Feature #4965: protocol: SOCKS support

Added by Peter Fyon over 4 years ago. Updated 1 day ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label: Protocol

Description

Related issue: https://redmine.openinfosecfoundation.org/issues/2513

Suricata should apply application layer protocol parsers to protocols being tunneled through SOCKS.

Currently, an HTTP request being proxied through a SOCKS tunnel does not get recognized by the HTTP application layer parser. In my opinion, an HTTP request through a tunnel is still an HTTP request and should match against http.* keywords.

Likely there will need to be some keyword(s) to control this behaviour, e.g. such that a signature writer could bypass the tunnel decapsulation and match traffic that pretends to be SOCKS but is not.

Ideally, this feature could be expanded in the future to apply to other types of tunneling protocols.
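As an added example (not code from the ticket or from Suricata), the following Python shows the decapsulation step the request describes: peel the SOCKS5 method-selection greeting and CONNECT request (RFC 1928) off the client-to-server stream, then check whether the remaining bytes are an HTTP request that an inner parser could take over. It assumes the server selected the no-authentication method, so no auth sub-negotiation sits between greeting and request, and the sample stream is constructed.

```python
import struct

# Added example, not Suricata code: strip the SOCKS5 client-side handshake
# (RFC 1928) so the tunneled bytes can be handed to an inner-protocol parser.
# Client->server direction only; assumes the server picked method 0x00
# (no authentication), so the CONNECT request follows the greeting directly.

def strip_socks5_client(data: bytes):
    """Return (inner_payload, (host, port)) or raise ValueError."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 method-selection greeting")
    off = 2 + data[1]                      # skip VER, NMETHODS, METHODS[]
    if len(data) < off + 4 or data[off] != 0x05 or data[off + 1] != 0x01:
        raise ValueError("no SOCKS5 CONNECT request after greeting")
    atyp = data[off + 3]
    off += 4                               # VER, CMD, RSV, ATYP
    if atyp == 0x01:                       # IPv4 address
        host, off = ".".join(str(b) for b in data[off:off + 4]), off + 4
    elif atyp == 0x03:                     # length-prefixed domain name
        n = data[off]
        host, off = data[off + 1:off + 1 + n].decode("ascii"), off + 1 + n
    elif atyp == 0x04:                     # IPv6 address
        host, off = data[off:off + 16].hex(), off + 16
    else:
        raise ValueError(f"unknown SOCKS5 ATYP {atyp:#x}")
    if len(data) < off + 2:
        raise ValueError("truncated DST.PORT")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return data[off + 2:], (host, port)    # everything after DST.PORT is tunneled

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def looks_like_http_request(payload: bytes) -> bool:
    """Cheap request-line check standing in for a real HTTP parser."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))

# Constructed sample stream: greeting offering no-auth, CONNECT example.com:80,
# then a plain HTTP request riding inside the tunnel.
SAMPLE = (b"\x05\x01\x00"
          + b"\x05\x01\x00\x03" + bytes([len(b"example.com")]) + b"example.com" + b"\x00\x50"
          + b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

if __name__ == "__main__":
    inner, dest = strip_socks5_client(SAMPLE)
    # The raw stream fails the HTTP check; the decapsulated payload passes it.
    print(dest, looks_like_http_request(SAMPLE), looks_like_http_request(inner))
```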

Related issues (1 open, 0 closed)

Related to Suricata - Feature #2513: sslproxy: handle HTTP header

#1 Updated by Brandon Murphy about 2 years ago

Attached a pcap of malware using a SOCKS proxy. We're not able to use the http protocol on this and are instead forced to do unbuffered content matches.

reference: https://app.any.run/tasks/aa391f05-780d-4a98-a520-eff3a436b3cf

Note: Within Wireshark, I had to set the SOCKS port to 9200 (the default, I think, was 1080). Once I did that, everything decoded correctly.

#2 Updated by Philippe Antoine almost 2 years ago

#3 Updated by Philippe Antoine almost 2 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

#4 Updated by Victor Julien over 1 year ago

  • Subject changed from Suricata should detect application layer protocol underneath SOCKS to protocol: SOCKS support
  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 8.0.0-beta1

#5 Updated by Victor Julien over 1 year ago

#6 Updated by Victor Julien over 1 year ago

  • Priority changed from Normal to Low

#7 Updated by Victor Julien about 1 year ago

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1

#8 Updated by Victor Julien 1 day ago

  • Status changed from In Progress to Assigned
  • Priority changed from Low to Normal