From 89cae9ddf257e156e3973270aacea51dad2c8662 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Thu, 2 Mar 2023 15:27:30 +0100 Subject: Add a new flow risk about literal IP addresses used as SNI (#1892) RFC 6066 3: "Literal IPv4 and IPv6 addresses are not permitted in "HostName"." Don't set this risk if we have a valid sub-classification (example: via certificate) Since a similar risk already exists for HTTP hostnames, reuse it, with a more generic name. --- src/lib/ndpi_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/lib/ndpi_main.c') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 9340e4c58..6c7ba2e15 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -142,7 +142,7 @@ static ndpi_risk_info ndpi_known_risks[] = { { NDPI_TLS_CERTIFICATE_EXPIRED, NDPI_RISK_HIGH, CLIENT_LOW_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE }, { NDPI_TLS_CERTIFICATE_MISMATCH, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE }, { NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, - { NDPI_HTTP_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, + { NDPI_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_HTTP_SUSPICIOUS_URL, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, @@ -2946,7 +2946,7 @@ static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct const ndpi_risk risks_to_mask[] = { NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_BINARY_APPLICATION_TRANSFER, - NDPI_HTTP_NUMERIC_IP_HOST, + NDPI_NUMERIC_IP_HOST, NDPI_MALICIOUS_JA3, NDPI_NO_RISK /* End */ }; -- cgit v1.2.3