Merge remote-tracking branch 'origin/topic/awelzel/3099-fix-and-extend-socks5-sig'

* origin/topic/awelzel/3099-fix-and-extend-socks5-sig:
  socks/dpd: Add newer auth methods
  socks/dpd: Fix socks5_server side signature

(cherry picked from commit c389d9804b)

CHANGES

@@ -1,3 +1,29 @@
+6.0.0-rc1.3 | 2023-06-12 11:00:53 -0700
+
+  * socks/dpd: Add newer auth methods (Arne Welzel, Corelight)
+
+    The IANA has allocated a few more authentication methods, minimally
+    extend the signature to catch those.
+
+  * socks/dpd: Fix socks5_server side signature (Arne Welzel, Corelight)
+
+    The server replies with \x05 and identifier for the chosen method.
+    Not quite sure what the previous signature meant capture.
+
+    See also: https://datatracker.ietf.org/doc/html/rfc1928#section-3
+
+  * ci/windows: choco --localonly is gone (Arne Welzel, Corelight)
+
+    choco 2.0 is now used after some caching changes on the Cirrus side [1]
+    and the --localonly flag is gone from choco [2], remove its usage.
+
+    [1] https://github.com/cirruslabs/cirrus-ci-docs/issues/1174#issuecomment-1580928673
+    [2] https://docs.chocolatey.org/en-us/guides/upgrading-to-chocolatey-v2-v6#the-list-command-now-lists-local-packages-only-and-the-local-only-and-lo-options-have-been-removed
+
+    (cherry picked from commit 528e27e542b7641241e3d531b654f77ee09bcfea)
+
+  * Update link to slack in README.md (Tim Wojtulewicz, Corelight)
+
 6.0.0-rc1 | 2023-05-31 12:05:27 +0200
 
   * Update broker submodule to 2.6.0 release tag [nomail] [skip ci] (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-6.0.0-rc1
+6.0.0-rc1.3

scripts/base/protocols/socks/dpd.sig

@@ -31,7 +31,7 @@ signature dpd_socks4_reverse_server {
 signature dpd_socks5_client {
 	ip-proto == tcp
 	# Watch for a few authentication methods to reduce false positives.
-	payload /^\x05.[\x00\x01\x02]/
+	payload /^\x05.[\x00\x01\x02\x03\x05\x06\x07\x08\x09]/
 	tcp-state originator
 }
 
@@ -40,9 +40,23 @@ signature dpd_socks5_server {
 	requires-reverse-signature dpd_socks5_client
 	# Watch for a single authentication method to be chosen by the server or
 	# the server to indicate the no authentication is required.
-	payload /^\x05(\x00|\x01[\x00\x01\x02])/
+	# From wikipedia:
+	# 0x00: No authentication
+	# 0x01: GSSAPI (RFC 1961)
+	# 0x02: Username/password (RFC 1929)
+	# 0x03–0x7F: methods assigned by IANA[11]
+	# 0x03: Challenge-Handshake Authentication Protocol
+	# 0x04: Unassigned
+	# 0x05: Challenge-Response Authentication Method
+	# 0x06: Secure Sockets Layer
+	# 0x07: NDS Authentication
+	# 0x08: Multi-Authentication Framework
+	# 0x09: JSON Parameter Block
+	# 0x0A–0x7F: Unassigned
+	# 0x80–0xFE: methods reserved for private use
+	#
+	# Keep in sync with dpd_socks5_client, 0xff is "no acceptable methods"
+	payload /^\x05[\x00\x01\x02\x03\x05\x06\x07\x08\x09\xff]/
 	tcp-state responder
 	enable "socks"
 }
-
-

testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut

@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+id.orig_h	id.orig_p	id.resp_h	id.resp_p	service	history
+192.168.0.2	55951	192.168.0.1	10080	socks	ShADad
+192.168.0.1	55951	192.168.0.2	22	-	ShA

testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	status	bound.host	bound.name	bound_p
+192.168.0.2	55951	192.168.0.1	10080	5	succeeded	192.168.0.1	-	55951

testing/btest/scripts/base/protocols/socks/socks-auth-10080.zeek

@@ -0,0 +1,11 @@
+# @TEST-DOC: Socks V5 over a non-standard port.
+
+# @TEST-EXEC: zeek -r $TRACES/socks-auth-10080.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p service history < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p < socks.log > socks.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff socks.log.cut
+
+@load base/protocols/socks
+
+redef SOCKS::default_capture_password = T;