main.zeek¶

Namespace:	SOCKS
Imports:	base/frameworks/tunnels, base/protocols/conn/removal-hooks.zeek, base/protocols/socks/consts.zeek

Summary¶

SOCKS::default_capture_password: bool &redef Whether passwords are captured or not.

SOCKS::Info: record The record type which contains the fields of the SOCKS log.

New Fields:

likely_server_ports: set &redef

SOCKS::log_socks: event Event that can be handled to access the SOCKS record as it is sent on to the logging framework.

`SOCKS::finalize_socks`: `Conn::RemovalHook`	SOCKS finalization hook.
`SOCKS::log_policy`: `Log::PolicyHook`

SOCKS::default_capture_password¶

Whether passwords are captured or not.

SOCKS::Info¶

Type:

ts: time &log: Time when the proxy connection was first detected.
uid: string &log: Unique ID for the tunnel - may correspond to connection uid or be non-existent.
id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.
version: count &log: Protocol version of SOCKS.
user: string &log &optional: Username used to request a login to the proxy.
password: string &log &optional: Password used to request a login to the proxy.
status: string &log &optional: Server status for the attempt at using the proxy.
request: SOCKS::Address &log &optional: Client requested SOCKS address. Could be an address, a name or both.
request_p: port &log &optional: Client requested port.
bound: SOCKS::Address &log &optional: Server bound address. Could be an address, a name or both.
bound_p: port &log &optional: Server bound port.
capture_password: bool &default = SOCKS::default_capture_password &optional: Determines if the password will be captured for this request.

The record type which contains the fields of the SOCKS log.

SOCKS::log_socks¶

Type:	`event` (rec: `SOCKS::Info`)

Event that can be handled to access the SOCKS record as it is sent on to the logging framework.

SOCKS::finalize_socks¶

Type:	`Conn::RemovalHook`

SOCKS finalization hook. Remaining SOCKS info may get logged when it’s called.

SOCKS::log_policy¶

Type:	`Log::PolicyHook`