aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_main.h3
-rw-r--r--src/include/ndpi_typedefs.h6
-rw-r--r--src/lib/ndpi_main.c11
-rw-r--r--src/lib/ndpi_utils.c17
4 files changed, 29 insertions, 8 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 0cd41d2b8..40ad61dfb 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -154,7 +154,8 @@ extern "C" {
void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow, ndpi_risk_enum r);
int ndpi_is_printable_string(char const * const str, size_t len);
- float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len);
+#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f)
+ float ndpi_entropy(u_int8_t const * const buf, size_t len);
void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str,
const char *alpn_to_check, u_int alpn_to_check_len);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 9aaa6c63f..1430a66c2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -103,6 +103,7 @@ typedef enum {
NDPI_TLS_UNCOMMON_ALPN,
NDPI_TLS_CERT_VALIDITY_TOO_LONG,
NDPI_TLS_EXTENSION_SUSPICIOUS,
+ NDPI_ENTROPY_SUSPICIOUS,
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
@@ -735,6 +736,8 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */
u_int32_t ddlink_server_direction:1;
+
+ /* Part of the TCP header. */
u_int32_t seen_syn:1;
u_int32_t seen_syn_ack:1;
u_int32_t seen_ack:1;
@@ -1290,6 +1293,9 @@ struct ndpi_flow_struct {
struct ndpi_flow_udp_struct udp;
} l4;
+ /* Some protocols calculate the entropy. */
+ float entropy;
+
/* Place textual flow info here */
char flow_extra_info[16];
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index aa3934a0f..56c176377 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -104,6 +104,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_TLS_UNCOMMON_ALPN, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_TLS_CERT_VALIDITY_TOO_LONG, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_TLS_EXTENSION_SUSPICIOUS, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_ENTROPY_SUSPICIOUS, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
@@ -2836,6 +2837,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
break;
case NDPI_ICMP_PROTOCOL_TYPE:
if(flow) {
+ flow->entropy = 0.0f;
/* Run some basic consistency tests */
if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr))
@@ -2848,6 +2850,15 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
if(((icmp_type >= 44) && (icmp_type <= 252))
|| (icmp_code > 15))
ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET);
+ if (flow->packet.payload_packet_len > sizeof(struct ndpi_icmphdr))
+ {
+ flow->entropy = ndpi_entropy(flow->packet.payload + sizeof(struct ndpi_icmphdr),
+ flow->packet.payload_packet_len - sizeof(struct ndpi_icmphdr));
+ if (NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(flow->entropy) != 0)
+ {
+ ndpi_set_risk(ndpi_str, flow, NDPI_ENTROPY_SUSPICIOUS);
+ }
+ }
}
}
return(NDPI_PROTOCOL_IP_ICMP);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 48788c15d..1509515c0 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1126,6 +1126,9 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_serialize_start_of_block(serializer, "ndpi");
ndpi_serialize_risk(serializer, flow);
+ if (l7_protocol.master_protocol == NDPI_PROTOCOL_IP_ICMP && flow->entropy > 0.0f) {
+ ndpi_serialize_string_float(serializer, "entropy", flow->entropy, "%.6f");
+ }
ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol, buf, sizeof(buf)));
ndpi_protocol_breed_t breed =
ndpi_get_proto_breed(ndpi_struct,
@@ -1774,6 +1777,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_TLS_EXTENSION_SUSPICIOUS:
return("TLS extension suspicious");
+ case NDPI_ENTROPY_SUSPICIOUS:
+ return("Entropy suspicious");
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
@@ -2126,16 +2132,14 @@ int ndpi_is_printable_string(char const * const str, size_t len) {
/* ******************************************************************** */
-float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len) {
+float ndpi_entropy(u_int8_t const * const buf, size_t len) {
float entropy = 0.0f;
u_int32_t byte_counters[256];
memset(byte_counters, 0, sizeof(byte_counters));
for (size_t i = 0; i < len; ++i) {
- if (buf[i] == i) {
- byte_counters[i]++;
- }
+ byte_counters[buf[i]]++;
}
for (size_t i = 0; i < sizeof(byte_counters) / sizeof(byte_counters[0]); ++i) {
@@ -2143,11 +2147,10 @@ float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len) {
continue;
}
- float p = 1.0f * byte_counters[i] / len;
- entropy -= p * log2f(p);
+ float const p = (float)byte_counters[i] / len;
+ entropy += p * log2f(1 / p);
}
- entropy *= -1.0f;
return entropy;
}
Powered by cgit, Themed by Ted Yin.