main.zeek

SOCKS

Namespace:: SOCKS
Imports:: base/frameworks/tunnels, base/protocols/conn/removal-hooks.zeek, base/protocols/socks/consts.zeek

Summary

Runtime Options

SOCKS::default_capture_password: bool &redef

Whether passwords are captured or not.

Redefinable Options

SOCKS::ports: set &redef

Well-known ports for SOCKS.

Types

SOCKS::Info: record

The record type which contains the fields of the SOCKS log.

Redefinitions

`Log::ID`: `enum`	`SOCKS::LOG`
`connection`: `record`	New Fields: `connection` socks: `SOCKS::Info` `&optional`

Events

SOCKS::log_socks: event

Event that can be handled to access the SOCKS record as it is sent on to the logging framework.

Hooks

`SOCKS::finalize_socks`: `Conn::RemovalHook`	SOCKS finalization hook.
`SOCKS::log_policy`: `Log::PolicyHook`

Detailed Interface

Runtime Options

SOCKS::default_capture_password 

Type:: bool
Attributes:: &redef
Default:: F

Whether passwords are captured or not.

Redefinable Options

SOCKS::ports 

Type:

set [port]

Attributes:

&redef

Default:

{
   1080/tcp
}

Well-known ports for SOCKS.

Types

SOCKS::Info 

Type:

record

Fields:

ts: time &log: Time when the proxy connection was first detected.

uid: string &log: Unique ID for the tunnel - may correspond to connection uid or be nonexistent.

id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.

version: count &log: Protocol version of SOCKS.

user: string &log &optional: Username used to request a login to the proxy.

password: string &log &optional: Password used to request a login to the proxy.

status: string &log &optional: Server status for the attempt at using the proxy.

request: SOCKS::Address &log &optional: Client requested SOCKS address. Could be an address, a name or both.

request_p: port &log &optional: Client requested port.

bound: SOCKS::Address &log &optional: Server bound address. Could be an address, a name or both.

bound_p: port &log &optional: Server bound port.

capture_password: bool &default = SOCKS::default_capture_password &optional: Determines if the password will be captured for this request.

The record type which contains the fields of the SOCKS log.

Events

SOCKS::log_socks 

Type:: event (rec: SOCKS::Info)

Event that can be handled to access the SOCKS record as it is sent on to the logging framework.

Hooks

SOCKS::finalize_socks 

Type:: Conn::RemovalHook

SOCKS finalization hook. Remaining SOCKS info may get logged when it’s called.

SOCKS::log_policy 

Type:: Log::PolicyHook