authorLuca <deri@ntop.org>2021-06-01 09:17:26 +0200
committerLuca <deri@ntop.org>2021-06-01 09:17:26 +0200
commitc6208586715deffa1aa11244a5d9cb6cca459a6d (patch)
treea9a931ce6c1cb4ee15eceb7d915e287ba26ed247 /src
parentc4084ca3c7b3657659aff624158a9c4f5710f57d (diff)
Reworked ndpi flow risk score adding client and server score
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_api.h.in5
-rw-r--r--src/include/ndpi_typedefs.h168
-rw-r--r--src/lib/ndpi_main.c55
-rw-r--r--src/lib/ndpi_utils.c78
4 files changed, 168 insertions, 138 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index c44440cc8..a2e362acd 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -1520,8 +1520,9 @@ extern "C" {
const char* ndpi_risk2str(ndpi_risk_enum risk);
const char* ndpi_severity2str(ndpi_risk_severity s);
- ndpi_risk_severity ndpi_risk2severity(ndpi_risk_enum risk);
- u_int16_t ndpi_risk2score(ndpi_risk risk);
+ ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk);
+ u_int16_t ndpi_risk2score(ndpi_risk risk,
+ u_int16_t *client_score, u_int16_t *server_score);
/* ******************************* */
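Review bot: `ndpi_risk2severity()` now returns a writable pointer into the library's static risk table, so any caller can change severities or client percentages for the whole process. Declaring it `const ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk);` keeps the table read-only for API users. The name no longer describes the return value either, since it yields the whole info record; a short comment above the prototype saying so, and saying that `client_score` and `server_score` are output parameters that must not be NULL, would help callers adapt to the changed signatures.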
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 42c1e9f94..4656b4af2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -63,9 +63,10 @@ typedef enum {
NOTE
When the typedef below is modified don't forget to update
- nDPI/wireshark/ndpi.lua
- - ndpi_risk2str and ndpi_risk2severity (in ndpi_utils.c)
+ - ndpi_risk2str (in ndpi_utils.c)
- https://github.com/ntop/ntopng/blob/dev/scripts/lua/modules/flow_risk_utils.lua
- ndpi_risk_enum (in python/ndpi.py)
+ - ndpi_known_risks (ndpi_utils.c)
*/
typedef enum {
NDPI_NO_RISK = 0,
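Review bot: The added reminder `- ndpi_known_risks (ndpi_utils.c)` points to the wrong file, because this commit defines `ndpi_known_risks[]` in src/lib/ndpi_main.c. I would write `- ndpi_known_risks (in ndpi_main.c), same order as this enum` so the next person adding a risk also learns that the table is indexed by the enum value.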
@@ -121,6 +122,21 @@ typedef enum {
NDPI_SCORE_RISK_SEVERE = 250,
} ndpi_risk_score;
+typedef enum {
+ CLIENT_NO_RISK_PERCENTAGE = 0, /* 100% server risk */
+ CLIENT_LOW_RISK_PERCENTAGE = 10, /* 90% server risk */
+ CLIENT_FAIR_RISK_PERCENTAGE = 50, /* 50% server risk */
+ CLIENT_HIGH_RISK_PERCENTAGE = 90, /* 10% server risk */
+ CLIENT_FULL_RISK_PERCENTAGE = 100 /* 0% server risk */
+} risk_percentage;
+
+typedef struct {
+ ndpi_risk_enum risk;
+ ndpi_risk_severity severity;
+ risk_percentage default_client_risk_pctg; /* 0-100 */
+} ndpi_risk_info;
+
+
/* NDPI_VISIT */
typedef enum {
ndpi_preorder,
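Review bot: The new public names `risk_percentage` and `CLIENT_*_RISK_PERCENTAGE` carry no `NDPI_` prefix, unlike the other identifiers visible in this header, so they can collide with symbols in applications that include it; `ndpi_risk_percentage` and `NDPI_CLIENT_*` would match the existing style. The field comment `/* 0-100 */` also promises a range the enum type does not express, since only five values are enumerators; if arbitrary percentages are intended, an integer type such as `u_int8_t default_client_risk_pctg;` states that more honestly.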
@@ -938,81 +954,81 @@ typedef enum {
/* Abstract categories to group the protocols. */
typedef enum {
- NDPI_PROTOCOL_CATEGORY_UNSPECIFIED = 0, /* For general services and unknown protocols */
- NDPI_PROTOCOL_CATEGORY_MEDIA, /* Multimedia and streaming */
- NDPI_PROTOCOL_CATEGORY_VPN, /* Virtual Private Networks */
- NDPI_PROTOCOL_CATEGORY_MAIL, /* Protocols to send/receive/sync emails */
- NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, /* AFS/NFS and similar protocols */
- NDPI_PROTOCOL_CATEGORY_WEB, /* Web/mobile protocols and services */
- NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, /* Social networks */
- NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, /* Download, FTP, file transfer/sharing */
- NDPI_PROTOCOL_CATEGORY_GAME, /* Online games */
- NDPI_PROTOCOL_CATEGORY_CHAT, /* Instant messaging */
- NDPI_PROTOCOL_CATEGORY_VOIP, /* Real-time communications and conferencing */
- NDPI_PROTOCOL_CATEGORY_DATABASE, /* Protocols for database communication */
- NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, /* Remote access and control */
- NDPI_PROTOCOL_CATEGORY_CLOUD, /* Online cloud services */
- NDPI_PROTOCOL_CATEGORY_NETWORK, /* Network infrastructure protocols */
- NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, /* Software for collaborative development, including Webmail */
- NDPI_PROTOCOL_CATEGORY_RPC, /* High level network communication protocols */
- NDPI_PROTOCOL_CATEGORY_STREAMING, /* Streaming protocols */
- NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, /* System/Operating System level applications */
- NDPI_PROTOCOL_CATEGORY_SW_UPDATE, /* Software update */
-
- /* See #define NUM_CUSTOM_CATEGORIES */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_1, /* User custom category 1 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_2, /* User custom category 2 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_3, /* User custom category 3 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_4, /* User custom category 4 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_5, /* User custom category 5 */
-
- /* Further categories... */
- NDPI_PROTOCOL_CATEGORY_MUSIC,
- NDPI_PROTOCOL_CATEGORY_VIDEO,
- NDPI_PROTOCOL_CATEGORY_SHOPPING,
- NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY,
- NDPI_PROTOCOL_CATEGORY_FILE_SHARING,
- /*
- The category below is used by sites who are used
- to test connectivity
- */
- NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK,
- NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
- /*
- The category below is used for vocal assistance services.
- */
- NDPI_PROTOCOL_CATEGORY_VIRTUAL_ASSISTANT,
-
- /* Some custom categories */
- CUSTOM_CATEGORY_MINING = 99,
- CUSTOM_CATEGORY_MALWARE = 100,
- CUSTOM_CATEGORY_ADVERTISEMENT = 101,
- CUSTOM_CATEGORY_BANNED_SITE = 102,
- CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103,
- CUSTOM_CATEGORY_ALLOWED_SITE = 104,
- /*
- The category below is used to track communications made by
- security applications (e.g. sophosxl.net, spamhaus.org)
- to track malware, spam etc.
- */
- CUSTOM_CATEGORY_ANTIMALWARE = 105,
-
- /*
- IMPORTANT
-
- Please keep in sync with
-
- static const char* categories[] = { ..}
-
- in ndpi_main.c
- */
-
- NDPI_PROTOCOL_NUM_CATEGORIES, /*
- NOTE: Keep this as last member
- Unused as value but useful to getting the number of elements
- in this datastructure
- */
- NDPI_PROTOCOL_ANY_CATEGORY /* Used to handle wildcards */
+ NDPI_PROTOCOL_CATEGORY_UNSPECIFIED = 0, /* For general services and unknown protocols */
+ NDPI_PROTOCOL_CATEGORY_MEDIA, /* Multimedia and streaming */
+ NDPI_PROTOCOL_CATEGORY_VPN, /* Virtual Private Networks */
+ NDPI_PROTOCOL_CATEGORY_MAIL, /* Protocols to send/receive/sync emails */
+ NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, /* AFS/NFS and similar protocols */
+ NDPI_PROTOCOL_CATEGORY_WEB, /* Web/mobile protocols and services */
+ NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, /* Social networks */
+ NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, /* Download, FTP, file transfer/sharing */
+ NDPI_PROTOCOL_CATEGORY_GAME, /* Online games */
+ NDPI_PROTOCOL_CATEGORY_CHAT, /* Instant messaging */
+ NDPI_PROTOCOL_CATEGORY_VOIP, /* Real-time communications and conferencing */
+ NDPI_PROTOCOL_CATEGORY_DATABASE, /* Protocols for database communication */
+ NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, /* Remote access and control */
+ NDPI_PROTOCOL_CATEGORY_CLOUD, /* Online cloud services */
+ NDPI_PROTOCOL_CATEGORY_NETWORK, /* Network infrastructure protocols */
+ NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, /* Software for collaborative development, including Webmail */
+ NDPI_PROTOCOL_CATEGORY_RPC, /* High level network communication protocols */
+ NDPI_PROTOCOL_CATEGORY_STREAMING, /* Streaming protocols */
+ NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, /* System/Operating System level applications */
+ NDPI_PROTOCOL_CATEGORY_SW_UPDATE, /* Software update */
+
+ /* See #define NUM_CUSTOM_CATEGORIES */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_1, /* User custom category 1 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_2, /* User custom category 2 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_3, /* User custom category 3 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_4, /* User custom category 4 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_5, /* User custom category 5 */
+
+ /* Further categories... */
+ NDPI_PROTOCOL_CATEGORY_MUSIC,
+ NDPI_PROTOCOL_CATEGORY_VIDEO,
+ NDPI_PROTOCOL_CATEGORY_SHOPPING,
+ NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY,
+ NDPI_PROTOCOL_CATEGORY_FILE_SHARING,
+ /*
+ The category below is used by sites who are used
+ to test connectivity
+ */
+ NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK,
+ NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
+ /*
+ The category below is used for vocal assistance services.
+ */
+ NDPI_PROTOCOL_CATEGORY_VIRTUAL_ASSISTANT,
+
+ /* Some custom categories */
+ CUSTOM_CATEGORY_MINING = 99,
+ CUSTOM_CATEGORY_MALWARE = 100,
+ CUSTOM_CATEGORY_ADVERTISEMENT = 101,
+ CUSTOM_CATEGORY_BANNED_SITE = 102,
+ CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103,
+ CUSTOM_CATEGORY_ALLOWED_SITE = 104,
+ /*
+ The category below is used to track communications made by
+ security applications (e.g. sophosxl.net, spamhaus.org)
+ to track malware, spam etc.
+ */
+ CUSTOM_CATEGORY_ANTIMALWARE = 105,
+
+ /*
+ IMPORTANT
+
+ Please keep in sync with
+
+ static const char* categories[] = { ..}
+
+ in ndpi_main.c
+ */
+
+ NDPI_PROTOCOL_NUM_CATEGORIES, /*
+ NOTE: Keep this as last member
+ Unused as value but useful to getting the number of elements
+ in this datastructure
+ */
+ NDPI_PROTOCOL_ANY_CATEGORY /* Used to handle wildcards */
} ndpi_protocol_category_t;
typedef enum {
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4b84ceefa..8db2dee80 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -70,6 +70,46 @@ static void (*_ndpi_free)(void *ptr);
/* ****************************************** */
+static ndpi_risk_info ndpi_known_risks[] = {
+ { NDPI_NO_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_URL_POSSIBLE_XSS, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_URL_POSSIBLE_SQL_INJECTION, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_URL_POSSIBLE_RCE_INJECTION, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_BINARY_APPLICATION_TRANSFER, NDPI_RISK_SEVERE, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_TLS_SELFSIGNED_CERTIFICATE, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_OBSOLETE_VERSION, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_WEAK_CIPHER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_CERTIFICATE_EXPIRED, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_TLS_CERTIFICATE_MISMATCH, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_HTTP_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_HTTP_SUSPICIOUS_URL, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_MALFORMED_PACKET, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE },
+ { NDPI_SMB_INSECURE_VERSION, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_UNSAFE_PROTOCOL, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_MISSING_SNI, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_HTTP_SUSPICIOUS_CONTENT, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_RISKY_ASN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_RISKY_DOMAIN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_MALICIOUS_JA3, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_MALICIOUS_SHA1_CERTIFICATE, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_DESKTOP_OR_FILE_SHARING_SESSION, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_TLS_UNCOMMON_ALPN, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+
+ /* Leave this as last member */
+ { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
+};
+
+/* ****************************************** */
+
/* Forward */
static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, ndpi_port_range *range,
ndpi_proto_defaults_t *def, u_int8_t customUserProto, ndpi_default_ports_tree_node_t **root,
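Review bot: `ndpi_known_risks[]` is filled positionally but read by index (`&ndpi_known_risks[risk]` in the new `ndpi_risk2severity()`), so an entry placed in a different order than `ndpi_risk_enum` silently gives a risk the wrong severity and client share. The enum's order is not visible in this diff, so the current order cannot be confirmed from here. Designated initializers tie each row to its enum value regardless of position, e.g. `[NDPI_URL_POSSIBLE_XSS] = { NDPI_URL_POSSIBLE_XSS, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },`.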
@@ -719,7 +759,7 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str
/* ******************************************************************** */
static void ndpi_validate_protocol_initialization(struct ndpi_detection_module_struct *ndpi_str) {
- int i;
+ u_int i, val;
for(i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++) {
if(ndpi_str->proto_defaults[i].protoName == NULL) {
@@ -734,6 +774,13 @@ static void ndpi_validate_protocol_initialization(struct ndpi_detection_module_s
}
}
}
+
+ /* Sanity check for risks initialization */
+ val = (sizeof(ndpi_known_risks) / sizeof(ndpi_risk_info)) - 1;
+ if(val != NDPI_MAX_RISK) {
+ NDPI_LOG_ERR(ndpi_str, "[NDPI] INTERNAL ERROR Invalid ndpi_known_risks[] initialization [%u != %u]\n", val, NDPI_MAX_RISK);
+ exit(0);
+ }
}
/* ******************************************************************** */
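Review bot: The sanity check ends the host process with `exit(0)`, which reports success to whatever launched it even though the log line says INTERNAL ERROR; a non-zero status such as `exit(-1);` at least makes the failure visible. The check also compares only the element count, so a table with the right length but rows in the wrong order passes; comparing `ndpi_known_risks[i].risk != (ndpi_risk_enum)i` in a loop would catch that. If the project's C dialect allows it, the count test can move to compile time with `_Static_assert(sizeof(ndpi_known_risks)/sizeof(ndpi_known_risks[0]) == NDPI_MAX_RISK + 1, "ndpi_known_risks[] out of sync");`. The function begins outside this hunk.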
@@ -6496,7 +6543,7 @@ void ndpi_dump_risks_score() {
for(i = 1; i < NDPI_MAX_RISK; i++) {
ndpi_risk_enum r = (ndpi_risk_enum)i;
- ndpi_risk_severity s = ndpi_risk2severity(r);
+ ndpi_risk_severity s = ndpi_risk2severity(r)->severity;
u_int16_t score = 0;
switch(s) {
@@ -7576,3 +7623,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
}
/* ******************************************************************** */
+
+ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk) {
+ return(&ndpi_known_risks[risk]);
+}
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 80d6c9b15..bf5817495 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1730,57 +1730,6 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
/* ******************************************************************** */
-ndpi_risk_severity ndpi_risk2severity(ndpi_risk_enum risk) {
- switch(risk) {
- case NDPI_NO_RISK:
- case NDPI_MAX_RISK:
- case NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT:
- case NDPI_HTTP_NUMERIC_IP_HOST:
- case NDPI_TLS_NOT_CARRYING_HTTPS:
- case NDPI_MALFORMED_PACKET:
- case NDPI_UNSAFE_PROTOCOL:
- case NDPI_DESKTOP_OR_FILE_SHARING_SESSION:
- return(NDPI_RISK_LOW);
-
- case NDPI_TLS_SELFSIGNED_CERTIFICATE:
- case NDPI_TLS_OBSOLETE_VERSION:
- case NDPI_TLS_WEAK_CIPHER:
- case NDPI_HTTP_SUSPICIOUS_USER_AGENT:
- case NDPI_HTTP_SUSPICIOUS_HEADER:
- case NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER:
- case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER:
- case NDPI_SMB_INSECURE_VERSION:
- case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
- case NDPI_MALICIOUS_JA3:
- case NDPI_MALICIOUS_SHA1_CERTIFICATE:
- case NDPI_TLS_UNCOMMON_ALPN:
- case NDPI_DNS_SUSPICIOUS_TRAFFIC:
- case NDPI_TLS_MISSING_SNI:
- case NDPI_HTTP_SUSPICIOUS_CONTENT:
- case NDPI_RISKY_ASN:
- case NDPI_RISKY_DOMAIN:
- return(NDPI_RISK_MEDIUM);
-
- case NDPI_TLS_CERTIFICATE_EXPIRED:
- case NDPI_TLS_CERTIFICATE_MISMATCH:
- case NDPI_HTTP_SUSPICIOUS_URL:
- case NDPI_SUSPICIOUS_DGA_DOMAIN:
- return(NDPI_RISK_HIGH);
-
- case NDPI_URL_POSSIBLE_XSS:
- case NDPI_URL_POSSIBLE_SQL_INJECTION:
- case NDPI_URL_POSSIBLE_RCE_INJECTION:
- case NDPI_BINARY_APPLICATION_TRANSFER:
- return(NDPI_RISK_SEVERE);
- }
-
- /* We have added all possible ndpi_risk_enum values in the switch,
- but the compiler complains anyway... Try to silence it */
- return(NDPI_RISK_LOW);
-}
-
-/* ******************************************************************** */
-
const char* ndpi_severity2str(ndpi_risk_severity s) {
switch(s) {
case NDPI_RISK_LOW:
@@ -1805,33 +1754,45 @@ const char* ndpi_severity2str(ndpi_risk_severity s) {
/* ******************************************************************** */
-u_int16_t ndpi_risk2score(ndpi_risk risk) {
+u_int16_t ndpi_risk2score(ndpi_risk risk,
+ u_int16_t *client_score,
+ u_int16_t *server_score) {
u_int16_t score = 0;
u_int32_t i;
+ *client_score = *server_score = 0; /* Reset values */
+
if(risk == 0) return(0);
for(i = 0; i < NDPI_MAX_RISK; i++) {
ndpi_risk_enum r = (ndpi_risk_enum)i;
if(NDPI_ISSET_BIT(risk, r)) {
- switch(ndpi_risk2severity(r)) {
+ ndpi_risk_info *info = ndpi_risk2severity(r);
+ u_int16_t val, client_score_val;
+
+ switch(info->severity) {
case NDPI_RISK_LOW:
- score += NDPI_SCORE_RISK_LOW;
+ val = NDPI_SCORE_RISK_LOW;
break;
case NDPI_RISK_MEDIUM:
- score += NDPI_SCORE_RISK_MEDIUM;
+ val = NDPI_SCORE_RISK_MEDIUM;
break;
case NDPI_RISK_HIGH:
- score += NDPI_SCORE_RISK_HIGH;
+ val = NDPI_SCORE_RISK_HIGH;
break;
case NDPI_RISK_SEVERE:
- score += NDPI_SCORE_RISK_SEVERE;
+ val = NDPI_SCORE_RISK_SEVERE;
break;
}
+
+ score += val;
+ client_score_val = (val * info->default_client_risk_pctg) / 100;
+
+ *client_score += client_score_val, *server_score += (val - client_score_val);
}
}
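Review bot: `val` is read uninitialized when `info->severity` matches none of the four cases, because the switch has no `default` and `score += val` follows unconditionally; initializing it to 0 removes the undefined read. The new out-parameters are also dereferenced at the top of the function before any check, so a caller passing NULL for a score it does not need will crash; either document both as required or tolerate NULL as sketched below. The function's closing lines are outside this hunk.

```c
  /* … unchanged: score and i declarations … */
  if(client_score) *client_score = 0; /* Reset values */
  if(server_score) *server_score = 0;
  /* … unchanged: early return, loop, NDPI_ISSET_BIT test, info lookup … */
      u_int16_t val = 0, client_score_val; /* stays 0 if severity matches no case */
  /* … unchanged: switch on info->severity, score += val … */
      client_score_val = (val * info->default_client_risk_pctg) / 100;
      if(client_score) *client_score += client_score_val;
      if(server_score) *server_score += (val - client_score_val);
```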
@@ -2024,5 +1985,6 @@ void ndpi_set_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r) {
// NDPI_SET_BIT(flow->risk, (u_int32_t)r);
flow->risk |= v;
-
}
+
+