authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-07-26 09:09:12 +0200
committerGitHub <noreply@github.com>2023-07-26 09:09:12 +0200
commit3326fa258ec92e553e39fc8a1bfa3921dc81f15c (patch)
treefcd0e725b7b5a8d13db1654a9b0864651c642f00 /src/lib/ndpi_analyze.c
parent2b230e28e0612e8654ad617534deb9aaaabd51b7 (diff)
Add an heuristic to detect fully encrypted flows (#2058)
A fully encrypted session is a flow where every byte of the payload is encrypted in an attempt to “look like nothing”. The heuristic needs only the very first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf A basic, but generic, implementation of the popcount algorithm has been added
Diffstat (limited to 'src/lib/ndpi_analyze.c')
-rw-r--r--src/lib/ndpi_analyze.c39
1 files changed, 39 insertions, 0 deletions
diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c
index f7f9784b6..17f755026 100644
--- a/src/lib/ndpi_analyze.c
+++ b/src/lib/ndpi_analyze.c
@@ -1831,3 +1831,42 @@ void ndpi_cm_sketch_destroy(struct ndpi_cm_sketch *sketch) {
ndpi_free(sketch->tables);
ndpi_free(sketch);
}
+
+/* ********************************************************************************* */
+/* ********************************************************************************* */
+
+/* Popcount, short for "population count," is a computer programming term that refers to
+ the number of set bits (bits with a value of 1) in a binary representation of a given
+ data word or integer. In other words, it is the count of all the 1s present in the
+ binary representation of a number.
+ For example, consider the number 45, which is represented in binary as 101101.
+ The popcount of 45 would be 4 because there are four 1s in its binary representation.
+*/
+
+int ndpi_popcount_init(struct ndpi_popcount *h)
+{
+ if(h) {
+ memset(h, '\0', sizeof(*h));
+ return 0;
+ }
+ return -1;
+}
+
+/* ********************************************************************************* */
+
+void ndpi_popcount_count(struct ndpi_popcount *h, const u_int8_t *buf, u_int32_t buf_len)
+{
+ u_int32_t i;
+
+ if(!h)
+ return;
+
+ /* Trivial alg. TODO: there are lots of better, more performant algorithms */
+
+ for(i = 0; i < buf_len / 4; i++)
+ h->pop_count += __builtin_popcount(*(u_int32_t *)(buf + i * 4));
+ for(i = 0; i < buf_len % 4; i++)
+ h->pop_count += __builtin_popcount(buf[buf_len - (buf_len % 4) + i]);
+
+ h->tot_bytes_count += buf_len;
+}
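Review bot: The word loop in ndpi_popcount_count reads `*(u_int32_t *)(buf + i * 4)` through a cast from `const u_int8_t *`, which is an unaligned, type-punned load that also drops the const qualifier. buf is presumably packet payload at an arbitrary offset, so this is undefined behaviour and can fault on strict-alignment targets while the library is parsing untrusted traffic. Copying each word into a local first avoids it, with the loop body braced: `u_int32_t w; memcpy(&w, buf + i * 4, sizeof(w)); h->pop_count += __builtin_popcount(w);`. The guard checks only h, so a NULL buf with a non-zero buf_len is still dereferenced; `if(!h || !buf) return;` would cover that. `__builtin_popcount` is a GCC/Clang builtin, so a fallback is needed if the library is also built with a compiler that lacks it.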