Merge remote-tracking branch 'origin/topic/vladg/socks_fix'

* origin/topic/vladg/socks_fix:
  Fix misidentification of SOCKS traffic. Traffic that had a certain bytestring would get incorrectly identified as SOCKS. This seemed to happen a lot with DCE/RPC traffic.

Tweaked the error message and added SetSkip() to the "reserved" case
as well.

BIT-1130 #merged

CHANGES

@@ -1,4 +1,9 @@
 
+2.2-173 | 2014-02-14 10:50:15 -0800
+
+  * Fix misidentification of SOCKS traffic that in particiular seemed
+    to happen a lot with DCE/RPC traffic. (Vlad Grigorescu)
+
 2.2-170 | 2014-02-13 16:42:07 -0800
 
   * Refactor DNS script's state management to improve performance.

VERSION

@@ -1 +1 @@
-2.2-170
+2.2-173

src/analyzer/protocol/socks/socks-analyzer.pac

@@ -62,6 +62,14 @@ refine connection SOCKS_Conn += {
 		if ( ${request.reserved} != 0 )
 			{
 			bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
+			bro_analyzer()->SetSkip(true);
+			return false;
+			}
+
+		if ( (${request.command} == 0) || (${request.command} > 3) )
+			{
+			bro_analyzer()->ProtocolViolation(fmt("undefined value in command field: %d", ${request.command}));
+			bro_analyzer()->SetSkip(true);
 			return false;
 			}
 
@@ -105,7 +113,7 @@ refine connection SOCKS_Conn += {
 	function socks5_reply(reply: SOCKS5_Reply): bool
 		%{
 		RecordVal* sa = new RecordVal(socks_address);
-
+		
 		// This is dumb and there must be a better way (checking for presence of a field)...
 		switch ( ${reply.bound.addr_type} )
 			{