SOCKS

SOCKS (Socket Secure) is a protocol that can be leveraged to route network traffic through a proxy server, effectively masking the origin of the traffic and adding a layer of anonymity. While this can be beneficial for protecting user privacy, it also presents a challenge, as attackers might exploit SOCKS proxies to conceal their activities, evade detection, or bypass security controls. It is sometimes used for data exfiltration or command-and-control (C&C) activity.

SOCKS in nzyme

Nzyme parses SOCKS4, SOCKS4A and SOCKS5 traffic. The reported data includes:

  • Source Address
  • Destination Address (Tunnel Server)
  • Tunnel Destination (IP address or hostname)
  • SOCKS Type
  • Timestamps of tunnel establishment, most recent segment and termination

All tunnels are tracked over the duration of their lifetime and assigned a unique ID.
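To show where the SOCKS type and the tunnel destination listed above come from, here is an added example of a passive parser for the first client-to-server bytes of a SOCKS4, SOCKS4A or SOCKS5 connection. It is illustrative code written for this page, not nzyme's own parser, and the sample byte strings are constructed (documentation IP ranges and example hostnames) rather than captured traffic. It assumes the whole client request is available in one reassembled stream and, for SOCKS5, that at most an RFC 1929 username/password sub-negotiation precedes the request.

```python
"""Passive SOCKS4/SOCKS4A/SOCKS5 request parser (added example, not nzyme code)."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class SocksTunnel:
    socks_type: str    # "SOCKS4", "SOCKS4A" or "SOCKS5"
    command: str       # "CONNECT", "BIND" or "UDP_ASSOCIATE"
    destination: str   # tunnel destination: IP address or hostname the client asked for
    port: int


SOCKS4_COMMANDS = {1: "CONNECT", 2: "BIND"}
SOCKS5_COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def _parse_socks4(data: bytes) -> SocksTunnel:
    # VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL [HOSTNAME... NUL for SOCKS4A]
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    cmd, port = struct.unpack("!BH", data[1:4])
    ip_bytes = data[4:8]
    userid_end = data.index(b"\x00", 8)  # ValueError if the user ID is unterminated
    command = SOCKS4_COMMANDS.get(cmd, f"CMD_{cmd}")
    # SOCKS4A marker: DSTIP is 0.0.0.x with x != 0, and a hostname follows the user ID.
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
        host_end = data.index(b"\x00", userid_end + 1)
        host = data[userid_end + 1:host_end].decode("ascii")
        return SocksTunnel("SOCKS4A", command, host, port)
    return SocksTunnel("SOCKS4", command, str(ipaddress.IPv4Address(ip_bytes)), port)


def _parse_socks5(data: bytes) -> SocksTunnel:
    # Client stream starts with the greeting: VER(1) NMETHODS(1) METHODS(n)
    if len(data) < 2 or len(data) < 2 + data[1]:
        raise ValueError("truncated SOCKS5 greeting")
    pos = 2 + data[1]
    # Optional RFC 1929 sub-negotiation: VER=1 ULEN UNAME PLEN PASSWD (skip, never log it)
    if pos < len(data) and data[pos] == 1:
        if len(data) < pos + 2:
            raise ValueError("truncated SOCKS5 auth message")
        ulen = data[pos + 1]
        if len(data) < pos + 3 + ulen:
            raise ValueError("truncated SOCKS5 auth message")
        plen = data[pos + 2 + ulen]
        pos += 3 + ulen + plen
    # Request: VER=5 CMD RSV ATYP DST.ADDR DST.PORT
    if len(data) < pos + 4 or data[pos] != 5 or data[pos + 2] != 0:
        raise ValueError("SOCKS5 request not found after greeting")
    cmd, atyp = data[pos + 1], data[pos + 3]
    pos += 4
    if atyp == 1:                      # IPv4
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == 3:                    # length-prefixed domain name
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
    elif atyp == 4:                    # IPv6
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    else:
        raise ValueError(f"unknown SOCKS5 address type {atyp}")
    if len(data) < pos + 2:
        raise ValueError("truncated SOCKS5 request")
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return SocksTunnel("SOCKS5", SOCKS5_COMMANDS.get(cmd, f"CMD_{cmd}"), host, port)


def parse_client_stream(data: bytes) -> SocksTunnel:
    """Classify the SOCKS version from the first byte and extract the tunnel destination."""
    if not data:
        raise ValueError("empty stream")
    if data[0] == 4:
        return _parse_socks4(data)
    if data[0] == 5:
        return _parse_socks5(data)
    raise ValueError(f"not a SOCKS request (first byte {data[0]:#x})")


# Constructed sample client streams (not captured traffic).
SAMPLE_SOCKS4 = b"\x04\x01\x00\x50" + bytes([192, 0, 2, 10]) + b"bob\x00"
SAMPLE_SOCKS4A = b"\x04\x01\x01\xbb\x00\x00\x00\x01" + b"\x00" + b"proxy-target.example\x00"
SAMPLE_SOCKS5 = b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([len("files.example")]) + b"files.example" + b"\x1f\x90"
SAMPLE_SOCKS5_AUTH = (b"\x05\x02\x00\x02" + b"\x01\x05alice\x06secret"
                      + b"\x05\x01\x00\x01" + bytes([192, 0, 2, 44]) + b"\x00\x16")

if __name__ == "__main__":
    for sample in (SAMPLE_SOCKS4, SAMPLE_SOCKS4A, SAMPLE_SOCKS5, SAMPLE_SOCKS5_AUTH):
        print(parse_client_stream(sample))
```

The first byte alone separates SOCKS4 from SOCKS5; SOCKS4A is only distinguishable by the 0.0.0.x destination address followed by a hostname, which is why a monitor has to inspect the full request rather than the version byte. The username/password message is skipped without being stored, since a passive sensor has no reason to retain proxy credentials.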

You can find a list of all recorded SOCKS tunnels on the Tunnels page under Ethernet in the sidebar of your nzyme web interface.