From b34e70e6cd24532a75d1d6d9068d0731d1baa61c Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 12 Jun 2023 10:56:55 -0700 Subject: [PATCH] Merge remote-tracking branch 'origin/topic/awelzel/3099-fix-and-extend-socks5-sig' * origin/topic/awelzel/3099-fix-and-extend-socks5-sig: socks/dpd: Add newer auth methods socks/dpd: Fix socks5_server side signature (cherry picked from commit c389d9804bf06154ba7683d46c5ba93b6590c2cc) --- CHANGES | 26 ++++++++++++++++++ VERSION | 2 +- scripts/base/protocols/socks/dpd.sig | 22 ++++++++++++--- .../conn.log.cut | 4 +++ .../socks.log.cut | 3 ++ testing/btest/Traces/socks-auth-10080.pcap | Bin 0 -> 1326 bytes .../protocols/socks/socks-auth-10080.zeek | 11 ++++++++ 7 files changed, 63 insertions(+), 5 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut create mode 100644 testing/btest/Traces/socks-auth-10080.pcap create mode 100644 testing/btest/scripts/base/protocols/socks/socks-auth-10080.zeek
diff --git a/CHANGES b/CHANGES
index fd9ad79e4e..add8957498 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,29 @@
+6.0.0-rc1.3 | 2023-06-12 11:00:53 -0700
+
+ * socks/dpd: Add newer auth methods (Arne Welzel, Corelight)
+
+ The IANA has allocated a few more authentication methods, minimally
+ extend the signature to catch those.
+
+ * socks/dpd: Fix socks5_server side signature (Arne Welzel, Corelight)
+
+ The server replies with \x05 and identifier for the chosen method.
+ Not quite sure what the previous signature meant capture.
+
+ See also: https://datatracker.ietf.org/doc/html/rfc1928#section-3
+
+ * ci/windows: choco --localonly is gone (Arne Welzel, Corelight)
+
+ choco 2.0 is now used after some caching changes on the Cirrus side [1]
+ and the --localonly flag is gone from choco [2], remove its usage.
+
+ [1] https://github.com/cirruslabs/cirrus-ci-docs/issues/1174#issuecomment-1580928673
+ [2] https://docs.chocolatey.org/en-us/guides/upgrading-to-chocolatey-v2-v6#the-list-command-now-lists-local-packages-only-and-the-local-only-and-lo-options-have-been-removed
+
+ (cherry picked from commit 528e27e542b7641241e3d531b654f77ee09bcfea)
+
+ * Update link to slack in README.md (Tim Wojtulewicz, Corelight)
+
 6.0.0-rc1 | 2023-05-31 12:05:27 +0200
 * Update broker submodule to 2.6.0 release tag [nomail] [skip ci] (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 3f76b8391b..13aabaa614 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.0.0-rc1
+6.0.0-rc1.3
diff --git a/scripts/base/protocols/socks/dpd.sig b/scripts/base/protocols/socks/dpd.sig
index 3dcd7a945a..8b58574b07 100644
--- a/scripts/base/protocols/socks/dpd.sig
+++ b/scripts/base/protocols/socks/dpd.sig
@@ -31,7 +31,7 @@ signature dpd_socks4_reverse_server {
 signature dpd_socks5_client {
 ip-proto == tcp
 # Watch for a few authentication methods to reduce false positives.
- payload /^\x05.[\x00\x01\x02]/
+ payload /^\x05.[\x00\x01\x02\x03\x05\x06\x07\x08\x09]/
 tcp-state originator
 }
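Review bot: On the new payload line the NMETHODS byte is still matched with `.`, so it is not validated at all: a greeting that offers zero methods (`\x05\x00...`) matches, and if Zeek compiles signature regexes with the default `.` that excludes `\n`, a client offering exactly ten methods (NMETHODS = `\x0a`) is silently missed — please confirm the engine's behaviour here. An explicit class removes both questions: `payload /^\x05[\x01-\xff][\x00\x01\x02\x03\x05\x06\x07\x08\x09]/`. The comment should also say that only the first offered method is inspected, e.g. `# Only the first offered method is checked; a client listing an unassigned or private-use (0x80-0xfe) method first is not detected.`, because this is a false-positive filter rather than a security control and a client can order its method list to evade it.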
@@ -40,9 +40,23 @@ signature dpd_socks5_server {
 requires-reverse-signature dpd_socks5_client
 # Watch for a single authentication method to be chosen by the server or
 # the server to indicate the no authentication is required.
- payload /^\x05(\x00|\x01[\x00\x01\x02])/
+ # From wikipedia:
+ # 0x00: No authentication
+ # 0x01: GSSAPI (RFC 1961)
+ # 0x02: Username/password (RFC 1929)
+ # 0x03–0x7F: methods assigned by IANA[11]
+ # 0x03: Challenge-Handshake Authentication Protocol
+ # 0x04: Unassigned
+ # 0x05: Challenge-Response Authentication Method
+ # 0x06: Secure Sockets Layer
+ # 0x07: NDS Authentication
+ # 0x08: Multi-Authentication Framework
+ # 0x09: JSON Parameter Block
+ # 0x0A–0x7F: Unassigned
+ # 0x80–0xFE: methods reserved for private use
+ #
+ # Keep in sync with dpd_socks5_client, 0xff is "no acceptable methods"
+ payload /^\x05[\x00\x01\x02\x03\x05\x06\x07\x08\x09\xff]/
 tcp-state responder
 enable "socks"
 }
-
-
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut
new file mode 100644
index 0000000000..640346b6bc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+id.orig_h id.orig_p id.resp_h id.resp_p service history
+192.168.0.2 55951 192.168.0.1 10080 socks ShADad
+192.168.0.1 55951 192.168.0.2 22 - ShA
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut
new file mode 100644
index 0000000000..22eed48205
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut
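Review bot: The comment block above the new payload line cites Wikipedia and carries a stray `[11]` footnote marker on the `0x03–0x7F` line; for a detection signature the reference should be the IANA "SOCKS Methods" registry, e.g. replace `# From wikipedia:` with `# Method identifiers per the IANA "SOCKS Methods" registry (snapshot, 2023); 0x04 and 0x0a-0x7f were unassigned at the time.` and drop the `[11]`. The new payload also accepts `\xff` (no acceptable methods) and then enables the socks analyzer on a handshake that goes no further; that looks intentional for visibility into refused negotiations, but the line `# Keep in sync with dpd_socks5_client, 0xff is "no acceptable methods"` should say so explicitly so it is not removed as a false positive later. Neither side matches the private-use range 0x80–0xfe, so a proxy negotiating a private method is invisible to this DPD; that is a reasonable trade-off against false positives but deserves one line stating it as a known limitation.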
@@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p +192.168.0.2 55951 192.168.0.1 10080 5 succeeded 192.168.0.1 - 55951 diff --git a/testing/btest/Traces/socks-auth-10080.pcap b/testing/btest/Traces/socks-auth-10080.pcap new file mode 100644 index 0000000000000000000000000000000000000000..87201352230b11b3a9f240db1708261f25a678a9 GIT binary patch literal 1326 zcmaKsPiPZC6o=pJ>^5uH)>tLfP!ILsE($_SELjb05hW-s;@Llqtt|>t@#0BvPf}Q6 zlS>cw(%_|1<3U95q*x(`pb)emF(>gR9z5xxNqleOgq|7~N zq;<_TcSQg+-FTsE<{(&yEA*Ukt`nJmP{@MW<`Wr!$gge?mFRY^7G#$XG?89dA4%u$ zC&Of?OmrlR%yZQUoW?Iv^<+-@mqq6NU6~6=Z+TH(`1%VovcGvPr%YMhx(QjNQS}gA z|B4_E_a%<ke?&X=kZ>wL!c>qLCJ z+k!I~l1eUAN9shv6~q&LiKFTKMzKTOA)+BtJ{-2fDb+2I@~?{KN4lC{%`V58(D^_z zZNTPtC}m@h1+$otsz>LPKPQL-eTk^^$5EBY`26j8%{)XW!_o conn.log.cut +# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p < socks.log > socks.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: btest-diff socks.log.cut + +@load base/protocols/socks + +redef SOCKS::default_capture_password = T;