ICMPV6][cat: Network/14][2 pkts/2588 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][0.17 sec][PLAIN TEXT (bSuZ88)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
- 34 ICMP 51.158.105.98:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][3 pkts/1770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][0.20 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 34 ICMP 51.158.105.98:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][3 pkts/1770 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][0.20 sec][Risk: ** Entropy suspicious **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
35 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:38394 <-> [2600:1f18:2310:d230:5103:7d9e:7d75:374f]:4433 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/113 bytes][Goodput ratio: 95/45][0.14 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: test.privateoctopus.com][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
36 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:52080 <-> [2600:1f18:2310:d230:5103:7d9e:7d75:374f]:4434 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/113 bytes][Goodput ratio: 95/45][0.13 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: test.privateoctopus.com][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
37 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:51040 <-> [2604:a880:800:a1::1279:3001]:4433 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/109 bytes][Goodput ratio: 95/43][0.09 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: http3-test.litespeedtech.com][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][PLAIN TEXT (bOP/lk)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
@@ -66,10 +66,10 @@ JA3 Host Stats:
50 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:49270 <-> [2001:bc8:47a4:1c25::1]:4434 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/85 bytes][Goodput ratio: 95/27][0.04 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: h3.stammw.eu][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
51 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:51185 <-> [2001:bc8:47a4:1c25::1]:4433 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/85 bytes][Goodput ratio: 95/27][0.03 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: h3.stammw.eu][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
52 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:60346 <-> [2001:bc8:47a4:1c25::1]:443 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/85 bytes][Goodput ratio: 95/27][0.03 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][TLSv1.3][Client: h3.stammw.eu][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
- 53 ICMP 202.238.220.92:0 <-> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][2 pkts/1180 bytes <-> 2 pkts/194 bytes][Goodput ratio: 93/56][0.28 sec][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 53 ICMP 202.238.220.92:0 <-> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][2 pkts/1180 bytes <-> 2 pkts/194 bytes][Goodput ratio: 93/56][0.28 sec][Risk: ** Entropy suspicious **][Risk Score: 50][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
54 UDP 192.168.1.128:34903 <-> 18.189.84.245:443 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/77 bytes][Goodput ratio: 97/45][0.13 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][TLSv1.3][Client: fb.mvfst.net][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0]
55 UDP 192.168.1.128:43475 <-> 18.189.84.245:4433 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes <-> 1 pkts/73 bytes][Goodput ratio: 97/42][0.12 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: fb.mvfst.net][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0]
- 56 ICMP 133.242.206.244:0 <-> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][2 pkts/1180 bytes <-> 2 pkts/178 bytes][Goodput ratio: 93/53][0.22 sec][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 56 ICMP 133.242.206.244:0 <-> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][2 pkts/1180 bytes <-> 2 pkts/178 bytes][Goodput ratio: 93/53][0.22 sec][Risk: ** Entropy suspicious **][Risk Score: 50][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
57 UDP 192.168.1.128:41587 -> 131.159.24.198:4433 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: pandora.cm.in.tum.de][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0]
58 UDP 192.168.1.128:43735 -> 51.158.105.98:4434 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: quic.seemann.io][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0]
59 UDP 192.168.1.128:45250 -> 51.158.105.98:4433 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][Risk: ** Known protocol on non standard port **][Risk Score: 10][TLSv1.3][Client: quic.seemann.io][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0]
@@ -85,9 +85,9 @@ JA3 Host Stats:
69 UDP [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:56073 -> [2604:a880:800:a1::1279:3001]:443 [proto: 188/QUIC][cat: Web/5][1 pkts/1294 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][ALPN: hq-30;h3-30;hq-29;h3-29;hq-28;h3-28;hq-27;h3-27][TLS Supported Versions: TLSv1.3][TLSv1.3][Client: http3-test.litespeedtech.com][JA3C: 7d9e7f6dec1cb1dd8b79d72b1366b6cf][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
70 ICMPV6 [2604:a880:800:a1::1279:3001]:0 -> [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/1294 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
71 ICMPV6 [2001:4800:7817:101:be76:4eff:fe04:631d]:0 -> [2001:b07:ac9:d5ae:a4d3:fe47:691e:807d]:0 [proto: 102/ICMPV6][cat: Network/14][1 pkts/1294 bytes -> 0 pkts/0 bytes][Goodput ratio: 95/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0]
- 72 ICMP 131.159.24.198:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][2 pkts/1180 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][0.14 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 73 ICMP 3.121.242.54:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][1 pkts/590 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 74 ICMP 18.189.84.245:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][1 pkts/590 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 72 ICMP 131.159.24.198:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][2 pkts/1180 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][0.14 sec][Risk: ** Entropy suspicious **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 73 ICMP 3.121.242.54:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][1 pkts/590 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][Risk: ** Entropy suspicious **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 74 ICMP 18.189.84.245:0 -> 192.168.1.128:0 [proto: 81/ICMP][cat: Network/14][1 pkts/590 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][Risk: ** Entropy suspicious **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
75 ICMP 192.168.1.128:0 -> 140.227.52.92:0 [proto: 81/ICMP][cat: Network/14][3 pkts/267 bytes -> 0 pkts/0 bytes][Goodput ratio: 53/0][0.17 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
76 ICMP 192.168.1.128:0 -> 40.112.191.60:0 [proto: 81/ICMP][cat: Network/14][2 pkts/194 bytes -> 0 pkts/0 bytes][Goodput ratio: 56/0][0.14 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
77 ICMP 192.168.1.128:0 -> 138.91.188.147:0 [proto: 81/ICMP][cat: Network/14][1 pkts/113 bytes -> 0 pkts/0 bytes][Goodput ratio: 62/0][< 1 sec][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]