author | Toni Uhlig <matzeton@googlemail.com> | 2021-08-05 13:04:36 +0200 |
committer | Toni Uhlig <matzeton@googlemail.com> | 2021-08-05 13:26:46 +0200 |
commit | d5227f6c0990590ab951f3fea082c4ef60a1d659 (patch) | |
tree | aa4948afc25796cc42579a78479c2feeace3f84a /src/include | |
parent | dc841574af54d59ca8cfd0aa30fcc471c598dbbb (diff) |
Added entropy calculation to check for suspicious (encrypted) payload. [branch: add/entropy-calc-and-check]
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/ndpi_main.h | 3 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 6 |
2 files changed, 8 insertions, 1 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 0cd41d2b8..40ad61dfb 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -154,7 +154,8 @@ extern "C" {
 void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_risk_enum r);
 int ndpi_is_printable_string(char const * const str, size_t len);
- float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len);
+#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f)
+ float ndpi_entropy(u_int8_t const * const buf, size_t len);
 void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
 u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str, const char *alpn_to_check, u_int alpn_to_check_len);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 9aaa6c63f..1430a66c2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -103,6 +103,7 @@ typedef enum {
 NDPI_TLS_UNCOMMON_ALPN,
 NDPI_TLS_CERT_VALIDITY_TOO_LONG,
 NDPI_TLS_EXTENSION_SUSPICIOUS,
+ NDPI_ENTROPY_SUSPICIOUS,
 /* Leave this as last member */
 NDPI_MAX_RISK /* must be <= 63 due to (**) */
@@ -735,6 +736,8 @@ struct ndpi_flow_tcp_struct {
 /* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */
 u_int32_t ddlink_server_direction:1;
+
+ /* Part of the TCP header. */
 u_int32_t seen_syn:1;
 u_int32_t seen_syn_ack:1;
 u_int32_t seen_ack:1;
@@ -1290,6 +1293,9 @@ struct ndpi_flow_struct {
 struct ndpi_flow_udp_struct udp;
 } l4;
+ /* Some protocols calculate the entropy. */
+ float entropy;
+
 /* Place textual flow info here */
 char flow_extra_info[16]; |
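Review bot: The parameter of the new `NDPI_ENTROPY_ENCRYPTED_OR_RANDOM` macro is not parenthesized, so an argument such as `a ? b : c` expands to `(a ? b : c > 7.0f)` and compares only `c`; write it as `#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) ((entropy) > 7.0f)`. The 7.0f cut-off is also undocumented: assuming `ndpi_entropy` returns Shannon entropy in bits per byte (0..8), a buffer of `len` bytes can never exceed log2(len) bits, so the classification is only meaningful for payloads above a minimum length that the header does not state. A comment above the macro along the lines of `/* Shannon entropy threshold, bits per byte (max 8.0); only meaningful for buffers long enough that log2(len) exceeds it. */` would tell callers when the verdict can be trusted and when short payloads will simply never trip it. The `extern "C"` block enclosing this hunk starts and ends outside it.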
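Review bot: `NDPI_ENTROPY_SUSPICIOUS` is added to `ndpi_risk_enum` without a comment stating which condition raises it, and because the diffstat is limited to `src/include` this page does not show whether any risk-name or description table indexed by this enum was extended in the same commit; if such a table exists and was not, the new value would surface unnamed in output. A one-line comment on the new member, e.g. `NDPI_ENTROPY_SUSPICIOUS, /* presumably raised when NDPI_ENTROPY_ENCRYPTED_OR_RANDOM() holds for the flow payload — confirm against the dissector */`, would tie the risk to the header macro that defines its meaning. Appending before `NDPI_MAX_RISK` keeps the existing values stable and stays within the `<= 63` bound noted on the next line. The `typedef enum` enclosing this hunk starts outside it.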
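Review bot: The comment on the new `entropy` member, `/* Some protocols calculate the entropy. */`, does not say what the value measures, in which unit, or when it is valid, which matters because `struct ndpi_flow_struct` is a public layout that library consumers read directly. Something like `/* Shannon entropy (bits per byte, assumed) of the payload a dissector inspected; left at its zero-initialized value until a dissector computes it — confirm initialization */`, together with a pointer to `NDPI_ENTROPY_ENCRYPTED_OR_RANDOM` as the intended interpretation, would make the field self-describing. Inserting a `float` before `flow_extra_info` also shifts the offset of every later member and the struct size, so any out-of-tree code or size check that depends on this layout must be rebuilt; that is expected for the project but deserves a line in the commit message. `struct ndpi_flow_struct` starts and ends outside this hunk.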