Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 18:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix misidentification of SOCKS traffic. Traffic that had a certain bytestring would get incorrectly identified as SOCKS. This seemed to happen a lot with DCE/RPC traffic.

Browse source
This commit is contained in:
Vlad Grigorescu 2014-01-24 21:00:55 -05:00
parent 430cf311e9
commit 56acd99d15
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/analyzer/protocol/socks/socks-analyzer.pac
View file

@ -64,6 +64,12 @@ refine connection SOCKS_Conn += {
bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved})); bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
return false; return false;
} }
if ( ( ${request.command} == 0 ) || ( ${request.command} > 3 ) )
{
bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
bro_analyzer()->SetSkip(true);
return false;
}
RecordVal* sa = new RecordVal(socks_address); RecordVal* sa = new RecordVal(socks_address);
@ -105,7 +111,7 @@ refine connection SOCKS_Conn += {
function socks5_reply(reply: SOCKS5_Reply): bool function socks5_reply(reply: SOCKS5_Reply): bool
%{ %{
RecordVal* sa = new RecordVal(socks_address); RecordVal* sa = new RecordVal(socks_address);
// This is dumb and there must be a better way (checking for presence of a field)... // This is dumb and there must be a better way (checking for presence of a field)...
switch ( ${reply.bound.addr_type} ) switch ( ${reply.bound.addr_type} )
{ {