From 8f7b4902c936e549b290b62944e14caa66e3a00f Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 5 Jun 2023 13:41:11 +0200
Subject: [PATCH] socks/dpd: Add newer auth methods

The IANA has allocated a few more authentication methods, minimally extend the signature to catch those.
---
 scripts/base/protocols/socks/dpd.sig | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/socks/dpd.sig b/scripts/base/protocols/socks/dpd.sig
index 808a8bb12a..8b58574b07 100644
--- a/scripts/base/protocols/socks/dpd.sig
+++ b/scripts/base/protocols/socks/dpd.sig
@@ -31,7 +31,7 @@ signature dpd_socks4_reverse_server {
 signature dpd_socks5_client {
 ip-proto == tcp
 # Watch for a few authentication methods to reduce false positives.
- payload /^\x05.[\x00\x01\x02]/
+ payload /^\x05.[\x00\x01\x02\x03\x05\x06\x07\x08\x09]/
 tcp-state originator
 }
 
@@ -40,7 +40,23 @@ signature dpd_socks5_server {
 requires-reverse-signature dpd_socks5_client
 # Watch for a single authentication method to be chosen by the server or
 # the server to indicate the no authentication is required.
+ # From wikipedia:
+ # 0x00: No authentication
+ # 0x01: GSSAPI (RFC 1961)
+ # 0x02: Username/password (RFC 1929)
+ # 0x03–0x7F: methods assigned by IANA[11]
+ # 0x03: Challenge-Handshake Authentication Protocol
+ # 0x04: Unassigned
+ # 0x05: Challenge-Response Authentication Method
+ # 0x06: Secure Sockets Layer
+ # 0x07: NDS Authentication
+ # 0x08: Multi-Authentication Framework
+ # 0x09: JSON Parameter Block
+ # 0x0A–0x7F: Unassigned
+ # 0x80–0xFE: methods reserved for private use
+ #
+ # Keep in sync with dpd_socks5_client, 0xff is "no acceptable methods"
- payload /^\x05[\x00\x01\x02\xff]/
+ payload /^\x05[\x00\x01\x02\x03\x05\x06\x07\x08\x09\xff]/
 tcp-state responder
 enable "socks"
 }
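Review bot: The widened character class in dpd_socks5_client still tests only the first entry of the client's method list (the byte after the count byte matched by `.`), and the existing comment does not say so. A greeting whose first listed method is 0x04 or a private-use code (0x80-0xFE) is not matched. Because dpd_socks5_server carries `requires-reverse-signature dpd_socks5_client`, the analyzer would presumably not be enabled for such a connection at all. I would document the coverage limit next to the pattern, e.g. `# Only the first offered method is tested; greetings that lead with 0x04 or 0x80-0xFE are not matched.`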
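Review bot: The comment block added above the server pattern is pasted from a Wikipedia rendering and keeps the dangling footnote marker `[11]` and non-ASCII en dashes in the ranges, while the commit message itself names IANA as the source. I would cite the registry directly and keep the file ASCII, e.g. `# Method codes per the IANA "SOCKS Methods" registry:` with ranges written as `0x0A-0x7F`. The `Keep in sync with dpd_socks5_client` reminder is added only on this side; a matching `# Keep in sync with dpd_socks5_server` above the client pattern would make a one-sided edit less likely, since the two lists are maintained by hand. The dpd_socks5_server signature opens before the first line of this hunk, so anything ahead of `requires-reverse-signature` is not reviewed here.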