Add an heuristic to detect fully encrypted flows (#2058)

A fully encrypted session is a flow where every bytes of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, inplementation of the popcpunt alg has been added
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2023-07-26 09:09:12 +0200
committer: GitHub <noreply@github.com> 2023-07-26 09:09:12 +0200
commit: 3326fa258ec92e553e39fc8a1bfa3921dc81f15c (patch)
tree: fcd0e725b7b5a8d13db1654a9b0864651c642f00 /src/include/ndpi_api.h
parent: 2b230e28e0612e8654ad617534deb9aaaabd51b7 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 653510e82..121c3f7f8 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -1843,6 +1843,13 @@ extern "C" {
   
   /* ******************************* */
 
+  /* PopCount [count how many bits are set to 1] */
+
+  int ndpi_popcount_init(struct ndpi_popcount *h);
+  void ndpi_popcount_count(struct ndpi_popcount *h, const u_int8_t *buf, u_int32_t buf_len);
+
+  /* ******************************* */
+
   int  ndpi_init_bin(struct ndpi_bin *b, enum ndpi_bin_family f, u_int16_t num_bins);
   void ndpi_free_bin(struct ndpi_bin *b);
   struct ndpi_bin* ndpi_clone_bin(struct ndpi_bin *b);
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2023-07-26 09:09:12 +0200
committer	GitHub <noreply@github.com>	2023-07-26 09:09:12 +0200
commit	3326fa258ec92e553e39fc8a1bfa3921dc81f15c (patch)
tree	fcd0e725b7b5a8d13db1654a9b0864651c642f00 /src/include/ndpi_api.h
parent	2b230e28e0612e8654ad617534deb9aaaabd51b7 (diff)