一些诡异的 SOCKS 命中记录 #128

trantuan-20048607 · 2024-04-10T14:54:25Z

trantuan-20048607
Apr 10, 2024

贴一段正常运行时的日志，这些连接被识别成了 SOCKS 协议，但 SOCKS 载荷中的地址（socks.req.addr）均为保留地址，且用户名（socks.req.auth.user_id）为乱码：

Wed Apr 10 22:44:47 2024 user.notice OpenGFW: 2024-04-10T14:44:47Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071636897964032, "src": "192.168.1.172:49084", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4051723,"ex2":false,"ex3":0.8103448,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.9.16","addr_type":1,"auth":{"user_id":"\t\u0010"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:44:53 2024 user.notice OpenGFW: 2024-04-10T14:44:47Z	INFO	TCP stream action	{"id": 1778071636897964032, "src": "192.168.1.172:49084", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:44:53 2024 user.notice OpenGFW: 2024-04-10T14:44:47Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071636893769728, "src": "192.168.1.172:43820", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4608696,"ex2":false,"ex3":0.82608694,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.139.106","addr_type":1,"auth":{"user_id":"\ufffdj"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:44:53 2024 user.notice OpenGFW: 2024-04-10T14:44:47Z	INFO	TCP stream action	{"id": 1778071636893769728, "src": "192.168.1.172:43820", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:44:53 2024 user.notice OpenGFW: 2024-04-10T14:44:50Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071649657032704, "src": "192.168.1.172:34058", "dst": "103.102.202.180:13507", "props": {"fet":{"ex1":2.8737864,"ex2":false,"ex3":0.47572815,"ex4":19,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.9.134.199","addr_type":1,"auth":{"user_id":"\ufffdǠ\ufffd\u0013\ufffd`\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:44:57 2024 user.notice OpenGFW: 2024-04-10T14:44:50Z	INFO	TCP stream action	{"id": 1778071649657032704, "src": "192.168.1.172:34058", "dst": "103.102.202.180:13507", "action": "block"}
Wed Apr 10 22:44:57 2024 user.notice OpenGFW: 2024-04-10T14:44:53Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071662378360832, "src": "192.168.1.172:43842", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.5278592,"ex2":false,"ex3":0.82697946,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.20.114","addr_type":1,"auth":{"user_id":"\u0014r`\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:44:57 2024 user.notice OpenGFW: 2024-04-10T14:44:53Z	INFO	TCP stream action	{"id": 1778071662378360832, "src": "192.168.1.172:43842", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:44:57 2024 user.notice OpenGFW: 2024-04-10T14:44:53Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071662378352640, "src": "192.168.1.172:49102", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.5174417,"ex2":false,"ex3":0.81686044,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.20.114","addr_type":1,"auth":{"user_id":"\u0014rШ\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:00 2024 user.notice OpenGFW: 2024-04-10T14:44:53Z	INFO	TCP stream action	{"id": 1778071662378352640, "src": "192.168.1.172:49102", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:00 2024 user.notice OpenGFW: 2024-04-10T14:44:57Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071675137433600, "src": "192.168.1.172:45526", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4811594,"ex2":false,"ex3":0.82028985,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.165","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:00 2024 user.notice OpenGFW: 2024-04-10T14:44:57Z	INFO	TCP stream action	{"id": 1778071675137433600, "src": "192.168.1.172:45526", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:00 2024 user.notice OpenGFW: 2024-04-10T14:44:57Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071675137437696, "src": "192.168.1.172:49292", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.4626436,"ex2":false,"ex3":0.8103448,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.169","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:03 2024 user.notice OpenGFW: 2024-04-10T14:44:57Z	INFO	TCP stream action	{"id": 1778071675137437696, "src": "192.168.1.172:49292", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:03 2024 user.notice OpenGFW: 2024-04-10T14:45:00Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071687862956032, "src": "192.168.1.172:45530", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4869566,"ex2":false,"ex3":0.8289855,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.205.59","addr_type":1,"auth":{"user_id":"\ufffd;8\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:03 2024 user.notice OpenGFW: 2024-04-10T14:45:00Z	INFO	TCP stream action	{"id": 1778071687862956032, "src": "192.168.1.172:45530", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:03 2024 user.notice OpenGFW: 2024-04-10T14:45:00Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071687867142144, "src": "192.168.1.172:49296", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.433908,"ex2":false,"ex3":0.8103448,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.161","addr_type":1,"auth":{"user_id":"\u0019\ufffd\b\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:06 