Project

General

Profile

Actions

Feature #4965

open

protocol: SOCKS support

Added by Peter Fyon almost 3 years ago. Updated 9 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Protocol

Description

Related issue: https://redmine.openinfosecfoundation.org/issues/2513

Suricata should apply application layer protocol parsers to protocols being tunneled through SOCKS.

Currently, an HTTP request being proxied through a SOCKS tunnel does not get recognized by the HTTP application layer parser. In my opinion, an HTTP request through a tunnel is still an HTTP request and should match against http.* keywords.

Likely there will need to be some keyword(s) to control this behaviour, eg. such that a signature writer could bypass the tunnel decapsulation and match traffic that pretends to be SOCKS but is not.

Ideally, this feature could be expanded in the future to apply to other types of tunneling protocols.


Files


Related issues 1 (1 open0 closed)

Related to Suricata - Feature #2513: Suricata read the SSLProxy header FeedbackCommunity TicketActions
Actions #1

Updated by Brandon Murphy 9 months ago

attached pcap of malware using SOCKS proxy. We're not able to use http protocol on this and instead forced to do unbuffered content matches.

reference: https://app.any.run/tasks/aa391f05-780d-4a98-a520-eff3a436b3cf

Note: Within wireshark, i had to set the SOCKS port to 9200 (default i think was 1080). Once I did that, everything decoded correctly.

Actions #2

Updated by Philippe Antoine 6 months ago

  • Related to Feature #2513: Suricata read the SSLProxy header added
Actions #3

Updated by Philippe Antoine 6 months ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #4

Updated by Victor Julien 11 days ago

  • Subject changed from Suricata should detect application layer protocol underneath SOCKS to protocol: SOCKS support
  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 8.0.0-beta1
Actions #5

Updated by Victor Julien 9 days ago

Actions

Also available in: Atom PDF