TLS Risks - Certificate Validity Too Long (#1239)

* Added flow risk: TLS certificate too long * Added flow risk: TLS certificate too long * Date for TLS limit added * TLS certificate check fixed Co-authored-by: pacant <a.pace97@outlook.com>
2026-05-20 01:01:32 +00:00 · 2021-07-14 11:13:22 +02:00 · 2021-07-14 11:13:22 +02:00 · 19a29e1e22
commit 19a29e1e22
parent c411df523e
7 changed files with 70 additions and 2 deletions
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@ -101,6 +101,7 @@ typedef enum {
  NDPI_MALICIOUS_SHA1_CERTIFICATE,
  NDPI_DESKTOP_OR_FILE_SHARING_SESSION, /* 30 */
  NDPI_TLS_UNCOMMON_ALPN,
+  NDPI_TLS_CERT_VALIDITY_TOO_LONG,

  /* Leave this as last member */
  NDPI_MAX_RISK /* must be <= 63 due to (**) */
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@ -102,6 +102,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
  { NDPI_MALICIOUS_SHA1_CERTIFICATE,            NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
  { NDPI_DESKTOP_OR_FILE_SHARING_SESSION,       NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE },
  { NDPI_TLS_UNCOMMON_ALPN,                     NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+  { NDPI_TLS_CERT_VALIDITY_TOO_LONG,            NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },

  /* Leave this as last member */
  { NDPI_MAX_RISK,                              NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE }
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@ -1731,6 +1731,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {

  case NDPI_TLS_UNCOMMON_ALPN:
    return("Uncommon TLS ALPN");
+    
+  case NDPI_TLS_CERT_VALIDITY_TOO_LONG:
+    return("TLS certificate validity longer than 13 months");
+

  default:
    snprintf(buf, sizeof(buf), "%d", (int)risk);
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@ -94,6 +94,8 @@ union ja3_info {
 */

 #define NDPI_MAX_TLS_REQUEST_SIZE 10000
+#define TLS_THRESHOLD 34186659 // Threshold for certificate validity
+#define TLS_LIMIT_DATE 1598918400 // From 01/09/2020 TLS certificates lifespan is limited to 13 months

 /* skype.c */
 extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
@ -420,7 +422,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 	for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]);
 	printf("]\n");
 #endif
-
+    
 	if(len < (sizeof(utcDate)-1)) {
 	  struct tm utc;
 	  utc.tm_isdst = -1; /* Not set by strptime */
@ -454,7 +456,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 	    for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]);
 	    printf("]\n");
 #endif
-
+                
 	    if(len < (sizeof(utcDate)-1)) {
 	      struct tm utc;
 	      utc.tm_isdst = -1; /* Not set by strptime */
@ -472,6 +474,9 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 	      }
 	    }

+		if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE) 
+        	if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD)
+				ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/