2024 user.notice OpenGFW: 2024-04-10T14:45:00Z	INFO	TCP stream action	{"id": 1778071687867142144, "src": "192.168.1.172:49296", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:06 2024 user.notice OpenGFW: 2024-04-10T14:45:03Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071700596858880, "src": "192.168.1.172:45536", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4724638,"ex2":false,"ex3":0.82608694,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.205.37","addr_type":1,"auth":{"user_id":"\ufffd%\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:06 2024 user.notice OpenGFW: 2024-04-10T14:45:03Z	INFO	TCP stream action	{"id": 1778071700596858880, "src": "192.168.1.172:45536", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:06 2024 user.notice OpenGFW: 2024-04-10T14:45:03Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071700596862976, "src": "192.168.1.172:49298", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.433908,"ex2":false,"ex3":0.8132184,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.160","addr_type":1,"auth":{"user_id":"\u0019\ufffd0\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:09 2024 user.notice OpenGFW: 2024-04-10T14:45:03Z	INFO	TCP stream action	{"id": 1778071700596862976, "src": "192.168.1.172:49298", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:09 2024 user.notice OpenGFW: 2024-04-10T14:45:06Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071713343340544, "src": "192.168.1.172:49130", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.454023,"ex2":false,"ex3":0.8132184,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.145.187","addr_type":1,"auth":{"user_id":"\ufffd\ufffd \ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:09 2024 user.notice OpenGFW: 2024-04-10T14:45:06Z	INFO	TCP stream action	{"id": 1778071713343340544, "src": "192.168.1.172:49130", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:09 2024 user.notice OpenGFW: 2024-04-10T14:45:06Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071713343344640, "src": "192.168.1.172:43870", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4724638,"ex2":false,"ex3":0.8231884,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.145.186","addr_type":1,"auth":{"user_id":"\ufffd\ufffdP\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:12 2024 user.notice OpenGFW: 2024-04-10T14:45:06Z	INFO	TCP stream action	{"id": 1778071713343344640, "src": "192.168.1.172:43870", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:12 2024 user.notice OpenGFW: 2024-04-10T14:45:09Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071726131777536, "src": "192.168.1.172:49134", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4454024,"ex2":false,"ex3":0.81609195,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.143.114","addr_type":1,"auth":{"user_id":"\ufffdr"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:12 2024 user.notice OpenGFW: 2024-04-10T14:45:09Z	INFO	TCP stream action	{"id": 1778071726131777536, "src": "192.168.1.172:49134", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:12 2024 user.notice OpenGFW: 2024-04-10T14:45:09Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071726135975936, "src": "192.168.1.172:43874", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4695652,"ex2":false,"ex3":0.82608694,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.76.248","addr_type":1,"auth":{"user_id":"L\ufffd\ufffd\ufffd\u0013\ufffd@ו"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:15 2024 user.notice OpenGFW: 2024-04-10T14:45:09Z	INFO	TCP stream action	{"id": 1778071726135975936, "src": "192.168.1.172:43874", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:15 2024 user.notice OpenGFW: 2024-04-10T14:45:12Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071738895052800, "src": "192.168.1.172:43880", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.463768,"ex2":false,"ex3":0.8318841,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.98.73","addr_type":1,"auth":{"user_id":"bI\ufffd\ufffd\u0013\ufffd@ו"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:15 2024 user.notice OpenGFW: 2024-04-10T14:45:12Z	INFO	TCP stream action	{"id": 1778071738895052800, "src": "192.168.1.172:43880", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:15 2024 user.notice OpenGFW: 2024-04-10T14:45:12Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071738890854400, "src": "192.168.1.172:49140", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4584527,"ex2":false,"ex3":0.81088823,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.121.242","addr_type":1,"auth":{"user_id":"y\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:18 2024 user.notice OpenGFW: 2024-04-10T14:45:12Z	INFO	TCP stream action	{"id": 1778071738890854400, "src": "192.168.1.172:49140", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:18 2024 user.notice OpenGFW: 