-rw-r--r--python/ndpi.py4
-rw-r--r--src/include/ndpi_typedefs.h4
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/ndpi_utils.c7
-rw-r--r--src/lib/protocols/tls.c31
-rw-r--r--wireshark/ndpi.lua2
6 files changed, 39 insertions, 12 deletions
diff --git a/python/ndpi.py b/python/ndpi.py
index 61376fdbe..fe9fffb6a 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -322,6 +322,10 @@ typedef enum {
NDPI_MALICIOUS_JA3,
NDPI_MALICIOUS_SHA1_CERTIFICATE,
NDPI_DESKTOP_OR_FILE_SHARING_SESSION,
+ NDPI_TLS_UNCOMMON_ALPN,
+ NDPI_TLS_CERT_VALIDITY_TOO_LONG,
+ NDPI_TLS_SUSPICIOUS_EXTENSION,
+ NDPI_TLS_FATAL_ALERT,
/* Leave this as last member */
NDPI_MAX_RISK
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index f767150cb..12dbc4dcf 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -67,6 +67,7 @@ typedef enum {
- https://github.com/ntop/ntopng/blob/dev/scripts/lua/modules/flow_risk_utils.lua
- ndpi_risk_enum (in python/ndpi.py)
- ndpi_known_risks (ndpi_utils.c)
+ - ndpi_known_risks (ndpi_main.c)
*/
typedef enum {
NDPI_NO_RISK = 0,
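Review bot: The checklist comment now lists ndpi_known_risks twice, in ndpi_utils.c (kept context line) and in ndpi_main.c (added line), and this commit's own ndpi_main.c hunk shows the table lives in ndpi_main.c, so the ndpi_utils.c entry is stale. What ndpi_utils.c does hold, per the later hunk, is ndpi_risk2str, which also needs a case per new risk, so the older line is presumably meant to read `- ndpi_risk2str (ndpi_utils.c)`. This list is the only place that enumerates everything to touch when a risk is added, so it is worth keeping exact.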
@@ -102,7 +103,8 @@ typedef enum {
NDPI_DESKTOP_OR_FILE_SHARING_SESSION, /* 30 */
NDPI_TLS_UNCOMMON_ALPN,
NDPI_TLS_CERT_VALIDITY_TOO_LONG,
- NDPI_TLS_EXTENSION_SUSPICIOUS,
+ NDPI_TLS_SUSPICIOUS_EXTENSION,
+ NDPI_TLS_FATAL_ALERT,
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 5ff098ac2..b3758a1aa 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -103,7 +103,8 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_DESKTOP_OR_FILE_SHARING_SESSION, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_TLS_UNCOMMON_ALPN, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_TLS_CERT_VALIDITY_TOO_LONG, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_TLS_EXTENSION_SUSPICIOUS, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_SUSPICIOUS_EXTENSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_FATAL_ALERT, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 0008835f4..a753dc086 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1771,8 +1771,11 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_TLS_CERT_VALIDITY_TOO_LONG:
return("TLS certificate validity longer than 13 months");
- case NDPI_TLS_EXTENSION_SUSPICIOUS:
- return("TLS extension suspicious");
+ case NDPI_TLS_SUSPICIOUS_EXTENSION:
+ return("TLS suspicious extension");
+
+ case NDPI_TLS_FATAL_ALERT:
+ return("TLS fatal alert");
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 38f1ffbca..ecd5f177e 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -514,9 +514,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, len,
packet->payload_packet_len-i-len);
#endif
- if (ndpi_is_printable_string(dNSName, len) == 0)
- {
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
+ if (ndpi_is_printable_string(dNSName, len) == 0) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION);
}
if(matched_name == 0) {
@@ -756,6 +755,10 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &flow->packet;
int ret;
+#ifdef DEBUG_TL
+ printf("[TLS] Processing block %u\n", packet->payload[0]);
+#endif
+
switch(packet->payload[0] /* block type */) {
case 0x01: /* Client Hello */
case 0x02: /* Server Hello */
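Review bot: The guard added before the switch is spelled `#ifdef DEBUG_TL`, while every other debug block in this file uses `DEBUG_TLS` (the alert hunk and the checkExtensions hunks below), so this printf is never compiled in even with debugging enabled. Change it to `#ifdef DEBUG_TLS`. processTLSBlock's body continues outside the hunk.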
@@ -872,8 +875,20 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
*/
flow->l4.tcp.tls.num_tls_blocks = 0;
}
- }
+ } else if(content_type == 0x15 /* Alert */) {
+ /* https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132 */
+#ifdef DEBUG_TLS
+ printf("[TLS] *** TLS ALERT ***\n");
+#endif
+ if(len >= 7) {
+ u_int8_t alert_level = flow->l4.tcp.tls.message.buffer[5];
+
+ if(alert_level == 2 /* Warning (1), Fatal (2) */)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT);
+ }
+ }
+
if((len > 9)
&& (content_type != 0x17 /* Application Data */)
&& (!flow->l4.tcp.tls.certificate_processed)) {
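Review bot: The byte read as `alert_level` at buffer[5] is only the level while the record layer is still in cleartext; in TLS 1.2 and earlier an alert sent after ChangeCipherSpec still carries content type 0x15 but its body is encrypted, so a ciphertext byte that happens to be 2 would set NDPI_TLS_FATAL_ALERT spuriously and a real encrypted fatal alert would be missed. The branch should be gated on whatever cleartext-handshake state the flow already tracks (I cannot see from this hunk whether `certificate_processed` or another field is the right indicator), or the risk documented as covering plaintext alerts only. The `len >= 7` check also guarantees the alert description at buffer[6] is present, but it is never recorded; logging or storing it alongside the risk would let an analyst distinguish a handshake_failure from other fatal reasons. ndpi_search_tls_tcp starts and ends outside the hunk.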
@@ -1130,7 +1145,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n",
extension_len, packet->payload_packet_len - extension_payload_offset);
#endif
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION);
return;
}
@@ -1167,7 +1182,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("[TLS] suspicious extension id: %u\n", extension_id);
#endif
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION);
return;
}
}
@@ -1180,7 +1195,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id);
#endif
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION);
return;
}
}
@@ -1669,7 +1684,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
if (ndpi_is_printable_string(buffer, len) == 0)
{
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION);
}
if(!is_quic) {
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 66b3c6138..2586a5616 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -70,6 +70,8 @@ flow_risks[30] = ProtoField.bool("ndpi.flow_risk.desktop_file_sharing_session",
flow_risks[31] = ProtoField.bool("ndpi.flow_risk.uncommon_tls_alpn", "Uncommon TLS ALPN", num_bits_flow_risks, nil, bit(31), "nDPI Flow Risk: Uncommon TLS ALPN")
-- FIXME: Workaround for masks 32+ bits
-- flow_risks[32] = ProtoField.bool("ndpi.flow_risk.cert_validity_too_long", "TLS certificate validity longer than 13 months", num_bits_flow_risks, nil, bit(32), "nDPI Flow Risk: TLS certificate validity longer than 13 months")
+-- flow_risks[33] = ProtoField.bool("ndpi.flow_risk.suspicious_extension", "TLS suspicious extension", num_bits_flow_risks, nil, bit(33), "nDPI Flow Risk: TLS suspicious extension")
+-- flow_risks[34] = ProtoField.bool("ndpi.flow_risk.fatal_alert", "TLS fatal alert detected", num_bits_flow_risks, nil, bit(34), "nDPI Flow Risk: TLS fatal alert")
for _,v in pairs(flow_risks) do
ndpi_fds[#ndpi_fds + 1] = v