从java SOCKS套接字检测协议
[英]Detect protocol from java SOCKS socket
问题描述
I'm developing a custom SOCKS5 server in Java. 
我正在用Java开发一个自定义SOCKS5服务器。 Other than the first CONNECT message that includes the HOST and PORT, is then any way to inspect the subsequent messages to determine the protocol of the data? 除了第一个包含HOST和PORT的CONNECT消息之外,是否可以通过任何方式检查后续消息以确定数据协议? For example, if the application data starts with "GET /...", the request is likely HyperText Transfer Protocol (HTTP), but that is far from a complete solution. 例如,如果应用程序数据以“GET / ...”开头,则该请求可能是超文本传输协议(HTTP),但这远非完整的解决方案。 Is there a way to see if the data is say HTTPS, or FTP, or "NetFlix streaming", etc...? 有没有办法看看数据是说HTTPS,FTP还是“NetFlix流媒体”等......?
Secondarily, if the data is http or https how would I forward the request to a dedicated HTTP proxy? 其次,如果数据是http或https,我如何将请求转发到专用HTTP代理?
1 个解决方案
解决方案1
1 已采纳 2016-03-06 07:17:42
is then any way to inspect the subsequent messages to determine the protocol of the data?... s there a way to see if the data is say HTTPS, or FTP, or "NetFlix streaming", etc...?
Basically you have destination port, destination IP address and maybe hostname (if DNS resolving is done through the SOCKS5 server too) and the payload. 基本上,您有目标端口,目标IP地址和主机名(如果DNS解析也通过SOCKS5服务器完成)和有效负载。 Based on the knowledge of well known target hosts, target ports and typical payloads you could build heuristics to guess the protocol. 基于众所周知的目标主机,目标端口和典型有效负载的知识,您可以构建启发式来猜测协议。
You will find such heuristics in today's Intrusion Detection Systems, better firewalls and traffic classifiers and they differ a lot in the detection quality and a determined user can often fool these heuristics. 您会在今天的入侵检测系统,更好的防火墙和流量分类器中找到这样的启发式方法,它们在检测质量上有很大差异,而且坚定的用户通常可以欺骗这些启发式方法。 This is a very wide topic but you might start looking at free deep inspection (DPI) libraries like nDPI and read more about DPI at Wikipedia . 这是一个非常广泛的主题,但您可能会开始查看像nDPI这样的免费深度检查(DPI)库,并在Wikipedia上阅读有关DPI的更多信息。
Secondarily, if the data is http or https how would I forward the request to a dedicated HTTP proxy?
First change the target from the target requested by the client to the proxy. 首先将目标从客户端请求的目标更改为代理。 This must be done of course before any data gets transferred which might conflict with the DPI you do on the data stream because some connections first get data from the server (like SMTP) while others like HTTP(S) first get data from the client. 当然,必须在传输任何可能与您在数据流上执行的DPI冲突的数据之前完成此操作,因为某些连接首先从服务器获取数据(如SMTP),而其他类似HTTP(S)的数据首先从客户端获取数据。 Thus you probably need to find out if this is HTTP(S) before getting any payload, ie only based on target port. 因此,您可能需要在获取任何有效负载之前确定这是否是HTTP(S),即仅基于目标端口。 For HTTPS you would then need then to establish a tunnel using a CONNECT request as described in RFC 2817 . 对于HTTPS,您需要使用RFC 2817中描述的CONNECT请求建立隧道。 For HTTP you would modify the request to include not only the path but the full URL (ie http://host[:port]/path ). 对于HTTP,您可以修改请求,不仅包括路径,还包括完整的URL(即http://host[:port]/path )。
As you can see all of this uses lots of heuristics which work for most but not all cases. 正如您所看到的,所有这些都使用了大量的启发式算法,这些启发式算法适用于大多数但不是所有情 Apart from that this can be a very complex task depending on the quality of traffic classification you need. 除此之外,这可能是一项非常复杂的任务,具体取决于您所需的流量分类质量。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.