2024-04-10T14:45:15Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071751708639232, "src": "192.168.1.172:45558", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4753623,"ex2":false,"ex3":0.82028985,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.175","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:18 2024 user.notice OpenGFW: 2024-04-10T14:45:15Z	INFO	TCP stream action	{"id": 1778071751708639232, "src": "192.168.1.172:45558", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:18 2024 user.notice OpenGFW: 2024-04-10T14:45:15Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071751708647424, "src": "192.168.1.172:49324", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.4555874,"ex2":false,"ex3":0.8051576,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.178.174","addr_type":1,"auth":{"user_id":"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:21 2024 user.notice OpenGFW: 2024-04-10T14:45:15Z	INFO	TCP stream action	{"id": 1778071751708647424, "src": "192.168.1.172:49324", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:21 2024 user.notice OpenGFW: 2024-04-10T14:45:18Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071764434157568, "src": "192.168.1.172:45562", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4666667,"ex2":false,"ex3":0.82028985,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.162","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:21 2024 user.notice OpenGFW: 2024-04-10T14:45:18Z	INFO	TCP stream action	{"id": 1778071764434157568, "src": "192.168.1.172:45562", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:21 2024 user.notice OpenGFW: 2024-04-10T14:45:18Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071764450934784, "src": "192.168.1.172:49328", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.4555874,"ex2":false,"ex3":0.8051576,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.167","addr_type":1,"auth":{"user_id":"\u0019\ufffdȻ\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:24 2024 user.notice OpenGFW: 2024-04-10T14:45:18Z	INFO	TCP stream action	{"id": 1778071764450934784, "src": "192.168.1.172:49328", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:24 2024 user.notice OpenGFW: 2024-04-10T14:45:21Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071777214214144, "src": "192.168.1.172:45568", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4695652,"ex2":false,"ex3":0.82028985,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.181","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:24 2024 user.notice OpenGFW: 2024-04-10T14:45:21Z	INFO	TCP stream action	{"id": 1778071777214214144, "src": "192.168.1.172:45568", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:24 2024 user.notice OpenGFW: 2024-04-10T14:45:21Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071777210011648, "src": "192.168.1.172:49332", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.4498568,"ex2":false,"ex3":0.8051576,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.183","addr_type":1,"auth":{"user_id":"\u0019\ufffd\u0010\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:27 2024 user.notice OpenGFW: 2024-04-10T14:45:21Z	INFO	TCP stream action	{"id": 1778071777210011648, "src": "192.168.1.172:49332", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:27 2024 user.notice OpenGFW: 2024-04-10T14:45:24Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071789964890112, "src": "192.168.1.172:43900", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4434783,"ex2":false,"ex3":0.82608694,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.20.113","addr_type":1,"auth":{"user_id":"\u0014q\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:27 2024 user.notice OpenGFW: 2024-04-10T14:45:24Z	INFO	TCP stream action	{"id": 1778071789964890112, "src": "192.168.1.172:43900", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:27 2024 user.notice OpenGFW: 2024-04-10T14:45:24Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071789960699904, "src": "192.168.1.172:49160", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4412608,"ex2":false,"ex3":0.81088823,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.142.72","addr_type":1,"auth":{"user_id":"\ufffdH\ufffd\ufffd\ufffd\ufffd\u0010׆"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:30 2024 user.notice OpenGFW: 2024-04-10T14:45:24Z	INFO	TCP stream action	{"id": 1778071789960699904, "src": "192.168.1.172:49160", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:30 2024 user.notice OpenGFW: 2024-04-10T14:45:27Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071802728161280, "src": "192.168.1.172:43904", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.408759,"ex2":false,"ex3":0.77737224,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.153.129","addr_type":1,"auth":{"user_id":"\ufffd\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:30 2024 user.notice OpenGFW: 2024-04-10T14:45:27Z	INFO	TCP stream action	{"id": 1778071802728161280, "src": "192.168.1.172:43904", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:30 