Added entropy calculation to check for suspicious (encrypted) payload.add/entropy-calc-and-check

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

4 files changed, 29 insertions, 8 deletions

diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 0cd41d2b8..40ad61dfb 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -154,7 +154,8 @@ extern "C" {
   void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str,
 		     struct ndpi_flow_struct *flow, ndpi_risk_enum r);
   int ndpi_is_printable_string(char const * const str, size_t len);
-  float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len);
+#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f)
+  float ndpi_entropy(u_int8_t const * const buf, size_t len);
   void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
   u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str,
 			    const char *alpn_to_check, u_int alpn_to_check_len);    
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 9aaa6c63f..1430a66c2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -103,6 +103,7 @@ typedef enum {
   NDPI_TLS_UNCOMMON_ALPN,
   NDPI_TLS_CERT_VALIDITY_TOO_LONG,
   NDPI_TLS_EXTENSION_SUSPICIOUS,
+  NDPI_ENTROPY_SUSPICIOUS,
 
   /* Leave this as last member */
   NDPI_MAX_RISK /* must be <= 63 due to (**) */
@@ -735,6 +736,8 @@ struct ndpi_flow_tcp_struct {
 
   /* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */
   u_int32_t ddlink_server_direction:1;
+
+  /* Part of the TCP header. */
   u_int32_t seen_syn:1;
   u_int32_t seen_syn_ack:1;
   u_int32_t seen_ack:1;
@@ -1290,6 +1293,9 @@ struct ndpi_flow_struct {
     struct ndpi_flow_udp_struct udp;
   } l4;
 
+  /* Some protocols calculate the entropy. */
+  float entropy;
+
   /* Place textual flow info here */
   char flow_extra_info[16];
 
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index aa3934a0f..56c176377 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -104,6 +104,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_TLS_UNCOMMON_ALPN,                     NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
   { NDPI_TLS_CERT_VALIDITY_TOO_LONG,            NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
   { NDPI_TLS_EXTENSION_SUSPICIOUS,              NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE },
+  { NDPI_ENTROPY_SUSPICIOUS,                    NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
 
   /* Leave this as last member */
   { NDPI_MAX_RISK,                              NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE }
@@ -2836,6 +2837,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
       break;
     case NDPI_ICMP_PROTOCOL_TYPE:
       if(flow) {
+        flow->entropy = 0.0f;
 	/* Run some basic consistency tests */
 
 	if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr))
@@ -2848,6 +2850,15 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
 	  if(((icmp_type >= 44) && (icmp_type <= 252))
 	     || (icmp_code > 15))
 	    ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET);
+	  if (flow->packet.payload_packet_len > sizeof(struct ndpi_icmphdr))
+	  {
+	    flow->entropy = ndpi_entropy(flow->packet.payload + sizeof(struct ndpi_icmphdr),
+	                                 flow->packet.payload_packet_len - sizeof(struct ndpi_icmphdr));
+	    if (NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(flow->entropy) != 0)
+	    {
+	      ndpi_set_risk(ndpi_str, flow, NDPI_ENTROPY_SUSPICIOUS);
+	    }
+	  }
 	}
       }
       return(NDPI_PROTOCOL_IP_ICMP);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 48788c15d..1509515c0 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1126,6 +1126,9 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
 
   ndpi_serialize_start_of_block(serializer, "ndpi");
   ndpi_serialize_risk(serializer, flow);
+  if (l7_protocol.master_protocol == NDPI_PROTOCOL_IP_ICMP && flow->entropy > 0.0f) {
+    ndpi_serialize_string_float(serializer, "entropy", flow->entropy, "%.6f");
+  }
   ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol, buf, sizeof(buf)));
   ndpi_protocol_breed_t breed =
       ndpi_get_proto_breed(ndpi_struct,
@@ -1774,6 +1777,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
   case NDPI_TLS_EXTENSION_SUSPICIOUS:
     return("TLS extension suspicious");
 
+  case NDPI_ENTROPY_SUSPICIOUS:
+    return("Entropy suspicious");
+
   default:
     snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);
@@ -2126,16 +2132,14 @@ int ndpi_is_printable_string(char const * const str, size_t len) {
 
 /* ******************************************************************** */
 
-float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len) {
+float ndpi_entropy(u_int8_t const * const buf, size_t len) {
   float entropy = 0.0f;
   u_int32_t byte_counters[256];
 
   memset(byte_counters, 0, sizeof(byte_counters));
 
   for (size_t i = 0; i < len; ++i) {
-    if (buf[i] == i) {
-      byte_counters[i]++;
-    }
+    byte_counters[buf[i]]++;
   }
 
   for (size_t i = 0; i < sizeof(byte_counters) / sizeof(byte_counters[0]); ++i) {
@@ -2143,11 +2147,10 @@ float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len) {
       continue;
     }
 
-    float p = 1.0f * byte_counters[i] / len;
-    entropy -= p * log2f(p);
+    float const p = (float)byte_counters[i] / len;
+    entropy += p * log2f(1 / p);
   }
 
-  entropy *= -1.0f;
   return entropy;
 }