From 89cae9ddf257e156e3973270aacea51dad2c8662 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Thu, 2 Mar 2023 15:27:30 +0100 Subject: Add a new flow risk about literal IP addresses used as SNI (#1892) RFC 6066 3: "Literal IPv4 and IPv6 addresses are not permitted in "HostName"." Don't set this risk if we have a valid sub-classification (example: via certificate) Since a similar risk already exists for HTTP hostnames, reuse it, with a more generic name. --- doc/flow_risks.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst index 2a0780fce..1cd6c0002 100644 --- a/doc/flow_risks.rst +++ b/doc/flow_risks.rst @@ -73,9 +73,9 @@ HTTP only: this risk is triggered whenever the user agent contains suspicious ch .. _Risk 012: -NDPI_HTTP_NUMERIC_IP_HOST +NDPI_NUMERIC_IP_HOST ========================= -HTTP only: this risk is triggered whenever we're accessing a host using its IP rather than its symbolic name. Example http://1.2.3.4. +This risk is triggered whenever a HTTP/TLS/QUIC connection is using a literal IPv4 or IPv6 address as ServerName (TLS/QUIC; example: SNI=1.2.3.4) or as Hostname (HTTP; example: http://1.2.3.4.). .. _Risk 013: -- cgit v1.2.3
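Review bot: The new description under NDPI_NUMERIC_IP_HOST leaves out the exception stated in the commit message, that the risk is not set when there is a valid sub-classification (example: via certificate). Add a sentence for it, so that someone reading flow_risks.rst knows why a flow with a literal-IP SNI may not carry this risk. In the same added line, the HTTP example ends in "http://1.2.3.4.)." with a stray period before the closing parenthesis, which makes the URL read as if it ended in a dot; "http://1.2.3.4)." is what is meant, and "a HTTP/TLS/QUIC connection" should be "an HTTP/TLS/QUIC connection". The "=====" underline is unchanged context sized for the old, longer title; reStructuredText accepts an underline longer than its title, but trimming it to match NDPI_NUMERIC_IP_HOST keeps the file consistent. Since the risk is renamed here, a short note that it was previously called NDPI_HTTP_NUMERIC_IP_HOST would help readers who search the documentation for the old name.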