socks/dpd: Fix socks5_server side signature

The server replies with \x05 and identifier for the chosen method.
Not quite sure what the previous signature meant capture.

See also: https://datatracker.ietf.org/doc/html/rfc1928#section-3

Closes #3099.

scripts/base/protocols/socks/dpd.sig

@@ -40,9 +40,7 @@ signature dpd_socks5_server {
 	requires-reverse-signature dpd_socks5_client
 	# Watch for a single authentication method to be chosen by the server or
 	# the server to indicate the no authentication is required.
-	payload /^\x05(\x00|\x01[\x00\x01\x02])/
+	payload /^\x05[\x00\x01\x02\xff]/
 	tcp-state responder
 	enable "socks"
 }
-
-

testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/conn.log.cut

@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+id.orig_h	id.orig_p	id.resp_h	id.resp_p	service	history
+192.168.0.2	55951	192.168.0.1	10080	socks	ShADad
+192.168.0.1	55951	192.168.0.2	22	-	ShA

testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-10080/socks.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	status	bound.host	bound.name	bound_p
+192.168.0.2	55951	192.168.0.1	10080	5	succeeded	192.168.0.1	-	55951

testing/btest/scripts/base/protocols/socks/socks-auth-10080.zeek

@@ -0,0 +1,11 @@
+# @TEST-DOC: Socks V5 over a non-standard port.
+
+# @TEST-EXEC: zeek -r $TRACES/socks-auth-10080.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p service history < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m id.orig_h id.orig_p id.resp_h id.resp_p version status bound.host bound.name bound_p < socks.log > socks.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff socks.log.cut
+
+@load base/protocols/socks
+
+redef SOCKS::default_capture_password = T;