[Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/socks-authentication: Refactor SOCKS5 user/pass authentication support. (961fd06)

Siwek, Jon jsiwek at illinois.edu
Fri Feb 13 02:42:00 PST 2015


> On Feb 12, 2015, at 7:24 PM, Seth Hall <seth at icir.org> wrote:
> 
> 
>> On Feb 12, 2015, at 6:06 PM, Jonathan Siwek <jsiwek at ncsa.illinois.edu> wrote:
>> 
>> -event socks_login_reply%(c: connection, code: count%);
>> +event socks_login_userpass_reply%(c: connection, code: count%);
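Review bot: On the `+` line, the rename replaces `socks_login_reply` outright, with no alias for the old name in this hunk, so existing handlers written against the old name will need updating. Consider calling the rename out in the change notes. Also consider documenting on `socks_login_userpass_reply` what `code` carries, so that the narrower username/password scope is clear to script writers.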
> 
> Did you find evidence that SOCKS uses a different reply message for different login types?  When I was reading I thought that the same login reply message structure was used in response to any login type.

The definition of SOCKS5 in RFC 1928 doesn’t seem to say anything about what different authentication methods should do.  So RFC 1929 for username/password has a reply w/ [version octet, status octet] and RFC 1961 for GSSAPI has [version octet, message type octet, length octet, variable length opaque token].

Current parser won’t do well with GSSAPI negotiation, but not sure how useful it would be since it’s likely all further SOCKS requests/replies are going to be framed differently (e.g. encrypted).

- Jon
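The two reply layouts discussed above, as an added example that is not part of the original message or of Bro's SOCKS analyzer: a Python sketch that picks the reply format from the method chosen in the RFC 1928 method-selection step. The function and constant names are hypothetical, the sample bytes are constructed, and the GSSAPI length field is read as two big-endian octets per RFC 1961.

```python
import struct

# Method codes from the RFC 1928 method-selection reply.
METHOD_GSSAPI = 0x01
METHOD_USERPASS = 0x02
SUBNEG_VERSION = 0x01   # sub-negotiation version used by RFC 1929 and RFC 1961
GSS_ABORT = 0xFF        # RFC 1961 failure/abort message type


class NeedMoreData(Exception):
    """The buffer ends before the reply is complete."""


def parse_auth_reply(method, buf):
    """Parse one server authentication reply (hypothetical helper).

    Returns (fields, bytes_consumed) so the caller knows where the
    next message starts.
    """
    if len(buf) < 2:
        raise NeedMoreData()
    if buf[0] != SUBNEG_VERSION:
        raise ValueError("unexpected sub-negotiation version %#x" % buf[0])

    if method == METHOD_USERPASS:
        # RFC 1929: [version octet, status octet]; status 0 means success.
        return {"kind": "userpass", "code": buf[1], "ok": buf[1] == 0}, 2

    if method == METHOD_GSSAPI:
        mtyp = buf[1]
        if mtyp == GSS_ABORT:
            # The abort message has no length or token fields.
            return {"kind": "gssapi", "mtyp": mtyp, "token": b""}, 2
        if len(buf) < 4:
            raise NeedMoreData()
        (length,) = struct.unpack_from("!H", buf, 2)
        if len(buf) < 4 + length:
            raise NeedMoreData()
        token = bytes(buf[4:4 + length])
        return {"kind": "gssapi", "mtyp": mtyp, "token": token}, 4 + length

    raise ValueError("no reply format known for method %#x" % method)


# Constructed sample: a GSSAPI authentication reply carrying a 3-byte token.
SAMPLE = b"\x01\x01\x00\x03abc"
```

Parsing `SAMPLE` as a username/password reply consumes only two octets and reports status 1, leaving five bytes that would be misread as the next SOCKS message.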


