mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Merge remote-tracking branch 'origin/topic/awelzel/3099-fix-and-extend-socks5-sig'
* origin/topic/awelzel/3099-fix-and-extend-socks5-sig:
socks/dpd: Add newer auth methods
socks/dpd: Fix socks5_server side signature
(cherry picked from commit c389d9804b)
This commit is contained in:
Tim Wojtulewicz
parent
e41a5c3a93
commit
b34e70e6cd
7 changed files with 63 additions and 5 deletions
26
CHANGES
26
CHANGES
|
|
@ -1,3 +1,29 @@
|
||||||
|
6.0.0-rc1.3 | 2023-06-12 11:00:53 -0700
|
||||||
|
|
||||||
|
* socks/dpd: Add newer auth methods (Arne Welzel, Corelight)
|
||||||
|
|
||||||
|
The IANA has allocated a few more authentication methods, minimally
|
||||||
|
extend the signature to catch those.
|
||||||
|
|
||||||
|
* socks/dpd: Fix socks5_server side signature (Arne Welzel, Corelight)
|
||||||
|
|
||||||
|
The server replies with \x05 and identifier for the chosen method.
|
||||||
|
Not quite sure what the previous signature meant capture.
|
||||||
|
|
||||||
|
See also: https://datatracker.ietf.org/doc/html/rfc1928#section-3
|
||||||
|
|
||||||
|
* ci/windows: choco --localonly is gone (Arne Welzel, Corelight)
|
||||||
|
|
||||||
|
choco 2.0 is now used after some caching changes on the Cirrus side [1]
|
||||||
|
and the --localonly flag is gone from choco [2], remove its usage.
|
||||||
|
|
||||||
|
[1] https://github.com/cirruslabs/cirrus-ci-docs/issues/1174#issuecomment-1580928673
|
||||||
|
[2] https://docs.chocolatey.org/en-us/guides/upgrading-to-chocolatey-v2-v6#the-list-command-now-lists-local-packages-only-and-the-local-only-and-lo-options-have-been-removed
|
||||||
|
|
||||||
|
(cherry picked from commit 528e27e542b7641241e3d531b654f77ee09bcfea)
|
||||||
|
|
||||||
|
* Update link to slack in README.md (Tim Wojtulewicz, Corelight)
|
||||||
|
|
||||||
6.0.0-rc1 | 2023-05-31 12:05:27 +0200
|
6.0.0-rc1 | 2023-05-31 12:05:27 +0200
|
||||||
|
|
||||||
* Update broker submodule to 2.6.0 release tag [nomail] [skip ci] (Tim Wojtulewicz, Corelight)
|
* Update broker submodule to 2.6.0 release tag [nomail] [skip ci] (Tim Wojtulewicz, Corelight)
|
||||||
|
|
|
||||||
2
VERSION
2
VERSION
|
|
@ -1 +1 @@
|
||||||
6.0.0-rc1
|
6.0.0-rc1.3
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ signature dpd_socks4_reverse_server {
|
||||||
signature dpd_socks5_client {
|
signature dpd_socks5_client {
|
||||||
ip-proto == tcp
|
ip-proto == tcp
|
||||||
# Watch for a few authentication methods to reduce false positives.
|
# Watch for a few authentication methods to reduce false positives.
|
||||||
payload /^\x05.[\x00\x01\x02]/
|
payload /^\x05.[\x00\x01\x02\x03\x05\x06\x07\x08\x09]/
|
||||||
tcp-state originator
|
tcp-state originator
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -40,9 +40,23 @@ signature dpd_socks5_server {
|
||||||
requires-reverse-signature dpd_socks5_client
|
requires-reverse-signature dpd_socks5_client
|
||||||
# Watch for a single authentication method to be chosen by the server or
|
# Watch for a single authentication method to be chosen by the server or
|
||||||
# the server to indicate the no authentication is required.
|
# the server to indicate the no authentication is required.
|
||||||
payload /^\x05(\x00|\x01[\x00\x01\x02])/
|
# From wikipedia:
|
||||||
|
# 0x00: No authentication
|
||||||
|
# 0x01: GSSAPI (RFC 1961)
|
||||||
|
# 0x02: Username/password (RFC 1929)
|
||||||
|
# 0x03–0x7F: methods assigned by IANA[11]
|
||||||
|
# 0x03: Challenge-Handshake Authentication Protocol
|
||||||
|
# 0x04: Unassigned
|
||||||
|
# 0x05: Challenge-Response Authentication Method
|
||||||
|
# 0x06: Secure Sockets Layer
|
||||||
|
# 0x07: NDS Authentication
|
||||||
|
# 0x08: Multi-Authentication Framework
|
||||||
|
# 0x09: JSON Parameter Block
|
||||||
|
# 0x0A–0x7F: Unassigned
|
||||||
|
# 0x80–0xFE: methods reserved for private use
|
||||||
|
#
|
||||||
|
# Keep in sync with dpd_socks5_client, 0xff is "no acceptable methods"
|
||||||
|
payload /^\x05[\x00\x01\x02\x03\x05\x06\x07\x08\x09\xff]/
|
||||||
tcp-state responder
|
tcp-state responder
|
||||||
enable "socks"
|
enable "socks"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,4 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
id.orig_h id.orig_p id.resp_h id.resp_p service history
|
||||||
|
192.168.0.2 55951 192.168.0.1 10080 socks ShADad
|
||||||
|
192.168.0.1 55951 192.168.0.2 22 - ShA
|
||||||
|
|
@ -0,0 +1,3 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p
|
||||||
|
192.168.0.2 55951 192.168.0.1 10080 5 succeeded 192.168.0.1 - 55951
|
||||||
BIN
testing/btest/Traces/socks-auth-10080.pcap
Normal file
BIN
testing/btest/Traces/socks-auth-10080.pcap
Normal file
Binary file not shown.
|
|
@ -0,0 +1,11 @@
|
||||||
|
# @TEST-DOC: Socks V5 over a non-standard port.
|
||||||
|
|
||||||
|
# @TEST-EXEC: zeek -r $TRACES/socks-auth-10080.pcap %INPUT
|
||||||
|
# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p service history < conn.log > conn.log.cut
|
||||||
|
# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p < socks.log > socks.log.cut
|
||||||
|
# @TEST-EXEC: btest-diff conn.log.cut
|
||||||
|
# @TEST-EXEC: btest-diff socks.log.cut
|
||||||
|
|
||||||
|
@load base/protocols/socks
|
||||||
|
|
||||||
|
redef SOCKS::default_capture_password = T;
|
||||||
Loading…
Add table
Add a link
Reference in a new issue