Do not log SOCKS passwords by default.

This introduces a new option, SOCKS::default_capture_password which can be used to specify if Socks passwords are logged by default Like fot FTP/HTTP, this option is set to false by default. Addresses BIT-1791
2025-10-11 19:18:19 +00:00 · 2017-12-01 14:35:51 -08:00 · 2017-12-01 14:35:51 -08:00 · 8ba5c03538
commit 8ba5c03538
parent 1f6954ca3e
5 changed files with 54 additions and 13 deletions
--- a/8
+++ b/8
@ -48,6 +48,14 @@ Changed Functionality
  event is considered deprecated and will be removed in a future
  version of Bro.

+- The Socks analyzer does no longer log passwords by default. This
+  brings its behavior in line with the FTP/HTTP analyzers which also
+  do not log passwords by default.
+
+  To restore the previous behavior and log Socks passwords, use:
+
+  redef SOCKS::default_capture_password = T;
+
 Removed Functionality
 ---------------------

--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@ -6,6 +6,10 @@ module SOCKS;
 export {
 	redef enum Log::ID += { LOG };

+	## This setting changes if passwords are captured or
+	## not.
+	const default_capture_password = F &redef;
+
 	## The record type which contains the fields of the SOCKS log.
 	type Info: record {
 		## Time when the proxy connection was first detected.
@ -32,6 +36,8 @@ export {
 		bound:            SOCKS::Address  &log &optional;
 		## Server bound port.
 		bound_p:          port            &log &optional;
+		## Determines if the password will be captured for this request.
+		capture_password: bool      &default=default_capture_password;
 	};

 	## Event that can be handled to access the SOCKS
@ -93,6 +99,7 @@ event socks_login_userpass_request(c: connection, user: string, password: string
 	set_session(c, 5);

 	c$socks$user = user;
+	if ( c$socks$capture_password )
 		c$socks$password = password;
 	}

--- a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	socks
+#open	2017-12-01-22-33-17
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	user	password	status	request.host	request.name	request_p	bound.host	bound.name	bound_p
+#types	time	string	addr	port	addr	port	count	string	string	string	addr	string	port	addr	string	port
+1368517392.724989	CHhAvVGS1DHFjwGM9	192.168.0.2	55951	192.168.0.1	1080	5	bob	-	succeeded	192.168.0.2	-	22	192.168.0.1	-	55951
+#close	2017-12-01-22-33-17
--- a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2017-12-01-22-33-17
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1368517392.728523	-	192.168.0.2	0	192.168.0.1	1080	Tunnel::SOCKS	Tunnel::DISCOVER
+#close	2017-12-01-22-33-17
--- a/testing/btest/scripts/base/protocols/socks/socks-auth.bro
+++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro
@ -3,3 +3,9 @@
 # @TEST-EXEC: btest-diff tunnel.log

@load base/protocols/socks
+
+redef SOCKS::default_capture_password = T;
+
+@TEST-START-NEXT
+
+@load base/protocols/socks