Actions
Feature #4965
openprotocol: SOCKS support
Effort:
Difficulty:
Label:
Protocol
Description
Related issue: https://redmine.openinfosecfoundation.org/issues/2513
Suricata should apply application layer protocol parsers to protocols being tunneled through SOCKS.
Currently, an HTTP request being proxied through a SOCKS tunnel does not get recognized by the HTTP application layer parser. In my opinion, an HTTP request through a tunnel is still an HTTP request and should match against http.* keywords.
Likely there will need to be some keyword(s) to control this behaviour, eg. such that a signature writer could bypass the tunnel decapsulation and match traffic that pretends to be SOCKS but is not.
Ideally, this feature could be expanded in the future to apply to other types of tunneling protocols.
Files
Updated by Philippe Antoine 12 months ago
- Related to Feature #2513: Suricata read the SSLProxy header added
Updated by Victor Julien 6 months ago
- Subject changed from Suricata should detect application layer protocol underneath SOCKS to protocol: SOCKS support
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 8.0.0-beta1
Actions