Updates for the SOCKS analyzer.

- Now supports SOCKSv5 in the analyzer and the DPD sigs.

- Reworked the core events.

- Tests.

- A SOCKS log!

scripts/base/frameworks/dpd/dpd.sig

@@ -162,33 +162,48 @@ signature dpd_teredo {
   enable "teredo"
 }
 
-signature dpd_socks_client {
+signature dpd_socks4_client {
 	ip-proto == tcp
 	# '32' is a rather arbitrary max length for the user name.
 	payload /^\x04[\x01\x02].{0,32}\x00/
 	tcp-state originator
 }
 
-signature dpd_socks_server {
+signature dpd_socks4_server {
 	ip-proto == tcp
-	requires-reverse-signature dpd_socks_client
+	requires-reverse-signature dpd_socks4_client
 	payload /^\x00[\x5a\x5b\x5c\x5d]/
 	tcp-state responder
 	enable "socks"
 }
 
-signature dpd_socks_reverse_client {
+signature dpd_socks4_reverse_client {
 	ip-proto == tcp
 	# '32' is a rather arbitrary max length for the user name.
 	payload /^\x04[\x01\x02].{0,32}\x00/
 	tcp-state responder
 }
 
-signature dpd_socks_reverse_server {
+signature dpd_socks4_reverse_server {
 	ip-proto == tcp
-	requires-reverse-signature dpd_socks_client
+	requires-reverse-signature dpd_socks4_reverse_client
 	payload /^\x00[\x5a\x5b\x5c\x5d]/
 	tcp-state originator
 	enable "socks"
 }
 
+signature dpd_socks5_client {
+	ip-proto == tcp
+	payload /^\x05/
+	tcp-state originator
+}
+
+signature dpd_socks5_server {
+	ip-proto == tcp
+	requires-reverse-signature dpd_socks5_client
+	payload /^\x05/
+	tcp-state responder
+	enable "socks"
+}
+
+