From 1ae0455fd532c68dd8b6773636d5c38d70ee8c87 Mon Sep 17 00:00:00 2001 From: KujouRinka Date: Sat, 27 Jan 2024 14:09:21 +0800 Subject: [PATCH] docs: add sock4/4a doc --- docs/Analyzers.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/docs/Analyzers.md b/docs/Analyzers.md index 7333f7d..0534e93 100644 --- a/docs/Analyzers.md +++ b/docs/Analyzers.md @@ -269,6 +269,57 @@ Example for blocking Trojan connections: expr: trojan != nil && trojan.yes ``` +## SOCKS4/SOCKS4A + +SOCKS4: + +```json5 +{ + "socks4": { + "req": { + "cmd": 1, // 0x01: connect, 0x02: bind + "ip": "1.1.1.1", + "port": 443, + "user_id": "user_id" + }, + "resp": { + "rep": 90, // 0x5A(90): granted + "ip": "1.1.1.1", + "port": 443 + } + } +} +``` + +SOCKS4A: + +```json5 +{ + "socks4": { + "req": { + "cmd": 1, // 0x01: connect, 0x02: bind + "ip": "0.0.0.1", + "port": 443, + "user_id": "user_id", + "hostname": "google.com" + }, + "resp": { + "rep": 90, // 0x5A(90): granted + "ip": "0.0.0.1", + "port": 443 + } + } +} +``` + +Example for blocking connections to `google.com:80`: + +```yaml +- name: block baidu socks + action: block + expr: string(socks4?.req?.hostname) endsWith "bilibili.com" && socks4?.req?.port == 80 +``` + ## SOCKS5 SOCKS5 without auth: