stratosphereips
diff --git a/‎.github/workflows/integration-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/integration-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/unit-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/unit-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 2 additions & 3 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎conftest.py‎
Lines changed: 14 additions & 1 deletion b/‎conftest.py‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎dataset/test15-malicious-zeek-dir/ssl.log‎
Lines changed: 3 additions & 2 deletions b/‎dataset/test15-malicious-zeek-dir/ssl.log‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎dataset/test9-mixed-zeek-dir/ssl.log‎
Lines changed: 2 additions & 2 deletions b/‎dataset/test9-mixed-zeek-dir/ssl.log‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎managers/process_manager.py‎
Lines changed: 1 addition & 1 deletion b/‎managers/process_manager.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/flowalerts/dns.py‎
Lines changed: 1 addition & 2 deletions b/‎modules/flowalerts/dns.py‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎modules/flowalerts/set_evidence.py‎
Lines changed: 20 additions & 12 deletions b/‎modules/flowalerts/set_evidence.py‎
Lines changed: 20 additions & 12 deletions
diff --git a/‎modules/flowalerts/ssl.py‎
Lines changed: 8 additions & 6 deletions b/‎modules/flowalerts/ssl.py‎
Lines changed: 8 additions & 6 deletions
@@ -87,7 +87,7 @@ jobs:
 
     - name: Upload Artifacts
       if: success() || failure()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: test_slips_locally-integration-tests-output
         path: |
 
@@ -125,7 +125,7 @@ jobs:
 
     - name: Upload Artifacts
       if: success() || failure()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: test_slips_locally-integration-tests-output
         path: |
 
@@ -20,14 +20,13 @@ repos:
           exclude: '.*dataset/.*|^config/local_ti_files/own_malicious_JA3.csv$|.*test.*|.*\.md$'
 
 -     repo: https://github.com/astral-sh/ruff-pre-commit
-      # Ruff version.
       rev: v0.3.4
       hooks:
         # Run the linter.
         - id: ruff
           args: [ --fix ]
           # excludes formatting slips_files/common/imports.py
-          exclude: (imports|sqlite_db.*)
+          exclude: (imports|sqlite_db.*|conftest.py)
 
 -     repo: https://github.com/psf/black-pre-commit-mirror
       rev: 24.4.2
@@ -36,7 +35,7 @@ repos:
           args: ['--line-length' , '79']
           language_version: python3.12.3
           # excludes formatting slips_files/common/imports.py
-          exclude: imports
+          exclude: (imports|conftest.py)
 
 -     repo: https://github.com/adrienverge/yamllint.git
       rev: v1.31.0
 
@@ -14,7 +14,7 @@
 from slips_files.core.database.database_manager import DBManager
 from slips_files.core.output import Output
 from slips_files.core.flows.zeek import Conn
-
+import logging
 
 # add parent dir to path for imports to work
 current_dir = os.path.dirname(
@@ -24,6 +24,19 @@
 sys.path.insert(0, parent_dir)
 
 
+# Suppress TensorFlow logs from C++ backend
+os.environ["TF_CPP_MIN_LOG_LEVEL"] = "3"  # 3 = ERROR
+# TensorFlow logs oneDNN messages even with TF_CPP_MIN_LOG_LEVEL=3.
+os.environ["TF_ENABLE_ONEDNN_OPTS"] = "0"
+
+import tensorflow as tf
+
+
+# Suppress Python-based TensorFlow logs
+tf.get_logger().setLevel(logging.ERROR)
+logging.getLogger("tensorflow").setLevel(logging.ERROR)
+
+
 @pytest.fixture
 def mock_db():
     # Create a mock version of the database object
 