2024 user.notice OpenGFW: 2024-04-10T14:45:27Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071802728157184, "src": "192.168.1.172:49168", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.3935018,"ex2":false,"ex3":0.7689531,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.153.130","addr_type":1,"auth":{"user_id":"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:33 2024 user.notice OpenGFW: 2024-04-10T14:45:27Z	INFO	TCP stream action	{"id": 1778071802728157184, "src": "192.168.1.172:49168", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:33 2024 user.notice OpenGFW: 2024-04-10T14:45:30Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071815483039744, "src": "192.168.1.172:43908", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.5337243,"ex2":false,"ex3":0.8181818,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.153.128","addr_type":1,"auth":{"user_id":"\ufffd\ufffdм\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:33 2024 user.notice OpenGFW: 2024-04-10T14:45:30Z	INFO	TCP stream action	{"id": 1778071815483039744, "src": "192.168.1.172:43908", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:33 2024 user.notice OpenGFW: 2024-04-10T14:45:30Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071815483035648, "src": "192.168.1.172:49170", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.5494187,"ex2":false,"ex3":0.81686044,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.67.221","addr_type":1,"auth":{"user_id":"C\ufffd\ufffd\ufffd\ufffd\ufffd\u0010׆"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:36 2024 user.notice OpenGFW: 2024-04-10T14:45:30Z	INFO	TCP stream action	{"id": 1778071815483035648, "src": "192.168.1.172:49170", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:36 2024 user.notice OpenGFW: 2024-04-10T14:45:33Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071828284055552, "src": "192.168.1.172:45584", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.423792,"ex2":false,"ex3":0.7769517,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.175","addr_type":1,"auth":{"user_id":"\u0019\ufffd0\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:36 2024 user.notice OpenGFW: 2024-04-10T14:45:33Z	INFO	TCP stream action	{"id": 1778071828284055552, "src": "192.168.1.172:45584", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:36 2024 user.notice OpenGFW: 2024-04-10T14:45:33Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071828275662848, "src": "192.168.1.172:49346", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.411111,"ex2":false,"ex3":0.76296294,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.175","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:39 2024 user.notice OpenGFW: 2024-04-10T14:45:33Z	INFO	TCP stream action	{"id": 1778071828275662848, "src": "192.168.1.172:49346", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:39 2024 user.notice OpenGFW: 2024-04-10T14:45:36Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071841043120128, "src": "192.168.1.172:45588", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4275362,"ex2":false,"ex3":0.7789855,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.179","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:39 2024 user.notice OpenGFW: 2024-04-10T14:45:36Z	INFO	TCP stream action	{"id": 1778071841043120128, "src": "192.168.1.172:45588", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:39 2024 user.notice OpenGFW: 2024-04-10T14:45:36Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071841043132416, "src": "192.168.1.172:49350", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.4259927,"ex2":false,"ex3":0.7689531,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.174","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:42 2024 user.notice OpenGFW: 2024-04-10T14:45:36Z	INFO	TCP stream action	{"id": 1778071841043132416, "src": "192.168.1.172:49350", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:42 2024 user.notice OpenGFW: 2024-04-10T14:45:39Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071853932216320, "src": "192.168.1.172:45594", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.423792,"ex2":false,"ex3":0.7732342,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.182.142","addr_type":1,"auth":{"user_id":"\ufffd\ufffd\u0010\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:42 2024 user.notice OpenGFW: 2024-04-10T14:45:39Z	INFO	TCP stream action	{"id": 1778071853932216320, "src": "192.168.1.172:45594", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:42 2024 user.notice OpenGFW: 2024-04-10T14:45:39Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071853928022016, "src": "192.168.1.172:49358", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.411111,"ex2":false,"ex3":0.76666665,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.182.142","addr_type":1,"auth":{"user_id":"\ufffd\ufffd(\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:45 2024 user.notice OpenGFW: 2024-04-10T14:45:39Z	INFO	TCP stream action	{"id": 