authorToni <matzeton@googlemail.com>2021-08-08 17:03:23 +0200
committerGitHub <noreply@github.com>2021-08-08 17:03:23 +0200
commit259b60f574fd3cb7ccd0fb205d0e91b7b5173c5c (patch)
tree3ce3309656b2fb1748c8d6b515b91903dec94178 /src/include
parent4e856a41d66952dbcd17d59b8b78b25d56304559 (diff)
Added entropy calculation to check for suspicious (encrypted) payload. (#1270)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com> Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ndpi_main.h3
-rw-r--r--src/include/ndpi_typedefs.h8
2 files changed, 9 insertions, 2 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 8c6eac83f..0a513c353 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -155,7 +155,8 @@ extern "C" {
void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow, ndpi_risk_enum r);
int ndpi_is_printable_string(char const * const str, size_t len);
- float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len);
+#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f)
+ float ndpi_entropy(u_int8_t const * const buf, size_t len);
void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str,
const char *alpn_to_check, u_int alpn_to_check_len);
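Review bot: The new `#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM` line does not parenthesize its argument, so passing an expression such as `a ? b : c` binds wrongly against the `>`; it should read `#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) ((entropy) > 7.0f)`. The 7.0 threshold also deserves a comment: Shannon entropy of a byte stream caps at 8.0 bits/byte and compressed payloads (gzip, JPEG, video) sit above 7.0 just as ciphertext does, while a buffer shorter than 128 bytes cannot mathematically reach 7.0 at all, so callers presumably need a minimum-length gate before trusting the check; something like `/* Shannon entropy in bits/byte (max 8.0); >7.0 indicates encrypted, random or compressed data and is meaningless for buffers under 128 bytes */`. Renaming the exported `ndpi_calculate_entropy` to `ndpi_entropy` changes a public declaration inside the `extern "C"` block, so out-of-tree callers of the old name break unless a compatibility alias is kept.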
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 12dbc4dcf..2260e95e8 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -105,7 +105,8 @@ typedef enum {
NDPI_TLS_CERT_VALIDITY_TOO_LONG,
NDPI_TLS_SUSPICIOUS_EXTENSION,
NDPI_TLS_FATAL_ALERT,
-
+ NDPI_ENTROPY_SUSPICIOUS,
+
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
} ndpi_risk_enum;
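Review bot: The new `NDPI_ENTROPY_SUSPICIOUS` enumerator carries no comment saying what raises it, unlike its TLS neighbours whose names are self-describing; I would annotate it as `NDPI_ENTROPY_SUSPICIOUS, /* payload entropy above the NDPI_ENTROPY_ENCRYPTED_OR_RANDOM threshold */`. Appending it just before NDPI_MAX_RISK keeps the numbering of existing risks stable, which matters if the `must be <= 63` note reflects a bit-position constraint. Presumably a matching entry is needed wherever ndpi_risk_enum values are mapped to names or severities elsewhere in the tree; this diff is limited to src/include, so that cannot be confirmed here.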
@@ -737,6 +738,8 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */
u_int32_t ddlink_server_direction:1;
+
+ /* Part of the TCP header. */
u_int32_t seen_syn:1;
u_int32_t seen_syn_ack:1;
u_int32_t seen_ack:1;
@@ -1293,6 +1296,9 @@ struct ndpi_flow_struct {
struct ndpi_flow_udp_struct udp;
} l4;
+ /* Some protocols calculate the entropy. */
+ float entropy;
+
/* Place textual flow info here */
char flow_extra_info[16];