@@ -1,6 +1,7 @@
-{"ts":95.036038,"uid":"CmjEJ14q2fMkVjIrjh","id.orig_h":"10.0.2.15","id.orig_p":49194,"id.resp_h":"52.0.131.132","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp384r1","server_name":"netflix.com","resumed":false,"established":true,"cert_chain_fuids":["FKMTO94tQEsBTFbPgc","FiN0Qh1UtcWHK5OhI1"],"client_cert_chain_fuids":[],"subject":"CN=www.netflix.com","issuer":"CN=Google Internet Authority G2,O=Google Inc,C=US","validation_status":"certificate is not yet valid"}
+{"ts":95.036038,"uid":"CmjEJ14q2fMkVjIrjh","id.orig_h":"10.0.2.15","id.orig_p":49194,"id.resp_h":"52.0.131.132","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp384r1","server_name":"netflix.com","resumed":false,"established":true,"cert_chain_fuids":["FKMTO94tQEsBTFbPgc","FiN0Qh1UtcWHK5OhI1"],"client_cert_chain_fuids":[],"subject":"CN=www.google.com","issuer":"CN=Google Internet Authority G2,O=Google Inc,C=US","validation_status":"certificate is not yet valid"}
 {"ts":95.035658,"uid":"CofVUoGEO2KmtNRU8","id.orig_h":"10.0.2.15","id.orig_p":49193,"id.resp_h":"54.247.162.104","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","curve":"secp256r1","server_name":"eu-west-1.dc.ads.linkedin.com","resumed":false,"established":true,"cert_chain_fuids":["Fz1tYe2XBbvuv8rdv5","FFhyEd4l0VxQ3oHQYg"],"client_cert_chain_fuids":[],"subject":"CN=ads.linkedin.com,O=LinkedIn Corporation,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"certificate is not yet valid"}
-{"ts":96.79553,"uid":"CS9zxQ7bqVG25o57h","id.orig_h":"10.0.2.15","id.orig_p":49201,"id.resp_h":"23.4.248.213","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"support.microsoft.com","resumed":false,"established":true,"cert_chain_fuids":["FGfeOO1SupRd8nH3a","FDqAH11L7j7Ha50flg"],"client_cert_chain_fuids":[],"subject":"CN=support.microsoft.com,OU=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=WA,C=US","issuer":"CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","validation_status":"certificate is not yet valid","ja3":"6734f37431670b3ab4292b8f60f29984"}
+{"ts":95.035658,"uid":"CofVUoGEO2KmtNRU8","id.orig_h":"10.0.2.15","id.orig_p":49193,"id.resp_h":"123.33.22.33","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","curve":"secp256r1","server_name":"eu-west-1.dc.ads.linkedin.com","resumed":false,"established":true,"cert_chain_fuids":["Fz1tYe2XBbvuv8rdv5","FFhyEd4l0VxQ3oHQYg"],"client_cert_chain_fuids":[],"subject":"CN=ads.linkedin.com,O=LinkedIn Corporation,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"certificate is not yet valid"}
+{"ts":96.79553,"uid":"CS9zxQ7bqVG25o57h","id.orig_h":"10.0.2.15","id.orig_p":49201,"id.resp_h":"23.4.248.213","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"netflix.com","resumed":false,"established":true,"cert_chain_fuids":["FGfeOO1SupRd8nH3a","FDqAH11L7j7Ha50flg"],"client_cert_chain_fuids":[],"subject":"CN=whatever","issuer":"CN=netflix IT SSL SHA2,OU=netflix IT,O=netflix Corporation,L=Redmond,ST=Washington,C=US","validation_status":"certificate is not yet valid","ja3":"6734f37431670b3ab4292b8f60f29984"}
 {"ts":96.918351,"uid":"CENVVlX3lQPg4mBcb","id.orig_h":"10.0.2.15","id.orig_p":49203,"id.resp_h":"54.247.162.104","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","server_name":"eu-west-1.dc.ads.linkedin.com","resumed":true,"established":true}
 {"ts":97.642593,"uid":"C8Yv0q4DKlhvcyneMi","id.orig_h":"10.0.2.15","id.orig_p":49208,"id.resp_h":"185.33.223.218","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"secure.adnxs.com","resumed":false,"established":true,"cert_chain_fuids":["FgAwAF16Y8bQmHTfSi","FB5esu1DguCF1WVOSe"],"client_cert_chain_fuids":[],"subject":"CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US","issuer":"CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US","validation_status":"certificate is not yet valid"}
 {"ts":97.79116,"uid":"CwzCf923y1FlDr18Ea","id.orig_h":"10.0.2.15","id.orig_p":49209,"id.resp_h":"185.33.223.218","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","server_name":"secure.adnxs.com","resumed":true,"established":true}
 
