On Feb 12, 2015, at 7:24 PM, Seth Hall
On Feb 12, 2015, at 6:06 PM, Jonathan Siwek
-event socks_login_reply%(c: connection, code: count%);
+event socks_login_userpass_reply%(c: connection, code: count%);
Did you find evidence that SOCKS uses a different reply message for different login
types? When I was reading I thought that the same login reply message structure was used
in response to any login type.
The definition of SOCKS5 in RFC 1928 doesn’t seem to say anything about what different
authentication methods should do. So RFC 1929 for username/password has a reply w/
[version octet, status octet] and RFC 1961 for GSSAPI has [version octet, message type
octet, length octet, variable length opaque token].
Current parser won’t do well with GSSAPI negotiation, but not sure how useful it would be
since it’s likely all further SOCKS requests/replies are going to be framed differently