1778071853928022016, "src": "192.168.1.172:49358", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:45 2024 user.notice OpenGFW: 2024-04-10T14:45:42Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071866695491584, "src": "192.168.1.172:49188", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4185185,"ex2":false,"ex3":0.7740741,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.234.124","addr_type":1,"auth":{"user_id":"\ufffd|0\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:45 2024 user.notice OpenGFW: 2024-04-10T14:45:42Z	INFO	TCP stream action	{"id": 1778071866695491584, "src": "192.168.1.172:49188", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:45 2024 user.notice OpenGFW: 2024-04-10T14:45:42Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071866695483392, "src": "192.168.1.172:43928", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4349442,"ex2":false,"ex3":0.78066915,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.234.124","addr_type":1,"auth":{"user_id":"\ufffd|\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:48 2024 user.notice OpenGFW: 2024-04-10T14:45:42Z	INFO	TCP stream action	{"id": 1778071866695483392, "src": "192.168.1.172:43928", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:48 2024 user.notice OpenGFW: 2024-04-10T14:45:45Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071879576203264, "src": "192.168.1.172:49192", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.5406976,"ex2":false,"ex3":0.81104654,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.249.23","addr_type":1,"auth":{"user_id":"\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\u0010ֆ"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:48 2024 user.notice OpenGFW: 2024-04-10T14:45:45Z	INFO	TCP stream action	{"id": 1778071879576203264, "src": "192.168.1.172:49192", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:48 2024 user.notice OpenGFW: 2024-04-10T14:45:45Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071879576195072, "src": "192.168.1.172:43932", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.5513196,"ex2":false,"ex3":0.8240469,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.234.124","addr_type":1,"auth":{"user_id":"\ufffd|е\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:51 2024 user.notice OpenGFW: 2024-04-10T14:45:45Z	INFO	TCP stream action	{"id": 1778071879576195072, "src": "192.168.1.172:43932", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:51 2024 user.notice OpenGFW: 2024-04-10T14:45:48Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071892465295360, "src": "192.168.1.172:43934", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4163568,"ex2":false,"ex3":0.78438663,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.234.121","addr_type":1,"auth":{"user_id":"\ufffdyP\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:51 2024 user.notice OpenGFW: 2024-04-10T14:45:48Z	INFO	TCP stream action	{"id": 1778071892465295360, "src": "192.168.1.172:43934", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:45:51 2024 user.notice OpenGFW: 2024-04-10T14:45:48Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071892465287168, "src": "192.168.1.172:49198", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4037037,"ex2":false,"ex3":0.77037036,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.234.121","addr_type":1,"auth":{"user_id":"\ufffdy\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:54 2024 user.notice OpenGFW: 2024-04-10T14:45:48Z	INFO	TCP stream action	{"id": 1778071892465287168, "src": "192.168.1.172:49198", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:45:54 2024 user.notice OpenGFW: 2024-04-10T14:45:51Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071905228566528, "src": "192.168.1.172:45614", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.5278592,"ex2":false,"ex3":0.82111436,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.160","addr_type":1,"auth":{"user_id":"\u0019\ufffd`\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:54 2024 user.notice OpenGFW: 2024-04-10T14:45:51Z	INFO	TCP stream action	{"id": 1778071905228566528, "src": "192.168.1.172:45614", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:54 2024 user.notice OpenGFW: 2024-04-10T14:45:51Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071905249538048, "src": "192.168.1.172:49380", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.5115607,"ex2":false,"ex3":0.80924857,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.163","addr_type":1,"auth":{"user_id":"\u0019\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:45:57 2024 user.notice OpenGFW: 2024-04-10T14:45:51Z	INFO	TCP stream action	{"id": 1778071905249538048, "src": "192.168.1.172:49380", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:45:57 2024 user.notice OpenGFW: 2024-04-10T14:45:54Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071917983440896, "src": "192.168.1.172:45620", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.423792,"ex2":false,"ex3":0.7732342,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.175","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:45:57 