@@ -1,6 +1,6 @@
 {"ts":95.036038,"uid":"CmjEJ14q2fMkVjIrjh","id.orig_h":"10.0.2.15","id.orig_p":49194,"id.resp_h":"204.79.197.200","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp384r1","server_name":"ieonline.microsoft.com","resumed":false,"established":true,"cert_chain_fuids":["FKMTO94tQEsBTFbPgc","FiN0Qh1UtcWHK5OhI1"],"client_cert_chain_fuids":[],"subject":"CN=www.bing.com","issuer":"CN=Google Internet Authority G2,O=Google Inc,C=US","validation_status":"certificate is not yet valid"}
 {"ts":95.035658,"uid":"CofVUoGEO2KmtNRU8","id.orig_h":"10.0.2.15","id.orig_p":49193,"id.resp_h":"54.247.162.104","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","curve":"secp256r1","server_name":"eu-west-1.dc.ads.linkedin.com","resumed":false,"established":true,"cert_chain_fuids":["Fz1tYe2XBbvuv8rdv5","FFhyEd4l0VxQ3oHQYg"],"client_cert_chain_fuids":[],"subject":"CN=ads.linkedin.com,O=LinkedIn Corporation,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"certificate is not yet valid"}
-{"ts":96.79553,"uid":"CS9zxQ7bqVG25o57h","id.orig_h":"10.0.2.15","id.orig_p":49201,"id.resp_h":"23.4.248.213","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"support.microsoft.com","resumed":false,"established":true,"cert_chain_fuids":["FGfeOO1SupRd8nH3a","FDqAH11L7j7Ha50flg"],"client_cert_chain_fuids":[],"subject":"CN=support.microsoft.com,OU=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=WA,C=US","issuer":"CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","validation_status":"certificate is not yet valid","ja3":"6734f37431670b3ab4292b8f60f29984"}
+{"ts":96.79553,"uid":"CS9zxQ7bqVG25o57h","id.orig_h":"10.0.2.15","id.orig_p":49201,"id.resp_h":"23.4.248.213","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"netflix.com","resumed":false,"established":true,"cert_chain_fuids":["FGfeOO1SupRd8nH3a","FDqAH11L7j7Ha50flg"],"client_cert_chain_fuids":[],"subject":"CN=support.microsoft.com,OU=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=WA,C=US","issuer":"CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","validation_status":"certificate is not yet valid","ja3":"6734f37431670b3ab4292b8f60f29984"}
 {"ts":96.918351,"uid":"CENVVlX3lQPg4mBcb","id.orig_h":"10.0.2.15","id.orig_p":49203,"id.resp_h":"54.247.162.104","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","server_name":"eu-west-1.dc.ads.linkedin.com","resumed":true,"established":true}
 {"ts":97.642593,"uid":"C8Yv0q4DKlhvcyneMi","id.orig_h":"10.0.2.15","id.orig_p":49208,"id.resp_h":"185.33.223.218","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"secure.adnxs.com","resumed":false,"established":true,"cert_chain_fuids":["FgAwAF16Y8bQmHTfSi","FB5esu1DguCF1WVOSe"],"client_cert_chain_fuids":[],"subject":"CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US","issuer":"CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US","validation_status":"certificate is not yet valid"}
 {"ts":97.79116,"uid":"CwzCf923y1FlDr18Ea","id.orig_h":"10.0.2.15","id.orig_p":49209,"id.resp_h":"185.33.223.218","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","server_name":"secure.adnxs.com","resumed":true,"established":true}
@@ -18,7 +18,7 @@
 {"ts":99.542318,"uid":"CVjEks28O5BxraAOSf","id.orig_h":"10.0.2.15","id.orig_p":49239,"id.resp_h":"104.96.160.12","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","server_name":"assets.onestore.ms","resumed":true,"established":true}
 {"ts":99.576663,"uid":"Cp7Ae73K73Mhl2Z9G1","id.orig_h":"10.0.2.15","id.orig_p":49244,"id.resp_h":"23.4.249.223","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"www.microsoft.com","resumed":false,"established":true,"cert_chain_fuids":["FK7Il41Zm9voJIkxjf","F7h8xp2aCQ6IUYlR88"],"client_cert_chain_fuids":[],"subject":"CN=www.microsoft.com,OU=MSCOM,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","issuer":"CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US","validation_status":"certificate is not yet valid"}
 {"ts":99.5769,"uid":"C0c0ib2kEJhhnLvxU9","id.orig_h":"10.0.2.15","id.orig_p":49242,"id.resp_h":"23.4.249.223","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"www.microsoft.com","resumed":false,"established":true,"cert_chain_fuids":["Fw96Zc2jRSqw7HfiV7","FYlNCX1Sxt86wQi623"],"client_cert_chain_fuids":[],"subject":"CN=www.microsoft.com,OU=MSCOM,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","issuer":"CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US","validation_status":"certificate is not yet valid"}
-{"ts":99.577159,"uid":"CCaRFW2mHr5QjSxnQk","id.orig_h":"10.0.2.15","id.orig_p":49243,"id.resp_h":"23.4.249.223","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"www.microsoft.com","resumed":false,"established":true,"cert_chain_fuids":["FAqZiovJiKx2hjVog","FjIi3A4UVoAkvFLRd6"],"client_cert_chain_fuids":[],"subject":"CN=www.microsoft.com,OU=MSCOM,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","issuer":"CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US","validation_status":"certificate is not yet valid","ja3s":"49ed2ef3f1321e5f044f1e71b0e6fdd5"}
+{"ts":99.577159,"uid":"CCaRFW2mHr5QjSxnQk","id.orig_h":"10.0.2.15","id.orig_p":49243,"id.resp_h":"123.33.22.11","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"www.netflix.com","resumed":false,"established":true,"cert_chain_fuids":["FAqZiovJiKx2hjVog","FjIi3A4UVoAkvFLRd6"],"client_cert_chain_fuids":[],"subject":"CN=www.microsoft.com,OU=MSCOM,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","issuer":"CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US","validation_status":"certificate is not yet valid","ja3s":"e7d705a3286e19ea42f587b344ee6865"}
 {"ts":99.654964,"uid":"C3c6el2LWkagjE1CUa","id.orig_h":"10.0.2.15","id.orig_p":49246,"id.resp_h":"104.96.160.12","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","server_name":"assets.onestore.ms","resumed":true,"established":true}
 {"ts":99.670901,"uid":"CiKTJDJ4jjLKfMzRb","id.orig_h":"10.0.2.15","id.orig_p":49247,"id.resp_h":"23.4.249.223","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","server_name":"www.microsoft.com","resumed":true,"established":true}
 {"ts":99.578387,"uid":"CP1gyt4jNylMd0zbye","id.orig_h":"10.0.2.15","id.orig_p":49245,"id.resp_h":"23.4.249.223","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp256r1","server_name":"www.microsoft.com","resumed":false,"established":true,"cert_chain_fuids":["FPunt91J4UyxyE4zg5","FhnwZz4XtL2KsygJ1b"],"client_cert_chain_fuids":[],"subject":"CN=www.microsoft.com,OU=MSCOM,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","issuer":"CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US","validation_status":"certificate is not yet valid"}
 
