[Bro] binpac documentation
nicolas.retrain at cea.fr
Wed May 15 05:52:38 PDT 2013
I saw a bug in the socks analyzer. I want to fix it, but unfortunately I
don't speak binpac. Is there documentation on it?
(http://www.bro.org/development/howtos/binpac-sample-analyzer.html is
not sufficient).
> What's the bug?
>
> .Seth

It appears when using the username authentication with SOCKS 5.
After the client and the server have chosen the username authentication,
the client has to send the following packet:
Client request (RFC 1929):
+----+------+----------+------+----------+
|VER | ULEN |  UNAME   | PLEN |  PASSWD  |
+----+------+----------+------+----------+
| 1  |  1   | 1 to 255 |  1   | 1 to 255 |
+----+------+----------+------+----------+
Here the first byte must be 0x1; it specifies the version of the
authentication mechanism, not the SOCKS version (0x5) like in all
other packets.
However in the socks-protocol.pac the type SOCKS_Version never parses
data if the first byte is 0x1, and it goes to an error.

    type SOCKS_Version(is_orig: bool) = record {
        version: uint8;
        msg: case version of {
            4 -> socks4_msg: SOCKS4_Message(is_orig);
            5 -> socks5_msg: SOCKS5_Message(is_orig);
            default -> socks_msg_fail: SOCKS_Version_Error(version);
        };
    };
--
Nicolas
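
Added example, not part of the original message and not Bro's analyzer code: a Python sketch of the RFC 1929 request layout shown above, and of why a dispatch on the first byte alone rejects it while a dispatch that tracks the negotiated method accepts it. The names `parse_userpass_request`, `classify`, `selected_method` and `auth_done` are hypothetical; the sample bytes are constructed.

```python
SOCKS4, SOCKS5 = 0x04, 0x05
AUTH_VER = 0x01          # RFC 1929 sub-negotiation version
METHOD_USERPASS = 0x02   # RFC 1928 method id for username/password


class ParseError(ValueError):
    pass


def parse_userpass_request(data: bytes) -> dict:
    """Parse VER | ULEN | UNAME | PLEN | PASSWD with bounds checks."""
    if len(data) < 2:
        raise ParseError("truncated header")
    ver, ulen = data[0], data[1]
    if ver != AUTH_VER:
        raise ParseError(f"unexpected auth version {ver:#x}")
    if ulen == 0 or len(data) < 2 + ulen + 1:
        raise ParseError("bad ULEN or truncated UNAME")
    uname = data[2:2 + ulen]
    plen = data[2 + ulen]
    end = 3 + ulen + plen
    if plen == 0 or len(data) < end:
        raise ParseError("bad PLEN or truncated PASSWD")
    # Report the password length only, so the secret stays out of logs.
    return {"uname": uname.decode("latin-1"), "passwd_len": plen, "consumed": end}


def classify(data: bytes, selected_method=None, auth_done=False) -> str:
    """Dispatch a client message using connection state (hypothetical helper).

    selected_method is the method the server chose in its reply; while
    username/password auth is pending, byte 0 is the RFC 1929 VER field.
    """
    if not data:
        return "version_error"
    if selected_method == METHOD_USERPASS and not auth_done:
        parse_userpass_request(data)
        return "socks5_userpass_auth"
    if data[0] == SOCKS4:
        return "socks4"
    if data[0] == SOCKS5:
        return "socks5"
    return "version_error"  # what a first-byte-only dispatch yields for 0x01


# Constructed sample: VER=1, ULEN=5, "alice", PLEN=6, "secret"
SAMPLE = b"\x01\x05alice\x06secret"
```

Calling `classify(SAMPLE)` without connection state reproduces the reported error path; passing `selected_method=METHOD_USERPASS` parses the same bytes as the authentication request.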