 	    if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore)
 	       || (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter))
--- a/tests/pcap/tls_certificate_too_long.pcap
+++ b/tests/pcap/tls_certificate_too_long.pcap
--- a/tests/result/tls_certificate_too_long.pcap.out
+++ b/tests/result/tls_certificate_too_long.pcap.out
@ -0,0 +1,56 @@
+Protocol statistics:
+	Safe                         49251 bytes
+	Acceptable                   54851 bytes
+	Tracker/Ads                   3310 bytes
+	Unrated                       5582 bytes
+
+Risk stats [found 10 (28.6 %) flows with risks]:
+	Binary application transfer                  2 [20.0 %]
+	TLS certificate validity longer than 13 months     8 [80.0 %]
+
+	NOTE: as one flow can have multiple risks set, the sum of the
+	      last column can exceed the number of flows with risks.
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.121            	 1      
+
+
+	1	TCP 192.168.1.121:53428 <-> 52.98.163.18:443 [proto: 91.219/TLS.Microsoft365][cat: Collaborative/15][29 pkts/21518 bytes <-> 43 pkts/11702 bytes][Goodput ratio: 93/80][0.38 sec][bytes ratio: 0.295 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/7 67/51 19/15][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 742/272 1502/1366 612/367][PLAIN TEXT (@AnNDf)][Plen Bins: 0,35,7,0,3,5,3,1,0,1,0,0,3,0,0,0,0,0,0,0,3,0,0,0,0,0,0,10,0,1,0,0,1,0,0,0,0,0,3,0,3,1,0,0,0,15,0,0]
+	2	TCP 192.168.1.121:53429 <-> 52.98.163.18:443 [proto: 91.219/TLS.Microsoft365][cat: Collaborative/15][16 pkts/10693 bytes <-> 38 pkts/9863 bytes][Goodput ratio: 92/79][0.15 sec][bytes ratio: 0.040 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/3 17/42 5/9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 668/260 1502/1372 596/276][PLAIN TEXT (egNBzU5)][Plen Bins: 0,20,2,2,2,0,29,17,2,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,4,0,0,2,0,0,0,0,0,0,0,0,0,2,2,0,0,0,9,0,0]
+	3	TCP 192.168.1.121:53911 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][7 pkts/919 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 56/93][0.25 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.637 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/17 51/50 25/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131/829 571/1502 180/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	4	TCP 192.168.1.121:53915 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][7 pkts/919 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 56/93][0.16 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.637 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/18 53/53 25/25][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131/829 571/1502 180/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	5	TCP 192.168.1.121:53916 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][7 pkts/919 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 56/93][0.19 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.637 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 20/17 51/50 25/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 131/829 571/1502 180/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	6	TCP 192.168.1.121:53910 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.28 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 47/16 138/48 50/23][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	7	TCP 192.168.1.121:53914 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.15 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/16 48/48 22/23][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	8	TCP 192.168.1.121:53917 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.16 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/17 50/50 22/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	9	TCP 192.168.1.121:53918 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.16 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21/17 51/51 23/24][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	10	TCP 192.168.1.121:53919 <-> 40.113.10.47:443 [proto: 91.212/TLS.Microsoft][cat: Cloud/13][6 pkts/865 bytes <-> 5 pkts/4143 bytes][Goodput ratio: 60/93][0.16 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.655 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/16 48/48 21/23][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 144/829 571/1502 191/652][Risk: ** TLS certificate validity longer than 13 months **][Risk Score: 50][TLSv1.2][Client: wdcp.microsoft.com][JA3C: 656b9a2f4de6ed4909e157482860ab3d][ServerNames: wdcp.microsoft.com,spynet2.microsoft.com,wdcpalt.microsoft.com,spynetalt.microsoft.com,*.cp.wd.microsoft.com][JA3S: 17e97216fa7f4ec8c43090c6eed97c25][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=wdcp.microsoft.com][Certificate SHA-1: 81:41:67:66:7E:A9:1B:AA:61:3D:DE:D1:41:E7:17:13:CE:C4:3B:22][Safari][Validity: 2020-12-10 19:38:28 - 2022-03-10 19:38:28][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
