WIP socks

Author: victorjulien

tests/socks/bug-4965-socks-http-01/aa391f05-780d-4a98-a520-eff3a436b3cf_SOCKS_only.pcap

@@ -0,0 +1,26 @@
+requires:
+  min-version: 8
+
+args:
+- --set app-layer.protocols.socks.tcp.detection-ports.dp=9200
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.auth_methods.request[0]: "No authentication"
+        socks.auth_methods.request[1]: "No authentication"
+        socks.auth_methods.response: "No authentication"
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/stld/2ed742b9631a445a90864552c8b213a9?u=YWRtaW4%3D&p=VVNFUi1QQw%3D%3D&i=ODQuMTcuNDguMTgy&co=R2VybWFueSAoREUp&ci=RnJhbmtmdXJ0IGFtIE1haW4%3D&t=Y2hyaWJvdHM%3D"
+        http.status: 200
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: http
+        app_proto_orig: socks

tests/socks/bug-4965-socks-http-01/test.yaml

@@ -0,0 +1,32 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.auth_methods.request[0]: "No authentication"
+        socks.auth_methods.request[1]: "GSSAPI"
+        socks.auth_methods.request[2]: "Username/Password"
+        socks.auth_methods.response: "Username/Password"
+  - filter:
+      count: 1
+      match:
+        event_type: socks
+        socks.auth_userpass.user: proxyuser
+        socks.auth_userpass.pass: securepassword
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.sni: suricata.io
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: tls
+        app_proto_orig: socks