mandiant/capa-rules

detect socks5 proxy capabilities

Open

#971 geöffnet am 6. Dez. 2024

Auf GitHub ansehen
 (15 Kommentare) (2 Reaktionen) (1 zugewiesene Person) (234 Forks)github user discovery
good first issuehelp wantedrule idea

Repository-Metriken

Stars
 (721 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

I've analyzed a few, small programs that function as SOCKS5 proxies and I've been able to identify the protocol based on the same offset and constant parsing completed in the code. Specifically, the client connection request when the parsing the DSTADDR field. This requires checking the address type (0x1, 0x3, 0x4) and command code (0x1, 0x2, 0x3).

I'm not sure if it's possible to check for comparisons to these constant values without introducing false positives but I wanted to note the idea here because I think it'd be helpful to quickly identify this common functionality.

Client connection request
                        VER	 CMD RSV DSTADDR DSTPORT
Byte Count	1	1	1	Variable	2
VER
    SOCKS version (0x05)
CMD
    command code:
        0x01: establish a TCP/IP stream connection
        0x02: establish a TCP/IP port binding
       0x03: associate a UDP port
RSV
    reserved, must be 0x00
DSTADDR
    destination address, see the address structure above.
DSTPORT
    port number in a [network byte order](https://en.wikipedia.org/wiki/Network_byte_order)
    
SOCKS5 address
                       TYPE	ADDR
Byte Count	1	variable
TYPE
    type of the address. One of:
        0x01: IPv4 address
        0x03: Domain name
        0x04: IPv6 address
ADDR
    the address data that follows. Depending on type:
         4 bytes for IPv4 address
         1 byte of name length followed by 1–255 bytes for the domain name
         16 bytes for IPv6 address

Source: https://en.wikipedia.org/wiki/SOCKS

Contributor Guide