diff --git a/tests/socks/bug-4965-socks-http-01/aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap b/tests/socks/bug-4965-socks-http-01/aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap
new file mode 100644
index 000000000..61431f3cf
Binary files /dev/null and b/tests/socks/bug-4965-socks-http-01/aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap differ
diff --git a/tests/socks/bug-4965-socks-http-01/test.yaml b/tests/socks/bug-4965-socks-http-01/test.yaml
new file mode 100644
index 000000000..abad899c1
--- /dev/null
+++ b/tests/socks/bug-4965-socks-http-01/test.yaml
@@ -0,0 +1,33 @@
+requires:
+ min-version: 8
+
+args:
+- --set app-layer.protocols.socks.tcp.detection-ports.dp=9200
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: socks
+ socks.auth_methods.request[0]: "No authentication"
+ socks.auth_methods.request[1]: "No authentication"
+ socks.auth_methods.response: "No authentication"
+ - filter:
+ count: 1
+ match:
+ event_type: socks
+ socks.connect.domain: "eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"
+ socks.connect.port: 80
+ socks.connect.response: "Success"
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/stld/2ed742b9631a445a90864552c8b213a9?u=YWRtaW4%3D&p=VVNFUi1QQw%3D%3D&i=ODQuMTcuNDguMTgy&co=R2VybWFueSAoREUp&ci=RnJhbmtmdXJ0IGFtIE1haW4%3D&t=Y2hyaWJvdHM%3D"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: http
+ app_proto_orig: socks
diff --git a/tests/socks/bug-4965-socks-http-03-frames/suricata.yaml b/tests/socks/bug-4965-socks-http-03-frames/suricata.yaml
new file mode 100644
index 000000000..bfcbe79e5
--- /dev/null
+++ b/tests/socks/bug-4965-socks-http-03-frames/suricata.yaml
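Review bot: The `http` check pins `http.url` and `http.status` but never ties the tunneled HTTP transaction back to the SOCKS CONNECT target, which is the protocol hand-off (`app_proto_orig: socks` → `app_proto: http`) this test exists for; if the capture carries a Host header, add `http.hostname: "eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"` to that filter so a regression that starts HTTP parsing at the wrong point in the stream cannot pass. The first `socks` check expects both `socks.auth_methods.request[0]` and `[1]` to be "No authentication"; a one-line comment such as `# the client greeting in this capture offers method 0x00 twice` would stop a later maintainer from "fixing" the duplicate. The `--set app-layer.protocols.socks.tcp.detection-ports.dp=9200` argument also deserves a comment, since 9200 is not a conventional SOCKS port and is presumably the only reason the parser runs on this capture at all.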
@@ -0,0 +1,384 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + exception-policy: + #per-app-proto-errors: false # default: false. True will log errors for + # each app-proto. Warning: VERY verbose + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + # Enable for multi-threaded eve.json output; output files are amended with + # an identifier, e.g., eve.9.json + #threaded: false + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #ethernet: no # log ethernet header in events when available + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish, xadd|stream + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # ## xadd is using a Redis stream. "stream" is an alias for xadd + # key: suricata ## string denoting the key/channel/stream to use (default to suricata) + # stream-maxlen: 100000 ## Automatically trims the stream length to at most + ## this number of events. Set to 0 to disable trimming. + ## Only used when mode is set to xadd/stream. 
+ # stream-trim-exact: false ## Trim exactly to the maximum stream length above. + ## Default: use inexact trimming (inexact by a few + ## tens of items) + ## Only used when mode is set to xadd/stream. + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting should be reserved to high traffic Suricata deployments. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entries to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + # include the name of the input pcap file in pcap file processing mode + pcap-file: false + + # Community Flow ID + # Adds a 'community_id' field to EVE records. These are meant to give + # records a predictable flow ID that can be used to match records to + # output of other tools such as Zeek (Bro). + # + # Takes a 'seed' that needs to be same across sensors and tools + # to make the id less predictable. + + # enable/disable the community id feature. + community-id: false + # Seed value for the ID output. Valid values are 0-65535. + community-id-seed: 0 + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available: "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported: "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported. 
If more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4 KiB # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # payload-length: yes # enable dumping payload length, including the gaps + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # If you want metadata, use: + # metadata: + # Include the decoded application layer (ie. http, dns) + #app-layer: true + # Log the current state of the flow record. + #flow: true + #rule: + # Log the metadata field from the rule in a structured + # format. + #metadata: true + # Log the raw rule text. + #raw: false + #reference: false # include reference information from the rule + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64 + # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + # app layer frames + - frame: + # disabled by default as this is very verbose. 
+ enabled: yes + # payload-buffer-size: 4 KiB # max size of frame payload buffer to output in eve-log + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - http: + extended: yes # enable this for extended logging information + # custom allows additional HTTP fields to be included in eve-log. 
+ # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + # set this value to one and only one from {both, request, response} + # to dump all HTTP headers for every HTTP request and/or response + # dump-all-headers: none + - dns: + # Suricata 8.0 uses a new DNS logging format, to keep with + # the old format while you upgrade the version can be set + # to 2. See https://docs.suricata.io/en/latest/upgrade/8.0-dns-logging-changes.html + #version: 3 + + # Enable/disable this logger. Default: enabled. + #enabled: yes + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # DNS record types to log, based on the query type. + # Default: all. + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom controls which TLS fields that are included in eve-log + # WARNING: enabling custom disables extended logging. + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname, client, client_certificate, client_chain, client_alpns, server_alpns] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. 
+ # Enable logging the final action taken on a packet by the engine + # (will show more information in case of a drop caused by 'reject') + # verdict: yes + - socks + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # Don't log stats counters that are zero. Default: true + #null-values: false # False will NOT log stats counters: 0 + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata + + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. + # This output is experimental, meant for debugging and subject to + # change in both config and output without any notice. + #- stream: + # all: false # log all TCP packets + # event-set: false # log packets that have a decoder/stream event + # state-update: false # log packets triggering a TCP state update + # spurious-retransmission: false # log spurious retransmission packets + + +# Configure the app-layer parsers. +# +# The exception policy error-policy setting applies to all app-layer parsers. +# Values can be "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", +# "reject" or "ignore" (the default). +# +# The protocol's section details each protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + # error-policy: ignore + protocols: + http: + enabled: yes + + # Byte Range Containers default settings + # byterange: + # memcap: 100 MiB + # timeout: 60 + + # memcap: Maximum memory capacity for HTTP + # Default is unlimited, values can be 64 MiB, e.g. 
+ + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # + # For advanced options, see the user guide + + + # server-config: List of server configurations to use if address matches + # address: List of IP addresses or networks for this block + # personality: List of personalities used by this block + # + # Then, all the fields from default-config can be overloaded + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in KiB, MiB, GiB. Just a number indicates + # it's in bytes. + request-body-limit: 100 KiB + response-body-limit: 100 KiB + + # inspection limits + request-body-minimal-inspect-size: 32 KiB + request-body-inspect-window: 4 KiB + response-body-minimal-inspect-size: 40 KiB + response-body-inspect-window: 16 KiB + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Decompress SWF files. Disabled by default. + # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: no + type: both + compress-depth: 100 KiB + decompress-depth: 100 KiB + + # Use a random value for inspection sizes around the specified value. 
+ # This lowers the risk of some evasion techniques but could lead + # to detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If "randomize-inspection-sizes" is active, the value of various + # inspection size will be chosen from the [1 - range%, 1 + range%] + # range + # Default value of "randomize-inspection-range" is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + # Can enable LZMA decompression + #lzma-enabled: false + # Memory limit usage for LZMA decompression dictionary + # Data is decompressed until dictionary reaches this size + #lzma-memlimit: 1 MiB + # Maximum decompressed size with a compression ratio + # above 2048 (only LZMA can reach this ratio, deflate cannot) + #compression-bomb-limit: 1 MiB + # Maximum time spent decompressing a single transaction in usec + #decompression-time-limit: 100000 + # Maximum number of live transactions per flow + #max-tx: 512 + # Maximum used number of HTTP1 headers in one request or response + #headers-limit: 1024 + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in KiB, MiB, GiB. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in KiB, MiB, GiB. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + socks: + enabled: yes diff --git a/tests/socks/bug-4965-socks-http-03-frames/test.rules b/tests/socks/bug-4965-socks-http-03-frames/test.rules new file mode 100644 index 000000000..776f15e7f --- /dev/null +++ b/tests/socks/bug-4965-socks-http-03-frames/test.rules 
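Review bot: The `frame:` logger is switched on (`enabled: yes`) while the comment kept directly above it still says `# disabled by default as this is very verbose.`, so the config now contradicts itself; change the comment to `# enabled for this test: the checks assert on event_type: frame` so the next person trimming eve output does not turn it back off. The `socks:` block at the end of the file only carries `enabled: yes`; the detection port this test depends on is injected from test.yaml via `--set app-layer.protocols.socks.tcp.detection-ports.dp=9200`, so this suricata.yaml on its own will not see the proxy traffic — since the test already ships its own config, consider adding `tcp: detection-ports: dp: 9200` under `socks:` here or at least a comment naming the dependency. `exception-policy:` under `stats:` has only commented-out children and therefore parses as null; Suricata tolerates that upstream default, but it is a bare-key value yamllint will flag if the tests tree is ever linted.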
@@ -0,0 +1,2 @@
+alert socks any any -> any any (frame:pdu; content:"|05|"; startswith; sid:1;)
+alert socks any any -> any any (frame:connect.domain; content:"eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"; startswith; endswith; sid:2;)
diff --git a/tests/socks/bug-4965-socks-http-03-frames/test.yaml b/tests/socks/bug-4965-socks-http-03-frames/test.yaml
new file mode 100644
index 000000000..599477ffa
--- /dev/null
+++ b/tests/socks/bug-4965-socks-http-03-frames/test.yaml
@@ -0,0 +1,41 @@
+requires:
+ min-version: 8
+
+pcap: ../bug-4965-socks-http-01/aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap
+
+args:
+- --set app-layer.protocols.socks.tcp.detection-ports.dp=9200
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: socks
+ socks.auth_methods.request[0]: "No authentication"
+ socks.auth_methods.request[1]: "No authentication"
+ socks.auth_methods.response: "No authentication"
+ - filter:
+ count: 1
+ match:
+ event_type: socks
+ socks.connect.domain: "eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"
+ socks.connect.port: 80
+ socks.connect.response: "Success"
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.type: connect.domain
+ frame.payload_printable: "eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion"
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/stld/2ed742b9631a445a90864552c8b213a9?u=YWRtaW4%3D&p=VVNFUi1QQw%3D%3D&i=ODQuMTcuNDguMTgy&co=R2VybWFueSAoREUp&ci=RnJhbmtmdXJ0IGFtIE1haW4%3D&t=Y2hyaWJvdHM%3D"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: http
+ app_proto_orig: socks
diff --git a/tests/socks/bug-4965-socks-tls-02/socks5-localhost3-tcp-1080.pcap b/tests/socks/bug-4965-socks-tls-02/socks5-localhost3-tcp-1080.pcap
new file mode 100644
index 000000000..ae40129de
Binary files /dev/null and b/tests/socks/bug-4965-socks-tls-02/socks5-localhost3-tcp-1080.pcap differ
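Review bot: Neither rule carries a `msg:` or `rev:`, and sid 1 — `frame:pdu; content:"|05|"; startswith;` — presumably matches every SOCKS5 PDU whose first byte is the version 0x05, which in this capture means the greeting, the method selection, the CONNECT request and its reply (server replies also begin with the version byte), so it is a smoke test for the `pdu` frame rather than a detection of anything. Give both rules a message and, for sid 1, a direction so their purpose is readable in the alert output, e.g. `alert socks any any -> any any (msg:"SOCKS5 pdu frame"; flow:to_server; frame:pdu; content:"|05|"; startswith; sid:1; rev:1;)` and `msg:"SOCKS5 CONNECT to eternity onion"; ... sid:2; rev:1;`. Note that `flow:to_server` alone still leaves two client PDUs that start with 0x05, so the expected alert count for sid 1 has to be pinned from a run of the test rather than assumed to be one.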
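Review bot: test.rules in this directory defines two signatures but no check here asserts on `event_type: alert`, so the rules can silently stop matching (for instance if the `connect.domain` frame boundaries change) and the test would still pass; the `frame` check only proves the frame was logged, not that it is inspectable by the detection engine. Add an alert check pinned to sid 2, which should fire exactly once given the single CONNECT the second `socks` check already asserts on; sid 1's count depends on how many PDUs the `pdu` frame is raised for, so take it from a run rather than guessing. The `pcap:` line reaches into the sibling test directory, which suricata-verify accepts, but a comment such as `# shares the capture with bug-4965-socks-http-01` would keep someone from deleting that directory without noticing the dependency.

```yaml
  # … unchanged: existing socks / frame / http / flow checks …
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 2
```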
diff --git a/tests/socks/bug-4965-socks-tls-02/test.yaml b/tests/socks/bug-4965-socks-tls-02/test.yaml
new file mode 100644
index 000000000..de824a990
--- /dev/null
+++ b/tests/socks/bug-4965-socks-tls-02/test.yaml
@@ -0,0 +1,40 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: socks
+ socks.auth_methods.request[0]: "No authentication"
+ socks.auth_methods.request[1]: "GSSAPI"
+ socks.auth_methods.request[2]: "Username/Password"
+ socks.auth_methods.response: "Username/Password"
+ - filter:
+ count: 1
+ match:
+ event_type: socks
+ socks.auth_userpass.user: proxyuser
+ socks.auth_userpass.pass: securepassword
+ socks.auth_userpass.response: "Success"
+ - filter:
+ count: 1
+ match:
+ event_type: socks
+ socks.connect.ipv4: 35.212.0.44
+ socks.connect.port: 443
+ socks.connect.response: "Success"
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: suricata.io
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ app_proto_orig: socks
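Review bot: The second `socks` check pins `socks.auth_userpass.pass: securepassword`, which locks in that the cleartext RFC 1929 password is written to eve.json and from there into whatever SIEM ingests the logs; that is the same class of concern as logging an HTTP `Authorization` header, so at minimum add `# NOTE: the userpass password is logged in clear; confirm this is the intended eve output` above the check, and if the socks logger gains a redaction option, pin the redacted form here instead. `-k none` is passed here but not in the two http tests; the capture name (`socks5-localhost3-tcp-1080.pcap`) suggests a loopback session, so the reason is presumably checksum offload producing bad TCP checksums, and a one-line comment saying so would save the next reader from wondering whether checksum handling is broken for SOCKS. `socks.connect.ipv4: 35.212.0.44` and `tls.sni: suricata.io` are safe as plain scalars, but quoting them would match the style of the other string values in the file.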