Feature #4965
openSuricata should detect application layer protocol underneath SOCKS
Description
Related issue: https://redmine.openinfosecfoundation.org/issues/2513
Suricata should apply application layer protocol parsers to protocols being tunneled through SOCKS.
Currently, an HTTP request being proxied through a SOCKS tunnel does not get recognized by the HTTP application layer parser. In my opinion, an HTTP request through a tunnel is still an HTTP request and should match against http.* keywords.
Likely there will need to be some keyword(s) to control this behaviour, eg. such that a signature writer could bypass the tunnel decapsulation and match traffic that pretends to be SOCKS but is not.
Ideally, this feature could be expanded in the future to apply to other types of tunneling protocols.
Files
Updated by Brandon Murphy 26 days ago
- File aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap added
attached pcap of malware using SOCKS proxy. We're not able to use http protocol on this and instead forced to do unbuffered content matches.
reference: https://app.any.run/tasks/aa391f05-780d-4a98-a520-eff3a436b3cf
Note: Within wireshark, i had to set the SOCKS port to 9200 (default i think was 1080). Once I did that, everything decoded correctly.