2024 user.notice OpenGFW: 2024-04-10T14:45:54Z	INFO	TCP stream action	{"id": 1778071917983440896, "src": "192.168.1.172:45620", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:45:57 2024 user.notice OpenGFW: 2024-04-10T14:45:54Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071918000222208, "src": "192.168.1.172:49386", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.4,"ex2":false,"ex3":0.76296294,"ex4":88,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.25.179","addr_type":1,"auth":{"user_id":"\u0019\ufffd\b\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:00 2024 user.notice OpenGFW: 2024-04-10T14:45:54Z	INFO	TCP stream action	{"id": 1778071918000222208, "src": "192.168.1.172:49386", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:46:00 2024 user.notice OpenGFW: 2024-04-10T14:45:57Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071930729930752, "src": "192.168.1.172:45624", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.5306122,"ex2":false,"ex3":0.819242,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.161","addr_type":1,"auth":{"user_id":"\u0019\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:00 2024 user.notice OpenGFW: 2024-04-10T14:45:57Z	INFO	TCP stream action	{"id": 1778071930729930752, "src": "192.168.1.172:45624", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:46:00 2024 user.notice OpenGFW: 2024-04-10T14:45:58Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071930755092480, "src": "192.168.1.172:49390", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.5173411,"ex2":false,"ex3":0.80924857,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.135.180","addr_type":1,"auth":{"user_id":"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:04 2024 user.notice OpenGFW: 2024-04-10T14:45:58Z	INFO	TCP stream action	{"id": 1778071930755092480, "src": "192.168.1.172:49390", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:46:04 2024 user.notice OpenGFW: 2024-04-10T14:46:00Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071943455449088, "src": "192.168.1.172:43958", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.483871,"ex2":false,"ex3":0.8240469,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.52.242","addr_type":1,"auth":{"user_id":"4\ufffd\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:04 2024 user.notice OpenGFW: 2024-04-10T14:46:00Z	INFO	TCP stream action	{"id": 1778071943455449088, "src": "192.168.1.172:43958", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:46:04 2024 user.notice OpenGFW: 2024-04-10T14:46:00Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071943476416512, "src": "192.168.1.172:49222", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4563954,"ex2":false,"ex3":0.81395346,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.249.18","addr_type":1,"auth":{"user_id":"\ufffd\u0012@\ufffd\ufffd\ufffd\u0010ֆ"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:07 2024 user.notice OpenGFW: 2024-04-10T14:46:01Z	INFO	TCP stream action	{"id": 1778071943476416512, "src": "192.168.1.172:49222", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:46:07 2024 user.notice OpenGFW: 2024-04-10T14:46:04Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071956222914560, "src": "192.168.1.172:43962", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4202898,"ex2":false,"ex3":0.78985506,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.234.114","addr_type":1,"auth":{"user_id":"\ufffdr0\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:07 2024 user.notice OpenGFW: 2024-04-10T14:46:04Z	INFO	TCP stream action	{"id": 1778071956222914560, "src": "192.168.1.172:43962", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:46:07 2024 user.notice OpenGFW: 2024-04-10T14:46:04Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071956243873792, "src": "192.168.1.172:49226", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.3978496,"ex2":false,"ex3":0.7706093,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.13.204","addr_type":1,"auth":{"user_id":"\r\ufffd0\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:10 2024 user.notice OpenGFW: 2024-04-10T14:46:04Z	INFO	TCP stream action	{"id": 1778071956243873792, "src": "192.168.1.172:49226", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:46:10 2024 user.notice OpenGFW: 2024-04-10T14:46:07Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071968998752256, "src": "192.168.1.172:43970", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4311595,"ex2":false,"ex3":0.7826087,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.249.30","addr_type":1,"auth":{"user_id":"\ufffd\u001eP\ufffd\u0013\ufffd@֕"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:10 2024 user.notice OpenGFW: 2024-04-10T14:46:07Z	INFO	TCP stream action	{"id": 1778071968998752256, "src": "192.168.1.172:43970", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:46:10 2024 user.notice OpenGFW: 2024-04-10T14:46:07Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071969040699392, "src": "192.168.1.172:49234", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.400722,"ex2":false,"ex3":0.77978337,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.147.33","addr_type":1,"auth":{"user_id":"\ufffd!p\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:13 2024 user.notice OpenGFW: 2024-04-10T14:46:07Z	INFO	TCP stream action	{"id": 1778071969040699392, "src": "192.168.1.172:49234", "dst": "36.102.226.52:13504", "action": "block"}
