From b0106c9941681674a88a6be9c968d7143f36f7c4 Mon Sep 17 00:00:00 2001
From: KujouRinka <kujourinka@gmail.com>
Date: Fri, 26 Jan 2024 14:45:26 +0800
Subject: [PATCH] docs: add socks5 doc

---
 docs/Analyzers.md | 75 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 74 insertions(+), 1 deletion(-)

diff --git a/docs/Analyzers.md b/docs/Analyzers.md
index a3b5728..0baed97 100644
--- a/docs/Analyzers.md
+++ b/docs/Analyzers.md
@@ -266,4 +266,77 @@ Example for blocking Trojan connections:
 - name: Block Trojan
   action: block
   expr: trojan != nil && trojan.yes
-```
\ No newline at end of file
+```
+
+## Socks5
+
+Socks5 that don't need auth:
+
+``` json
+{
+  "socks5": {
+    "req": {
+      "cmd": 1,         // 0x01: connect, 0x02: bind, 0x03: udp
+      "addr_type": 3,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr": "google.com",
+      "port": 80,
+      "auth": {
+        "method": 0     // 0x00: no auth, 0x02: username/password
+      }
+    },
+    "resp": {
+      "rep": 0,         // 0x00: success
+      "addr_type": 1,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr": "198.18.1.31",
+      "port": 80,
+      "auth": {
+        "method": 0     // 0x00: no auth, 0x02: username/password
+      }
+    }
+  }
+}
+```
+
+Socks5 that need auth:
+
+``` json
+{
+  "socks5": {
+    "req": {
+      "cmd": 1,         // 0x01: connect, 0x02: bind, 0x03: udp
+      "addr_type": 3,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr": "google.com",
+      "port": 80,
+      "auth": {
+        "method": 2,    // 0x00: no auth, 0x02: username/password
+        "username": "user",
+        "password": "pass"
+      }
+    },
+    "resp": {
+      "rep": 0,         // 0x00: success
+      "addr_type": 1,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr": "198.18.1.31",
+      "port": 80,
+      "auth": {
+        "method": 2,    // 0x00: no auth, 0x02: username/password
+        "status": 0     // 0x00: success, 0x01: failure
+      }
+    }
+  }
+}
+```
+
+Example for blocking Socks5 connections:
+
+```yaml
+# Block connection to google.com:80
+- name: Block Google
+  action: block
+  expr: string(socks5?.req?.addr) endsWith "google.com" && socks5?.req?.port == 80
+
+# Block specified user
+- name: Block user foobar
+  action: block
+  expr: socks5?.req?.auth?.method == 2 && socks5?.req?.auth?.username == "foobar"
+```