Merge remote-tracking branch 'origin/topic/johanna/socks-password'

* origin/topic/johanna/socks-password:
  Do not log SOCKS passwords by default.

BIT-1791 #merged

CHANGES

@@ -1,4 +1,11 @@
 
+2.5-362 | 2017-12-02 09:45:04 -0600
+
+  * BIT-1791: Do not log SOCKS passwords by default and add
+    SOCKS::default_capture_password option.  (Johanna Amann)
+
+  * Add missing ; in SSL binpac parser, found by Luke Valenta. (Johanna Amann)
+
 2.5-359 | 2017-11-29 14:01:37 -0600
 
   * Add --ccache option to configure script (requires CMake 3.10+). (Corelight)

NEWS

@@ -48,6 +48,14 @@ Changed Functionality
   event is considered deprecated and will be removed in a future
   version of Bro.
 
+- The Socks analyzer no longer logs passwords by default. This
+  brings its behavior in line with the FTP/HTTP analyzers which also
+  do not log passwords by default.
+
+  To restore the previous behavior and log Socks passwords, use:
+
+  redef SOCKS::default_capture_password = T;
+
 Removed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-2.5-359
+2.5-362

scripts/base/protocols/socks/main.bro

@@ -6,32 +6,37 @@ module SOCKS;
 export {
 	redef enum Log::ID += { LOG };
 
+	## Whether passwords are captured or not.
+	const default_capture_password = F &redef;
+
 	## The record type which contains the fields of the SOCKS log.
 	type Info: record {
 		## Time when the proxy connection was first detected.
-		ts:          time            &log;
+		ts:               time            &log;
 		## Unique ID for the tunnel - may correspond to connection uid
 		## or be non-existent.
-		uid:         string          &log;
+		uid:              string          &log;
 		## The connection's 4-tuple of endpoint addresses/ports.
-		id:          conn_id         &log;
+		id:               conn_id         &log;
 		## Protocol version of SOCKS.
-		version:     count           &log;
+		version:          count           &log;
 		## Username used to request a login to the proxy.
-		user:        string          &log &optional;
+		user:             string          &log &optional;
 		## Password used to request a login to the proxy.
-		password:    string          &log &optional;
+		password:         string          &log &optional;
 		## Server status for the attempt at using the proxy.
-		status:      string          &log &optional;
+		status:           string          &log &optional;
 		## Client requested SOCKS address. Could be an address, a name
 		## or both.
-		request:     SOCKS::Address  &log &optional;
+		request:          SOCKS::Address  &log &optional;
 		## Client requested port.
-		request_p:   port            &log &optional;
+		request_p:        port            &log &optional;
 		## Server bound address. Could be an address, a name or both.
-		bound:       SOCKS::Address  &log &optional;
+		bound:            SOCKS::Address  &log &optional;
 		## Server bound port.
-		bound_p:     port            &log &optional;
+		bound_p:          port            &log &optional;
+		## Determines if the password will be captured for this request.
+		capture_password: bool            &default=default_capture_password;
 	};
 
 	## Event that can be handled to access the SOCKS
@@ -90,10 +95,12 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
 event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5
 	{
 	# Authentication only possible with the version 5.
-	set_session(c, 5); 
+	set_session(c, 5);
 
 	c$socks$user = user;
-	c$socks$password = password;
+
+	if ( c$socks$capture_password )
+		c$socks$password = password;
 	}
 
 event socks_login_userpass_reply(c: connection, code: count) &priority=5

testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	socks
+#open	2017-12-01-22-33-17
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	user	password	status	request.host	request.name	request_p	bound.host	bound.name	bound_p
+#types	time	string	addr	port	addr	port	count	string	string	string	addr	string	port	addr	string	port
+1368517392.724989	CHhAvVGS1DHFjwGM9	192.168.0.2	55951	192.168.0.1	1080	5	bob	-	succeeded	192.168.0.2	-	22	192.168.0.1	-	55951
+#close	2017-12-01-22-33-17

testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2017-12-01-22-33-17
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1368517392.728523	-	192.168.0.2	0	192.168.0.1	1080	Tunnel::SOCKS	Tunnel::DISCOVER
+#close	2017-12-01-22-33-17

testing/btest/scripts/base/protocols/socks/socks-auth.bro

@@ -3,3 +3,9 @@
 # @TEST-EXEC: btest-diff tunnel.log
 
 @load base/protocols/socks
+
+redef SOCKS::default_capture_password = T;
+
+@TEST-START-NEXT
+
+@load base/protocols/socks