Feature #4965: Suricata should detect application layer protocol underneath SOCKS - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #4965

open

Suricata should detect application layer protocol underneath SOCKS

Added by Peter Fyon over 2 years ago. Updated about 1 month ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

Effort:

Difficulty:

Label:

Protocol

Description

Related issue: https://redmine.openinfosecfoundation.org/issues/2513

Suricata should apply application layer protocol parsers to protocols being tunneled through SOCKS.

Currently, an HTTP request being proxied through a SOCKS tunnel does not get recognized by the HTTP application layer parser. In my opinion, an HTTP request through a tunnel is still an HTTP request and should match against http.* keywords.

Likely there will need to be some keyword(s) to control this behaviour, eg. such that a signature writer could bypass the tunnel decapsulation and match traffic that pretends to be SOCKS but is not.

Ideally, this feature could be expanded in the future to apply to other types of tunneling protocols.

Files

aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap (121 KB) aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap

Brandon Murphy, 03/25/2024 03:47 AM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #4965

Suricata should detect application layer protocol underneath SOCKS

Updated by Brandon Murphy about 1 month ago