@@ -37,7 +37,7 @@
 )
 
 from slips_files.common.style import green
-from slips_files.core.evidencehandler import EvidenceHandler
+from slips_files.core.evidence_handler import EvidenceHandler
 from slips_files.core.input import Input
 from slips_files.core.output import Output
 from slips_files.core.profiler import Profiler
 
@@ -451,8 +451,7 @@ def check_invalid_dns_answers(self, twid, flow):
         """
         this function is used to check for private IPs in the answers of
         a dns queries.
-        probably means the queries is being blocked
-        (perhaps by ad blockers) and set to a private IP value
+        Can be because of PI holes or DNS rebinding attacks
         """
         if not flow.answers:
             return
 
@@ -405,8 +405,9 @@ def non_ssl_port_443_conn(self, twid, flow) -> None:
     def incompatible_cn(self, twid, flow, org: str) -> None:
         confidence: float = 0.9
         description: str = (
-            f"Incompatible certificate CN to IP: {flow.daddr} "
-            f"claiming to belong {org.capitalize()}."
+            f"Incompatible certificate CN to IP: {flow.daddr} domain: "
+            f"{flow.server_name}. The certificate is "
+            f"claiming to belong to {org.capitalize()}."
         )
 
         twid_number: int = int(twid.replace("timewindow", ""))
@@ -1142,11 +1143,12 @@ def suspicious_dns_answer(
         self.db.set_evidence(evidence)
 
     def invalid_dns_answer(self, twid, flow, invalid_answer) -> None:
-        confidence: float = 0.7
+        confidence: float = 0.8
         twid: int = int(twid.replace("timewindow", ""))
 
         description: str = (
-            f"The DNS query {flow.query} was resolved to {invalid_answer}"
+            f"Invalid DNS answer. The DNS query {flow.query} was resolved to "
+            f"the private IP: {invalid_answer}"
         )
 
