Return of Robin's old SOCKS analyzer/decapsulator and tunnel code checkpoint.

- More discussion is needed to figure out how to integrate the SOCKS analyzer best.

- Tunnels framework now logs for the SOCKS analyzer.

scripts/base/frameworks/dpd/dpd.sig

@@ -155,3 +155,34 @@ signature dpd_ssl_client {
 #  payload /^..\x11\x29/
 #  enable "ayiya"
 #}
+
+signature dpd_socks_client {
+	ip-proto == tcp
+	# '32' is a rather arbitrary max length for the user name.
+	payload /^\x04[\x01\x02].{0,32}\x00/
+	tcp-state originator
+}
+
+signature dpd_socks_server {
+	ip-proto == tcp
+	requires-reverse-signature dpd_socks_client
+	payload /^\x00[\x5a\x5b\x5c\x5d]/
+	tcp-state responder
+	enable "socks"
+}
+
+signature dpd_socks_reverse_client {
+	ip-proto == tcp
+	# '32' is a rather arbitrary max length for the user name.
+	payload /^\x04[\x01\x02].{0,32}\x00/
+	tcp-state responder
+}
+
+signature dpd_socks_reverse_server {
+	ip-proto == tcp
+	requires-reverse-signature dpd_socks_client
+	payload /^\x00[\x5a\x5b\x5c\x5d]/
+	tcp-state originator
+	enable "socks"
+}
+

scripts/base/frameworks/tunnels/__load__.bro

@@ -1 +1,4 @@
-@load ./main
+@load ./main
+
+const ports = { 5072/udp } &redef;
+redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ports] };

scripts/base/frameworks/tunnels/main.bro

@@ -1,8 +1,53 @@
 module Tunnels;
 
 export {
-
+	redef enum Log::ID += { LOG };
+	
+	type Action: enum {
+		DISCOVER,
+		CLOSE,
+	};
+	
+	type Info: record {
+		ts:          time    &log;
+		uid:         string  &log;
+		id:          conn_id &log;
+		action:      Action  &log;
+		tunnel_type: string  &log;
+		user:        string  &log &optional;
+	};
+	
+	global register: function(c: connection, tunnel_type: string);
+	
+	global active: table[conn_id] of Tunnels::Info = table();
 }
 
-const ports = { 5072/udp } &redef;
-redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ports] };
+event bro_init() &priority=5
+	{
+	Log::create_stream(Tunnels::LOG, [$columns=Info]);
+	}
+
+function register(c: connection, tunnel_type: string)
+	{
+	local tunnel: Info;
+	tunnel$ts = network_time();
+	tunnel$uid = c$uid;
+	tunnel$id = c$id;
+	tunnel$action = DISCOVER;
+	tunnel$tunnel_type = tunnel_type;
+	
+	active[c$id] = tunnel;
+	Log::write(LOG, tunnel);
+	}
+	
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c$id in active )
+		{
+		local tunnel = active[c$id];
+		tunnel$action=CLOSE;
+		Log::write(LOG, tunnel);
+		
+		delete active[c$id];
+		}
+	}