Wed Apr 10 22:46:13 2024 user.notice OpenGFW: 2024-04-10T14:46:10Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071981816545280, "src": "192.168.1.172:45658", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.4275362,"ex2":false,"ex3":0.7826087,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.25.181","addr_type":1,"auth":{"user_id":"\u0019\ufffdx\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:13 2024 user.notice OpenGFW: 2024-04-10T14:46:10Z	INFO	TCP stream action	{"id": 1778071981816545280, "src": "192.168.1.172:45658", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:46:13 2024 user.notice OpenGFW: 2024-04-10T14:46:10Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071981820747776, "src": "192.168.1.172:49424", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.397112,"ex2":false,"ex3":0.77978337,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.114.200","addr_type":1,"auth":{"user_id":"r\ufffdp\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:16 2024 user.notice OpenGFW: 2024-04-10T14:46:10Z	INFO	TCP stream action	{"id": 1778071981820747776, "src": "192.168.1.172:49424", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:46:16 2024 user.notice OpenGFW: 2024-04-10T14:46:13Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071994672091136, "src": "192.168.1.172:45662", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.405248,"ex2":false,"ex3":0.82215744,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.16.134","addr_type":1,"auth":{"user_id":"\u0010\ufffdH\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:16 2024 user.notice OpenGFW: 2024-04-10T14:46:13Z	INFO	TCP stream action	{"id": 1778071994672091136, "src": "192.168.1.172:45662", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:46:16 2024 user.notice OpenGFW: 2024-04-10T14:46:13Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778071994672099328, "src": "192.168.1.172:49428", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.401734,"ex2":false,"ex3":0.8179191,"ex4":160,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.164.96","addr_type":1,"auth":{"user_id":"\ufffd`л\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:19 2024 user.notice OpenGFW: 2024-04-10T14:46:13Z	INFO	TCP stream action	{"id": 1778071994672099328, "src": "192.168.1.172:49428", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:46:19 2024 user.notice OpenGFW: 2024-04-10T14:46:16Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778072007431172096, "src": "192.168.1.172:45670", "dst": "103.102.202.180:13500", "props": {"fet":{"ex1":3.402174,"ex2":false,"ex3":0.7862319,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.164.96","addr_type":1,"auth":{"user_id":"\ufffd`\ufffd\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:19 2024 user.notice OpenGFW: 2024-04-10T14:46:16Z	INFO	TCP stream action	{"id": 1778072007431172096, "src": "192.168.1.172:45670", "dst": "103.102.202.180:13500", "action": "block"}
Wed Apr 10 22:46:19 2024 user.notice OpenGFW: 2024-04-10T14:46:16Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778072007426977792, "src": "192.168.1.172:49432", "dst": "103.107.217.18:13504", "props": {"fet":{"ex1":3.4043322,"ex2":false,"ex3":0.7761733,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.164.79","addr_type":1,"auth":{"user_id":"\ufffdO"},"cmd":2,"port":5},"version":4}}}
Wed Apr 10 22:46:22 2024 user.notice OpenGFW: 2024-04-10T14:46:16Z	INFO	TCP stream action	{"id": 1778072007426977792, "src": "192.168.1.172:49432", "dst": "103.107.217.18:13504", "action": "block"}
Wed Apr 10 22:46:22 2024 user.notice OpenGFW: 2024-04-10T14:46:19Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778072020198629376, "src": "192.168.1.172:44008", "dst": "36.102.226.53:13500", "props": {"fet":{"ex1":3.4384058,"ex2":false,"ex3":0.78985506,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.7.52.243","addr_type":1,"auth":{"user_id":"4\ufffdP\ufffd\u0013\ufffd@\ufffd\ufffd"},"cmd":2,"port":1},"version":4}}}
Wed Apr 10 22:46:22 2024 user.notice OpenGFW: 2024-04-10T14:46:19Z	INFO	TCP stream action	{"id": 1778072020198629376, "src": "192.168.1.172:44008", "dst": "36.102.226.53:13500", "action": "block"}
Wed Apr 10 22:46:22 2024 user.notice OpenGFW: 2024-04-10T14:46:19Z	INFO	ruleset log	{"name": "protocol_socks", "id": 1778072020181843968, "src": "192.168.1.172:49268", "dst": "36.102.226.52:13504", "props": {"fet":{"ex1":3.4368231,"ex2":false,"ex3":0.77978337,"ex4":93,"ex5":false,"yes":false},"socks":{"req":{"addr":"0.1.52.253","addr_type":1,"auth":{"user_id":"4\ufffdp\ufffd\ufffd\ufffd\u0010\ufffd\ufffd"},"cmd":2,"port":5},"version":4}}}

