From bd724f43c0c72141e81bf005b5862550fe822fbe Mon Sep 17 00:00:00 2001
From: KujouRinka
Date: Sat, 27 Jan 2024 20:59:41 +0800
Subject: [PATCH] docs: update socks doc
---
 docs/Analyzers.md | 67 ++++++++++++++++-------------------------------
 1 file changed, 23 insertions(+), 44 deletions(-)
diff --git a/docs/Analyzers.md b/docs/Analyzers.md
index 0534e93..6f8dfa1 100644
--- a/docs/Analyzers.md
+++ b/docs/Analyzers.md
@@ -269,64 +269,42 @@ Example for blocking Trojan connections:
 expr: trojan != nil && trojan.yes
 ```
 
-## SOCKS4/SOCKS4A
+## SOCKS
 
 SOCKS4:
 
 ```json5
 {
- "socks4": {
+ "socks": {
+ "version": 4,
 "req": {
- "cmd": 1, // 0x01: connect, 0x02: bind
- "ip": "1.1.1.1",
+ "cmd": 1,
+ "addr_type": 1, // same with socks5
+ "addr": "1.1.1.1",
+ // for socks4a
+ // "addr_type": 3,
+ // "addr": "google.com",
 "port": 443,
- "user_id": "user_id"
+ "auth": {
+ "user_id": "user"
+ }
 },
 "resp": {
- "rep": 90, // 0x5A(90): granted
- "ip": "1.1.1.1",
+ "rep": 90, // 0x5A(90) granted
+ "addr_type": 1,
+ "addr": "1.1.1.1",
 "port": 443
 }
 }
 }
 ```
 
-SOCKS4A:
-
-```json5
-{
- "socks4": {
- "req": {
- "cmd": 1, // 0x01: connect, 0x02: bind
- "ip": "0.0.0.1",
- "port": 443,
- "user_id": "user_id",
- "hostname": "google.com"
- },
- "resp": {
- "rep": 90, // 0x5A(90): granted
- "ip": "0.0.0.1",
- "port": 443
- }
- }
-}
-```
-
-Example for blocking connections to `google.com:80`:
-
-```yaml
-- name: block baidu socks
- action: block
- expr: string(socks4?.req?.hostname) endsWith "bilibili.com" && socks4?.req?.port == 80
-```
-
-## SOCKS5
-
 SOCKS5 without auth:
 
 ```json5
 {
- "socks5": {
+ "socks": {
+ "version": 5,
 "req": {
 "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
 "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
@@ -353,7 +331,8 @@ SOCKS5 with auth:
 
 ```json5
 {
- "socks5": {
+ "socks": {
+ "version": 5,
 "req": {
 "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
 "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
@@ -382,11 +361,11 @@ SOCKS5 with auth:
 Example for blocking connections to `google.com:80` and user `foobar`:
 
 ```yaml
-- name: Block SOCKS5 google.com:80
+- name: Block SOCKS google.com:80
 action: block
- expr: string(socks5?.req?.addr) endsWith "google.com" && socks5?.req?.port == 80
+ expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80
 
-- name: Block SOCKS5 user foobar
+- name: Block SOCKS user foobar
 action: block
- expr: socks5?.req?.auth?.method == 2 && socks5?.req?.auth?.username == "foobar"
+ expr: socks?.req?.auth?.method == 2 && socks?.req?.auth?.username == "foobar"
 ```