From 56acd99d15e2e64182a685afa84efe7741213b8c Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Fri, 24 Jan 2014 21:00:55 -0500 Subject: [PATCH] Fix misidentification of SOCKS traffic. Traffic that had a certain bytestring would get incorrectly identified as SOCKS. This seemed to happen a lot with DCE/RPC traffic. --- src/analyzer/protocol/socks/socks-analyzer.pac | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 885542fc2a..b7cbaaceac 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -64,6 +64,12 @@ refine connection SOCKS_Conn += { bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved})); return false; } + if ( ( ${request.command} == 0 ) || ( ${request.command} > 3 ) ) + { + bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved})); + bro_analyzer()->SetSkip(true); + return false; + } RecordVal* sa = new RecordVal(socks_address); @@ -105,7 +111,7 @@ refine connection SOCKS_Conn += { function socks5_reply(reply: SOCKS5_Reply): bool %{ RecordVal* sa = new RecordVal(socks_address); - + // This is dumb and there must be a better way (checking for presence of a field)... switch ( ${reply.bound.addr_type} ) {
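Review bot: The ProtocolViolation raised by the new command check reuses the reserved-field message verbatim — it reports `invalid value in reserved field: %d` with `${request.reserved}` even though the branch rejects `${request.command}` — so the notice blames a field whose value was just validated as correct and hides the command value that actually triggered it; change that line to `bro_analyzer()->ProtocolViolation(fmt("invalid value in command field: %d", ${request.command}));`. The enclosing request-parsing function starts and ends outside the hunk. The check itself looks right for SOCKS5 (CONNECT/BIND/UDP ASSOCIATE are 1–3), but a reader will ask why this branch calls `SetSkip(true)` while the reserved-field check just above it does not; presumably an unknown command means the stream is not SOCKS at all (the DCE/RPC case in the description), so a one-line comment such as `// Commands are 1..3; anything else means this is not SOCKS, so stop analysing the connection.` above the `if` would make that deliberate.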