附拦截规则：

- name: protocol_socks
  action: block
  log: true
  expr: socks != nil

haruue · 2024-04-10T15:22:12Z

haruue
Apr 10, 2024
Maintainer

现有实现下，以 '\x04' 或者 '\x05' 开头的 TCP 连接会导致 socks != nil 。

同样的复现脚本。

import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    message = b'\x05'
    sock.connect(("191.0.2.1", 80)) # 至少需要确保 TCP 连接可以建立
    sock.sendall(message)
finally:
    sock.close()

0 replies

tobyxdd · 2024-04-10T22:08:56Z

tobyxdd
Apr 10, 2024
Maintainer

@KujouRinka 能看下这个问题么（

0 replies

KujouRinka · 2024-04-11T02:33:12Z

KujouRinka
Apr 11, 2024

@trantuan-20048607 提到的这个问题，我之前写的时候没有验证 IP 的字段是否合法，这个之后我能够加上，有点疏忽了不好意思。

因为 Analyzer 是 “一步一步” 解析流的，所以只要检测到一个属于该协议的字段，就会把它填写到 PropMap 中。也就是说 socks 握手完成之前，只能怀疑这条流可能是 socks 连接，解析并利用到的字段越多，假阳性应该越低...

我想或许可以这样：

直到整个握手阶段结束后再更新 PropMap
或者在 PropMap 中提供一个字段指示这个流是否被解析完全

可能解析 socks 的行为过于 ”急切“ 了，正如 @haruue 所说的，目前收到以 0x04 或 0x05 开始的流就会更新 socks.version 字段，或许可以把更新行为延迟到 socks 握手的某个状态？

0 replies

tobyxdd · 2024-04-11T03:27:17Z

tobyxdd
Apr 11, 2024
Maintainer

可能主要是 SOCKS 这些结构太简单了，随机数据也可以套进去。。如果等完整握手再更新 PropMap 的话感觉也不好，这样单纯根据 req 的规则也会让让请求发出去收到回应以后才能匹配到

4 replies

trantuan-20048607 Apr 11, 2024
Author

我这里的随机数据还触发了 FET 和 Trojan 的假阳性。这两个感觉挺正常的，但是出现次数远少于 SOCKS，可能确实是数据包结构过于简单的原因。
关于等待完整握手，GFW 是如何处理的？

tobyxdd Apr 11, 2024
Maintainer

GFW 并不会阻挡 SOCKS 协议，也只是拦截特定网站。随机数据就算匹配上 SOCKS 也不可能正好 IP/域名这些也匹配上吧

trantuan-20048607 Apr 11, 2024
Author

类似这样？

- name: geosite_gfw_socks
  action: block
  log: true
  expr: socks?.req?.addr_type == 3 && geosite(string(socks.req.addr), "gfw")

- name: geoip_google_socks
  action: block
  log: true
  expr: socks?.req?.addr_type in [1, 4] && geoip(string(socks.req.addr), "google")

tobyxdd Apr 11, 2024
Maintainer

对差不多这个意思

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

一些诡异的 SOCKS 命中记录 #128

{{title}}

Replies: 4 comments 4 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

一些诡异的 SOCKS 命中记录 #128

trantuan-20048607 Apr 10, 2024

Replies: 4 comments · 4 replies

haruue Apr 10, 2024 Maintainer

tobyxdd Apr 10, 2024 Maintainer

KujouRinka Apr 11, 2024

tobyxdd Apr 11, 2024 Maintainer

trantuan-20048607 Apr 11, 2024 Author

tobyxdd Apr 11, 2024 Maintainer

trantuan-20048607 Apr 11, 2024 Author

tobyxdd Apr 11, 2024 Maintainer

trantuan-20048607
Apr 10, 2024

Replies: 4 comments 4 replies

haruue
Apr 10, 2024
Maintainer

tobyxdd
Apr 10, 2024
Maintainer

KujouRinka
Apr 11, 2024

tobyxdd
Apr 11, 2024
Maintainer

trantuan-20048607 Apr 11, 2024
Author

tobyxdd Apr 11, 2024
Maintainer

trantuan-20048607 Apr 11, 2024
Author

tobyxdd Apr 11, 2024
Maintainer