SOCKS DPD fixes.

- Restricted the SOCKS 5 DPD signatures further. - Added protocol violations.
2025-10-08 17:48:21 +00:00 · 2012-06-20 15:12:52 -04:00 · 2012-06-20 15:12:52 -04:00 · f59736cb17
commit f59736cb17
parent 886cc7368f
4 changed files with 37 additions and 4 deletions
--- a/scripts/base/frameworks/dpd/dpd.sig
+++ b/scripts/base/frameworks/dpd/dpd.sig
@ -194,14 +194,16 @@ signature dpd_socks4_reverse_server {
 signature dpd_socks5_client {
 	ip-proto == tcp
-	payload /^\x05/
+	# Watch for a few authentication methods to reduce false positives.
 	payload /^\x05.[\x00\x01\x02]/
 	tcp-state originator
 }
 signature dpd_socks5_server {
 	ip-proto == tcp
 	requires-reverse-signature dpd_socks5_client
-	payload /^\x05/
+	# Watch for a single authentication method to be chosen by the server.
 	payload /^\x05\x01[\x00\x01\x02]/
 	tcp-state responder
 	enable "socks"
 }
--- a/scripts/base/protocols/socks/consts.bro
+++ b/scripts/base/protocols/socks/consts.bro
@ -11,7 +11,6 @@ export {
 		[1] = "GSSAPI",
 		[2] = "Username/Password",
 		[3] = "Challenge-Handshake Authentication Protocol",
 		[4] = "Unassigned",
 		[5] = "Challenge-Response Authentication Method",
 		[6] = "Secure Sockets Layer",
 		[7] = "NDS Authentication",
--- a/src/socks-analyzer.pac
+++ b/src/socks-analyzer.pac
@ -22,6 +22,7 @@ refine connection SOCKS_Conn += {
 	function socks4_request(request: SOCKS4_Request): bool
 		%{
 		StringVal *dstname = 0;
 		if ( ${request.v4a} )
 			dstname = array_to_string(${request.name});
@ -59,6 +60,12 @@ refine connection SOCKS_Conn += {
 	function socks5_request(request: SOCKS5_Request): bool
 		%{
 		if ( ${request.reserved} != 0 )
 			{
 			bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
 			return false;
 			}
 		AddrVal *ip_addr = 0;
 		StringVal *domain_name = 0;
@ -77,6 +84,11 @@ refine connection SOCKS_Conn += {
 			case 4:
 				ip_addr = new AddrVal(IPAddr(IPv6, (const uint32_t*) ${request.remote_name.ipv6}, IPAddr::Network));
 				break;
 			default:
 				bro_analyzer()->ProtocolViolation(fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
 				return false;
 				break;
 			}
 		if ( ! ip_addr )
@ -118,6 +130,11 @@ refine connection SOCKS_Conn += {
 			case 4:
 				ip_addr = new AddrVal(IPAddr(IPv6, (const uint32_t*) ${reply.bound.ipv6}, IPAddr::Network));
 				break;
 			default:
 				bro_analyzer()->ProtocolViolation(fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
 				return false;
 				break;
 			}
 		if ( ! ip_addr )
@ -138,6 +155,17 @@ refine connection SOCKS_Conn += {
 		return true;
 		%}
 	function version_error(version: uint8): bool
 		%{
 		bro_analyzer()->ProtocolViolation(fmt("unsupported/unknown SOCKS version %d", version));
 		return true;
 		%}
 };
 refine typeattr SOCKS_Version_Error += &let {
 	proc: bool = $context.connection.version_error(version);
 };
 refine typeattr SOCKS4_Request += &let {
--- a/src/socks-protocol.pac
+++ b/src/socks-protocol.pac
@ -4,10 +4,14 @@ type SOCKS_Version(is_orig: bool) = record {
 	msg:     case version of {
 		4       -> socks4_msg:     SOCKS4_Message(is_orig);
 		5       -> socks5_msg:     SOCKS5_Message(is_orig);
-		default -> socks_msg_fail: empty;
+		default -> socks_msg_fail: SOCKS_Version_Error(version);
 	};
 };
 type SOCKS_Version_Error(version: uint8) = record {
 	nothing: empty;
 };
 # SOCKS5 Implementation
 type SOCKS5_Message(is_orig: bool) = case $context.connection.v5_past_authentication() of {
 	true  -> msg:  SOCKS5_Real_Message(is_orig);