From d6ca1ec4f62704758c22dad9260c28c161ea9c0c Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 5 Jun 2023 13:34:42 +0200
Subject: [PATCH] socks/dpd: Fix socks5_server side signature
The server replies with \x05 and identifier for the chosen method. Not quite sure what the previous signature meant capture. See also: https://datatracker.ietf.org/doc/html/rfc1928#section-3 Closes #3099.
---
 scripts/base/protocols/socks/dpd.sig | 4 +---
 .../conn.log.cut | 4 ++++
 .../socks.log.cut | 3 +++
 testing/btest/Traces/socks-auth-10080.pcap | Bin 0 -> 1326 bytes
 .../base/protocols/socks/socks-auth-10080.zeek | 11 +++++++++++
 5 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut
 create mode 100644 testing/btest/Traces/socks-auth-10080.pcap
 create mode 100644 testing/btest/scripts/base/protocols/socks/socks-auth-10080.zeek
diff --git a/scripts/base/protocols/socks/dpd.sig b/scripts/base/protocols/socks/dpd.sig
index 3dcd7a945a..808a8bb12a 100644
--- a/scripts/base/protocols/socks/dpd.sig
+++ b/scripts/base/protocols/socks/dpd.sig
@@ -40,9 +40,7 @@ signature dpd_socks5_server {
 requires-reverse-signature dpd_socks5_client
 # Watch for a single authentication method to be chosen by the server or
 # the server to indicate the no authentication is required.
- payload /^\x05(\x00|\x01[\x00\x01\x02])/
+ payload /^\x05[\x00\x01\x02\xff]/
 tcp-state responder
 enable "socks"
 }
-
-
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut
new file mode 100644
index 0000000000..640346b6bc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut
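Review bot: The two context comment lines just above the new `payload` line are now stale: they still describe only "a single authentication method chosen" or "no authentication required", while the new pattern `/^\x05[\x00\x01\x02\xff]/` also matches `\xff`, which per RFC 1928 §3 is the server rejecting every method the client offered. Suggest replacing them with `# Watch for the server's METHOD selection (RFC 1928 §3): no authentication (0x00),` and `# GSSAPI (0x01), username/password (0x02), or no acceptable methods (0xff).` A third line noting that IANA-assigned (0x03-0x7f) and private (0x80-0xfe) methods are deliberately not matched would tell a later reader that a server choosing one of those will not get the SOCKS analyzer attached and that this was intentional rather than an oversight. The `signature dpd_socks5_server {` line that opens this block sits outside the hunk, in the header context only.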
@@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +id.orig_h id.orig_p id.resp_h id.resp_p service history +192.168.0.2 55951 192.168.0.1 10080 socks ShADad +192.168.0.1 55951 192.168.0.2 22 - ShA diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut new file mode 100644 index 0000000000..22eed48205 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p +192.168.0.2 55951 192.168.0.1 10080 5 succeeded 192.168.0.1 - 55951 diff --git a/testing/btest/Traces/socks-auth-10080.pcap b/testing/btest/Traces/socks-auth-10080.pcap new file mode 100644 index 0000000000000000000000000000000000000000..87201352230b11b3a9f240db1708261f25a678a9 GIT binary patch literal 1326 zcmaKsPiPZC6o=pJ>^5uH)>tLfP!ILsE($_SELjb05hW-s;@Llqtt|>t@#0BvPf}Q6 zlS>cw(%_|1<3U95q*x(`pb)emF(>gR9z5xxNqleOgq|7~N zq;<_TcSQg+-FTsE<{(&yEA*Ukt`nJmP{@MW<`Wr!$gge?mFRY^7G#$XG?89dA4%u$ zC&Of?OmrlR%yZQUoW?Iv^<+-@mqq6NU6~6=Z+TH(`1%VovcGvPr%YMhx(QjNQS}gA z|B4_E_a%<ke?&X=kZ>wL!c>qLCJ z+k!I~l1eUAN9shv6~q&LiKFTKMzKTOA)+BtJ{-2fDb+2I@~?{KN4lC{%`V58(D^_z zZNTPtC}m@h1+$otsz>LPKPQL-eTk^^$5EBY`26j8%{)XW!_o conn.log.cut +# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p < socks.log > socks.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: btest-diff socks.log.cut + +@load base/protocols/socks + +redef SOCKS::default_capture_password = T;