SOCKS DPD fixes.

- Restricted the SOCKS 5 DPD signatures further.

- Added protocol violations.

scripts/base/frameworks/dpd/dpd.sig

@@ -194,14 +194,16 @@ signature dpd_socks4_reverse_server {
 
 signature dpd_socks5_client {
 	ip-proto == tcp
-	payload /^\x05/
+	# Watch for a few authentication methods to reduce false positives.
+	payload /^\x05.[\x00\x01\x02]/
 	tcp-state originator
 }
 
 signature dpd_socks5_server {
 	ip-proto == tcp
 	requires-reverse-signature dpd_socks5_client
-	payload /^\x05/
+	# Watch for a single authentication method to be chosen by the server.
+	payload /^\x05\x01[\x00\x01\x02]/
 	tcp-state responder
 	enable "socks"
 }

scripts/base/protocols/socks/consts.bro

@@ -11,7 +11,6 @@ export {
 		[1] = "GSSAPI",
 		[2] = "Username/Password",
 		[3] = "Challenge-Handshake Authentication Protocol",
-		[4] = "Unassigned",
 		[5] = "Challenge-Response Authentication Method",
 		[6] = "Secure Sockets Layer",
 		[7] = "NDS Authentication",