From b0106c9941681674a88a6be9c968d7143f36f7c4 Mon Sep 17 00:00:00 2001
From: KujouRinka
Date: Fri, 26 Jan 2024 14:45:26 +0800
Subject: [PATCH] docs: add socks5 doc
---
docs/Analyzers.md | 75 ++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 74 insertions(+), 1 deletion(-)
diff --git a/docs/Analyzers.md b/docs/Analyzers.md
index a3b5728..0baed97 100644
--- a/docs/Analyzers.md
+++ b/docs/Analyzers.md
@@ -266,4 +266,77 @@ Example for blocking Trojan connections:
 - name: Block Trojan
 action: block
 expr: trojan != nil && trojan.yes
-```
\ No newline at end of file
+```
+
+## Socks5
+
+Socks5 that don't need auth:
+
+``` json
+{
+ "socks5": {
+ "req": {
+ "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
+ "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+ "addr": "google.com",
+ "port": 80,
+ "auth": {
+ "method": 0 // 0x00: no auth, 0x02: username/password
+ }
+ },
+ "resp": {
+ "rep": 0, // 0x00: success
+ "addr_type": 1, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+ "addr": "198.18.1.31",
+ "port": 80,
+ "auth": {
+ "method": 0 // 0x00: no auth, 0x02: username/password
+ }
+ }
+ }
+}
+```
+
+Socks5 that need auth:
+
+``` json
+{
+ "socks5": {
+ "req": {
+ "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
+ "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+ "addr": "google.com",
+ "port": 80,
+ "auth": {
+ "method": 2, // 0x00: no auth, 0x02: username/password
+ "username": "user",
+ "password": "pass"
+ }
+ },
+ "resp": {
+ "rep": 0, // 0x00: success
+ "addr_type": 1, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+ "addr": "198.18.1.31",
+ "port": 80,
+ "auth": {
+ "method": 2, // 0x00: no auth, 0x02: username/password
+ "status": 0 // 0x00: success, 0x01: failure
+ }
+ }
+ }
+}
+```
+
+Example for blocking Socks5 connections:
+
+```yaml
+# Block connection to google.com:80
+- name: Block Google
+ action: block
+ expr: string(socks5?.req?.addr) endsWith "google.com" && socks5?.req?.port == 80
+
+# Block specified user
+- name: Block user foobar
+ action: block
+ expr: socks5?.req?.auth?.method == 2 && socks5?.req?.auth?.username == "foobar"
+```