Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 01:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fixed some problems with the SOCKS analyzer and tests.

Browse source
This commit is contained in:
Seth Hall 2012-06-20 22:57:46 -04:00
parent f59736cb17
commit 6b8b4dab71
9 changed files with 63 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

47
scripts/base/protocols/socks/main.bro
View file

@ -8,27 +8,23 @@ export {
type Info: record {
## Time when the proxy connection was first detected.
ts: time &log;
uid: string &log;
id: conn_id &log;
ts: time &log;
uid: string &log;
id: conn_id &log;
## Protocol version of SOCKS.
version: count &log;
version: count &log;
## Username for the proxy if extracted from the network.
user: string &log &optional;
user: string &log &optional;
## Server status for the attempt at using the proxy.
status: string &log &optional;
## Client requested address. Mutually exclusive with req_name.
req_h: addr &log &optional;
## Client requested domain name. Mutually exclusive with req_h.
req_name: string &log &optional;
status: string &log &optional;
## Client requested SOCKS address. Could be an address, a name or both.
request: SOCKS::Address &log &optional;
## Client requested port.
req_p: port &log &optional;
## Server bound address. Mutually exclusive with bound_name.
bound_h: addr &log &optional;
## Server bound domain name. Mutually exclusive with bound_h.
bound_name: string &log &optional;
request_p: port &log &optional;
## Server bound address. Could be an address, a name or both.
bound: SOCKS::Address &log &optional;
## Server bound port.
bound_p: port &log &optional;
bound_p: port &log &optional;
};
## Event that can be handled to access the SOCKS
@ -57,15 +53,12 @@ function set_session(c: connection, version: count)
}
event socks_request(c: connection, version: count, request_type: count,
dstaddr: addr, dstname: string, p: port, user: string) &priority=5
sa: SOCKS::Address, p: port, user: string) &priority=5
{
set_session(c, version);
if ( dstaddr != [::] )
c$socks$req_h = dstaddr;
if ( dstname != "" )
c$socks$req_name = dstname;
c$socks$req_p = p;
c$socks$request = sa;
c$socks$request_p = p;
# Copy this conn_id and set the orig_p to zero because in the case of SOCKS proxies there will
# be potentially many source ports since a new proxy connection is established for each
@ -75,7 +68,7 @@ event socks_request(c: connection, version: count, request_type: count,
Tunnel::register([$cid=cid, $tunnel_type=Tunnel::SOCKS, $payload_proxy=T]);
}
event socks_reply(c: connection, version: count, reply: count, dstaddr: addr, dstname: string, p: port) &priority=5
event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=5
{
set_session(c, version);
@ -84,15 +77,11 @@ event socks_reply(c: connection, version: count, reply: count, dstaddr: addr, ds
else if ( version == 4 )
c$socks$status = v4_status[reply];
if ( dstaddr != [::] )
c$socks$bound_h = dstaddr;
if ( dstname != "" )
c$socks$bound_name = dstname;
c$socks$bound = sa;
c$socks$bound_p = p;
}
event socks_reply(c: connection, version: count, reply: count, dstaddr: addr, dstname: string, p: port) &priority=-5
event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
{
Log::write(SOCKS::LOG, c$socks);
}