authorLuca Deri <deri@ntop.org>2022-06-28 00:01:00 +0200
committerLuca Deri <deri@ntop.org>2022-06-28 00:01:00 +0200
commit227ab5c105cb8066465f948054b6b710d840d3ce (patch)
tree465336e1899d79d5f3d00f092063e2c615954073 /src
parent4296ec969a8a7c7864b710c542be755b4bc467f0 (diff)
Enhanced TLS risk info reported to users
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_main.c8
-rw-r--r--src/lib/protocols/tls.c13
2 files changed, 13 insertions, 8 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c1cd0c137..86da37dfa 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1042,7 +1042,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SYSLOG,
"Syslog", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
- ndpi_build_default_ports(ports_a, 601, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_a, 514, 601, 6514, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 514, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DHCP,
"DHCP", NDPI_PROTOCOL_CATEGORY_NETWORK,
@@ -1912,9 +1912,13 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"MpegDash", NDPI_PROTOCOL_CATEGORY_MEDIA,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ /*
+ Note: removed RSH port 514 as TCP/514 is often used for syslog and RSH is as such on;y
+ if both source and destination ports are 514. So we removed the default for RSH and used with syslog
+ */
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_RSH,
"RSH", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS,
- ndpi_build_default_ports(ports_a, 514, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_PIM,
"IP_PIM", NDPI_PROTOCOL_CATEGORY_NETWORK,
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8a7359ad1..326b13434 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1426,7 +1426,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1) {
char str[64];
- snprintf(str, sizeof(str), "Cipher %08X", ja3.server.cipher[0]);
+ snprintf(str, sizeof(str), "Cipher %s", ndpi_cipher2str(ja3.server.cipher[0]));
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER, str);
}
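Review bot: If `ndpi_cipher2str()` can return NULL for a cipher id it does not know, passing its result to `%s` on line 53 is undefined behaviour, and in any case the numeric id that the old `%08X` format carried is dropped, which is exactly what an analyst needs to look up a cipher the helper has no name for. Keep both, guarding the pointer if the helper can return NULL: `const char *name = ndpi_cipher2str(ja3.server.cipher[0]);` / `snprintf(str, sizeof(str), "Cipher %s (0x%04X)", name ? name : "unknown", ja3.server.cipher[0]);`. Whether the helper can return NULL, and its exact return type, are not visible in this hunk; processClientServerHello continues outside it.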
@@ -1648,9 +1648,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version;
if(flow->protos.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */ {
- char str[32];
-
- snprintf(str, sizeof(str), "%04X", flow->protos.tls_quic.ssl_version);
+ char str[32], buf[32];
+ u_int8_t unknown_tls_version;
+
+ snprintf(str, sizeof(str), "%s", ndpi_ssl_version2str(buf, sizeof(buf),
+ flow->protos.tls_quic.ssl_version,
+ &unknown_tls_version));
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, str);
}
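Review bot: `unknown_tls_version` on line 63 is written by `ndpi_ssl_version2str()` but never read, and `str` on line 62 only receives a `%s` copy of the string the helper already produced, so the second buffer and the snprintf on lines 65-67 are redundant. Either act on the flag — a version below 0x0303 that the helper does not recognise is at least as suspicious as a known obsolete one, and the risk text should then still carry the raw id — or drop the copy and pass the helper's result straight through: `char buf[32]; u_int8_t unknown_tls_version;` / `ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, ndpi_ssl_version2str(buf, sizeof(buf), flow->protos.tls_quic.ssl_version, &unknown_tls_version));`. Whether ndpi_set_risk accepts the helper's return type directly is not visible here; processClientServerHello continues outside the hunk.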
@@ -1851,11 +1854,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] Extensions: found server name\n");
#endif
if((offset+extension_offset+4) < packet->payload_packet_len) {
-
len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4];
if((offset+extension_offset+5+len) <= packet->payload_packet_len) {
-
char *sni = ndpi_hostname_sni_set(flow, &packet->payload[offset+extension_offset+5], len);
int sni_len = strlen(sni);
#ifdef DEBUG_TLS