         evidence: Evidence = Evidence(
@@ -1156,6 +1158,11 @@ def invalid_dns_answer(self, twid, flow, invalid_answer) -> None:
                 attacker_type=IoCType.IP,
                 value=flow.saddr,
             ),
+            victim=Victim(
+                direction=Direction.DST,
+                victim_type=IoCType.DOMAIN,
+                value=flow.query,
+            ),
             threat_level=ThreatLevel.INFO,
             confidence=confidence,
             description=description,
@@ -1164,7 +1171,6 @@ def invalid_dns_answer(self, twid, flow, invalid_answer) -> None:
             uid=[flow.uid],
             timestamp=flow.starttime,
         )
-
         self.db.set_evidence(evidence)
 
     def port_0_connection(
@@ -1223,11 +1229,13 @@ def malicious_ja3s(self, twid, flow, malicious_ja3_dict: dict) -> None:
 
         description = (
             f"Malicious JA3s: (possible C&C server): {flow.ja3s} "
-            f"to server {flow.daddr}"
+            f"to server {flow.daddr}."
         )
         if ja3_description != "None":
-            description += f"description: {ja3_description} "
-        description += f"tags: {tags}"
+            description += f" description: {ja3_description}."
+        if tags:
+            description += f" tags: {tags}"
+
         confidence: float = 1
         twid_number: int = int(twid.replace("timewindow", ""))
         # to add a correlation between the 2 evidence in alerts.json
@@ -1278,19 +1286,19 @@ def malicious_ja3s(self, twid, flow, malicious_ja3_dict: dict) -> None:
 
     def malicious_ja3(self, twid, flow, malicious_ja3_dict: dict) -> None:
         ja3_info: dict = json.loads(malicious_ja3_dict[flow.ja3])
-
         threat_level: str = ja3_info["threat_level"].upper()
         threat_level: ThreatLevel = ThreatLevel[threat_level]
 
         tags: str = ja3_info.get("tags", "")
         ja3_description: str = ja3_info["description"]
 
         description = (
-            f"Malicious JA3: {flow.ja3} from source address {flow.saddr}"
+            f"Malicious JA3: {flow.ja3} from source address {flow.saddr}."
         )
         if ja3_description != "None":
-            description += f" description: {ja3_description} "
-        description += f" tags: {tags}"
+            description += f" description: {ja3_description}."
+        if tags:
+            description += f" tags: {tags}"
 
         evidence: Evidence = Evidence(
             evidence_type=EvidenceType.MALICIOUS_JA3,
 
@@ -90,17 +90,17 @@ def detect_incompatible_cn(self, twid, flow):
         Detects if a certificate claims that it's CN (common name) belongs
         to an org that the domain doesn't belong to
         """
-        if not flow.issuer:
+        if not flow.subject:
             return False
 
-        found_org_in_cn = ""
+        org_found_in_cn = ""
         for org in utils.supported_orgs:
-            if org not in flow.issuer.lower():
+            if org not in flow.subject.lower():
                 continue
 
             # save the org this domain/ip is claiming to belong to,
             # to use it to set evidence later
-            found_org_in_cn = org
+            org_found_in_cn = org
 
             # check that the ip belongs to that same org
             if self.whitelist.org_analyzer.is_ip_in_org(flow.daddr, org):
@@ -115,13 +115,15 @@ def detect_incompatible_cn(self, twid, flow):
             ):
                 return False
 
-        if not found_org_in_cn:
+        if not org_found_in_cn:
+            # the certificate doesn't claim to belong to any of slips known
+            # orgs
             return False
 
         # found one of our supported orgs in the cn but
         # it doesn't belong to any of this org's
         # domains or ips
-        self.set_evidence.incompatible_cn(twid, flow, found_org_in_cn)
+        self.set_evidence.incompatible_cn(twid, flow, org_found_in_cn)
 
     def check_non_ssl_port_443_conns(self, twid, flow):
         """
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@`
`37`	`37`	`)`
`38`	`38`
`39`	`39`	`from slips_files.common.style import green`
`40`		`-from slips_files.core.evidencehandler import EvidenceHandler`
	`40`	`+from slips_files.core.evidence_handler import EvidenceHandler`
`41`	`41`	`from slips_files.core.input import Input`
`42`	`42`	`from slips_files.core.output import Output`
`43`	`43`	`from slips_files.core.profiler import Profiler`