+	11	TCP 192.168.1.121:53913 <-> 2.22.33.235:80 [proto: 7.212/HTTP.Microsoft][cat: FileTransfer/7][6 pkts/621 bytes <-> 5 pkts/2517 bytes][Goodput ratio: 34/87][0.04 sec][Host: www.microsoft.com][bytes ratio: -0.604 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 20/11 8/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 104/503 279/1502 79/576][URL: www.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt][StatusCode: 200][Content-Type: application/octet-stream][User-Agent: com.apple.trustd/2.0][Risk: ** Binary application transfer **][Risk Score: 250][PLAIN TEXT (GET /pkiops/certs/MicSecSerCA)][Plen Bins: 0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0]
+	12	TCP 192.168.1.121:53912 <-> 2.22.33.235:80 [proto: 7.212/HTTP.Microsoft][cat: FileTransfer/7][6 pkts/619 bytes <-> 5 pkts/2282 bytes][Goodput ratio: 34/85][0.05 sec][Host: www.microsoft.com][bytes ratio: -0.573 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/7 21/11 8/5][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/456 277/1502 78/558][URL: www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt][StatusCode: 200][Content-Type: application/octet-stream][User-Agent: com.apple.trustd/2.0][Risk: ** Binary application transfer **][Risk Score: 250][PLAIN TEXT (GET /pki/certs/MicRooCerAut)][Plen Bins: 0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0]
+	13	UDP 192.168.1.121:52251 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Web/5][8 pkts/767 bytes <-> 8 pkts/1085 bytes][Goodput ratio: 56/69][1.01 sec][Host: 60.21.149.52.in-addr.arpa][::][bytes ratio: -0.172 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 165/2 988/5 368/2][Pkt Len c2s/s2c min/avg/max/stddev: 80/86 96/136 132/196 21/42][PLAIN TEXT (msnhst)][Plen Bins: 0,57,18,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	14	UDP 192.168.1.121:51998 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Web/5][3 pkts/255 bytes <-> 3 pkts/449 bytes][Goodput ratio: 50/72][1.02 sec][Host: 235.33.22.2.in-addr.arpa][::][bytes ratio: -0.276 (Download)][IAT c2s/s2c min/avg/max/stddev: 999/996 500/498 999/996 500/498][Pkt Len c2s/s2c min/avg/max/stddev: 84/131 85/150 86/171 1/16][PLAIN TEXT (deploy)][Plen Bins: 0,51,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	15	UDP 192.168.1.121:5353 -> 192.168.1.139:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/383 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][Host: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	16	UDP 192.168.1.121:51364 <-> 8.8.8.8:53 [proto: 5.212/DNS.Microsoft][cat: Cloud/13][1 pkts/77 bytes <-> 1 pkts/289 bytes][Goodput ratio: 45/85][0.01 sec][Host: www.microsoft.com][::][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	17	TCP 130.211.33.145:443 <-> 192.168.1.121:53432 [proto: 91.126/TLS.Google][cat: Web/5][2 pkts/163 bytes <-> 2 pkts/167 bytes][Goodput ratio: 19/21][0.01 sec][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	18	UDP 192.168.1.121:55567 <-> 8.8.8.8:53 [proto: 5.212/DNS.Microsoft][cat: Cloud/13][1 pkts/78 bytes <-> 1 pkts/250 bytes][Goodput ratio: 46/83][0.07 sec][Host: wdcp.microsoft.com][::][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	19	UDP 192.168.1.121:58161 <-> 8.8.8.8:53 [proto: 5.212/DNS.Microsoft][cat: Cloud/13][1 pkts/77 bytes <-> 1 pkts/244 bytes][Goodput ratio: 45/82][0.03 sec][Host: www.microsoft.com][2.22.33.235][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	20	UDP [fe80::1059:a858:f9e7:cf94]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/320 bytes -> 0 pkts/0 bytes][Goodput ratio: 61/0][1.02 sec][Host: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	21	UDP 192.168.1.121:65492 <-> 8.8.8.8:53 [proto: 5.212/DNS.Microsoft][cat: Cloud/13][1 pkts/115 bytes <-> 1 pkts/191 bytes][Goodput ratio: 63/78][0.07 sec][Host: wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com][::][PLAIN TEXT (northeurope)][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	22	TCP 192.168.1.121:53905 <-> 140.82.113.26:443 [proto: 91/TLS][cat: Web/5][2 pkts/120 bytes <-> 2 pkts/163 bytes][Goodput ratio: 0/19][0.11 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	23	UDP 192.168.1.121:53884 <-> 8.8.8.8:53 [proto: 5.212/DNS.Microsoft][cat: Cloud/13][1 pkts/78 bytes <-> 1 pkts/203 bytes][Goodput ratio: 46/79][0.02 sec][Host: wdcp.microsoft.com][40.113.10.47][PLAIN TEXT (microsoft)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	24	UDP 192.168.1.139:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][2 pkts/280 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][1.02 sec][Host: _companion-link._tcp.local][_companion-link._tcp.local][PLAIN TEXT (companion)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	25	UDP 192.168.1.121:65213 <-> 8.8.8.8:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/80 bytes <-> 1 pkts/193 bytes][Goodput ratio: 47/78][0.01 sec][Host: time-macos.apple.com][17.253.54.251][PLAIN TEXT (aaplimg)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	26	UDP 192.168.1.121:55578 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/150 bytes][Goodput ratio: 51/72][0.01 sec][Host: e13678.dscb.akamaiedge.net][::][PLAIN TEXT (akamaiedge)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	27	UDP 192.168.1.121:54561 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][cat: Web/5][1 pkts/86 bytes <-> 1 pkts/102 bytes][Goodput ratio: 51/58][0.03 sec][Host: e13678.dscb.akamaiedge.net][2.22.33.235][PLAIN TEXT (akamaiedge)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	28	UDP 192.168.1.121:49216 <-> 17.253.54.251:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 53/53][0.03 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	29	UDP 192.168.1.121:50288 <-> 17.253.54.251:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 53/53][0.03 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	30	UDP 192.168.1.121:56865 <-> 17.253.54.251:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 53/53][0.03 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	31	UDP 192.168.1.121:65099 <-> 17.253.54.251:123 [proto: 9.140/NTP.Apple][cat: System/18][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 53/53][0.03 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	32	TCP 192.168.1.121:52746 <-> 52.149.21.60:443 [proto: 91/TLS][cat: Web/5][1 pkts/54 bytes <-> 1 pkts/54 bytes][Goodput ratio: 0/0][0.18 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	33	IGMP 192.168.1.139:0 -> 224.0.0.2:0 [proto: 82/IGMP][cat: Network/14][1 pkts/46 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	34	IGMP 192.168.1.139:0 -> 224.0.0.251:0 [proto: 82/IGMP][cat: Network/14][1 pkts/46 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+
+Undetected flows:
+	1	TCP 192.168.1.121:52721 <-> 192.168.1.139:55367 [proto: 0/Unknown][6 pkts/1578 bytes <-> 7 pkts/4004 bytes][Goodput ratio: 75/88][1.86 sec][bytes ratio: -0.435 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 388/69 825/279 297/108][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 263/572 460/1514 197/612][Plen Bins: 0,0,0,0,0,0,14,0,0,0,0,0,57,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,0,0]
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@ -68,6 +68,7 @@ flow_risks[28] = ProtoField.bool("ndpi.flow_risk.possibly_malicious_ja3", "Possi
 flow_risks[29] = ProtoField.bool("ndpi.flow_risk.possibly_malicious_ssl_certificate_sha1", "Possibly Malicious SSL Certificate SHA1 Fingerprint", num_bits_flow_risks, nil, bit(29), "nDPI Flow Risk: Possibly Malicious SSL Certificate SHA1 Fingerprint")
 flow_risks[30] = ProtoField.bool("ndpi.flow_risk.desktop_file_sharing_session", "Desktop/File Sharing Session", num_bits_flow_risks, nil, bit(30), "nDPI Flow Risk: Desktop/File Sharing Session")
 flow_risks[31] = ProtoField.bool("ndpi.flow_risk.uncommon_tls_alpn", "Uncommon TLS ALPN", num_bits_flow_risks, nil, bit(31), "nDPI Flow Risk: Uncommon TLS ALPN")
+flow_risks[32] = ProtoField.bool("ndpi.flow_risk.cert_validity_too_long", "TLS certificate validity longer than 13 months", num_bits_flow_risks, nil, bit(32), "nDPI Flow Risk: TLS certificate validity longer than 13 months")
 for _,v in pairs(flow_risks) do
  ndpi_fds[#ndpi_fds + 1] = v
 end