Add a new flow risk about literal IP addresses used as SNI (#1892)

RFC 6066 3: "Literal IPv4 and IPv6 addresses are not permitted in
"HostName"."

Don't set this risk if we have a valid sub-classification (example:
via certificate)

Since a similar risk already exists for HTTP hostnames, reuse it, with a
more generic name.

1 files changed, 2 insertions, 2 deletions

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index b9cc198c1..e0f56c4e8 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -634,7 +634,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
     char str[64];
 
     snprintf(str, sizeof(str), "Found host %s", buf);
-    ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST, str);
+    ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, str);
   }
 }
 
@@ -916,7 +916,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
         strstr(flow->http.url, "download.windowsupdate.com/")) &&
        ndpi_strnstr((const char *)packet->user_agent_line.ptr, "Microsoft-Delivery-Optimization/",
                     packet->user_agent_line.len) &&
-       ndpi_isset_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST)) {
+       ndpi_isset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST)) {
       ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
     }
   }