From 2722861d6e79d416d3377af4cf6fdaaba2a18de4 Mon Sep 17 00:00:00 2001
From: Nardi Ivan
Date: Thu, 6 Aug 2020 10:29:35 +0200
Subject: Suspicious ESNI usage: add a comment and a pcap example

See: 79b89d286605635f15edfe3c21297aaa3b5f3acf
---
 src/lib/protocols/tls.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index f96745dc6..883de7666 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1434,6 +1434,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
 }

+ /* Suspicious Domain Fronting:
+ https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
 if(flow->protos.stun_ssl.ssl.encrypted_sni.esni &&
 flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
 NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
-- 
cgit v1.2.3
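Review bot: The comment added above the `if` names a technique but not the signal being tested, so a reader cannot connect NDPI_TLS_SUSPICIOUS_ESNI_USAGE to the condition without following the link. I would state the condition in the comment itself, for example `/* Suspicious ESNI usage: cleartext SNI and ESNI extension present in the same ClientHello (seen with domain fronting) */`, and keep the URL as a secondary reference. The URL points at a directory on `master`, which can move or disappear; a permalink to a fixed commit would keep the reference stable. The check also appears to rely on `client_requested_server_name` being empty when no SNI was parsed, which this hunk does not show and is worth confirming, since a stale or uninitialised buffer would raise the risk bit spuriously. processClientServerHello starts and ends outside the hunk.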