> On Feb 12, 2015, at 7:24 PM, Seth Hall <[email protected]> wrote: > > >> On Feb 12, 2015, at 6:06 PM, Jonathan Siwek <[email protected]> wrote: >> >> -event socks_login_reply%(c: connection, code: count%); >> +event socks_login_userpass_reply%(c: connection, code: count%); > > Did you find evidence that SOCKS uses a different reply message for different > login types? When I was reading I thought that the same login reply message > structure was used in response to any login type.
The definition of SOCKS5 in RFC 1928 doesn’t seem to say anything about what different authentication methods should do. So RFC 1929 for username/password has a reply w/ [version octet, status octet] and RFC 1961 for GSSAPI has [version octet, message type octet, length octet, variable length opaque token]. Current parser won’t do well with GSSAPI negotiation, but not sure how useful it would be since it’s likely all further SOCKS requests/replies are going to be framed differently (e.g. encrypted). - Jon _______________________________________________ bro-dev mailing list [email protected] http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
