Fixed some problems with the SOCKS analyzer and tests.

scripts/base/frameworks/dpd/dpd.sig

@@ -202,8 +202,9 @@ signature dpd_socks5_client {
 signature dpd_socks5_server {
 	ip-proto == tcp
 	requires-reverse-signature dpd_socks5_client
-	# Watch for a single authentication method to be chosen by the server.
-	payload /^\x05\x01[\x00\x01\x02]/
+	# Watch for a single authentication method to be chosen by the server or
+	# the server to indicate the no authentication is required.
+	payload /^\x05(\x00|\x01[\x00\x01\x02])/
 	tcp-state responder
 	enable "socks"
 }

scripts/base/init-bare.bro

@@ -2402,6 +2402,17 @@ type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
 ##    bt_tracker_response_not_ok
 type bt_tracker_headers: table[string] of string;
 
+module SOCKS;
+export {
+	## This record is for a SOCKS client or server to provide either a 
+	## name or an address to represent a desired or established connection.
+	type Address: record {
+		host: addr   &optional;
+		name: string &optional;
+	} &log;
+}
+module GLOBAL;
+
 @load base/event.bif
 
 ## BPF filter the user has set via the -f command line options. Empty if none.

scripts/base/protocols/socks/main.bro

@@ -8,27 +8,23 @@ export {
 	
 	type Info: record {
 		## Time when the proxy connection was first detected.
-		ts:          time    &log;
-		uid:         string  &log;
-		id:          conn_id &log;
+		ts:          time            &log;
+		uid:         string          &log;
+		id:          conn_id         &log;
 		## Protocol version of SOCKS.
-		version:     count   &log;
+		version:     count           &log;
 		## Username for the proxy if extracted from the network.
-		user:        string  &log &optional;
+		user:        string          &log &optional;
 		## Server status for the attempt at using the proxy.
-		status:      string  &log &optional;
-		## Client requested address.  Mutually exclusive with req_name.
-		req_h:       addr    &log &optional;
-		## Client requested domain name.  Mutually exclusive with req_h.
-		req_name:    string  &log &optional;
+		status:      string          &log &optional;
+		## Client requested SOCKS address.  Could be an address, a name or both.
+		request:     SOCKS::Address  &log &optional;
 		## Client requested port.
-		req_p:       port    &log &optional;
-		## Server bound address. Mutually exclusive with bound_name.
-		bound_h:     addr    &log &optional;
-		## Server bound domain name. Mutually exclusive with bound_h.
-		bound_name:  string  &log &optional;
+		request_p:   port            &log &optional;
+		## Server bound address.  Could be an address, a name or both.
+		bound:       SOCKS::Address  &log &optional;
 		## Server bound port.
-		bound_p:     port    &log &optional;
+		bound_p:     port            &log &optional;
 	};
 	
 	## Event that can be handled to access the SOCKS
@@ -57,15 +53,12 @@ function set_session(c: connection, version: count)
 	}
 
 event socks_request(c: connection, version: count, request_type: count, 
-                    dstaddr: addr, dstname: string, p: port, user: string) &priority=5
+                    sa: SOCKS::Address, p: port, user: string) &priority=5
 	{
 	set_session(c, version);
 	
-	if ( dstaddr != [::] )
-		c$socks$req_h = dstaddr;
-	if ( dstname != "" )
-		c$socks$req_name = dstname;
-	c$socks$req_p = p;
+	c$socks$request   = sa;
+	c$socks$request_p = p;
 	
 	# Copy this conn_id and set the orig_p to zero because in the case of SOCKS proxies there will
 	# be potentially many source ports since a new proxy connection is established for each 
@@ -75,7 +68,7 @@ event socks_request(c: connection, version: count, request_type: count,
 	Tunnel::register([$cid=cid, $tunnel_type=Tunnel::SOCKS, $payload_proxy=T]);
 	}
 
-event socks_reply(c: connection, version: count, reply: count, dstaddr: addr, dstname: string, p: port) &priority=5
+event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=5
 	{
 	set_session(c, version);
 	
@@ -84,15 +77,11 @@ event socks_reply(c: connection, version: count, reply: count, dstaddr: addr, ds
 	else if ( version == 4 )
 		c$socks$status = v4_status[reply];
 	
-	if ( dstaddr != [::] )
-		c$socks$bound_h = dstaddr;
-	if ( dstname != "" )
-		c$socks$bound_name = dstname;
-	
+	c$socks$bound   = sa;
 	c$socks$bound_p = p;
 	}
 
-event socks_reply(c: connection, version: count, reply: count, dstaddr: addr, dstname: string, p: port) &priority=-5
+event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
 	{
 	Log::write(SOCKS::LOG, c$socks);
 	}