ldap: Implement extended request/response and StartTLS support

PCAP was produced with a local OpenLDAP server configured to support StartTLS. This puts the Zeek calls into a separate ldap_zeek.spicy file/module to separate it from LDAP.
2025-10-02 06:38:20 +00:00 · 2024-07-17 17:00:53 +02:00 · 2024-07-17 17:00:53 +02:00 · 09a48c7028
commit 09a48c7028
parent f4a79fa703
19 changed files with 269 additions and 22 deletions
--- a/scripts/base/protocols/ldap/consts.zeek
+++ b/scripts/base/protocols/ldap/consts.zeek
@ -120,4 +120,11 @@ export {
 	    "searching", [ LDAP::SearchDerefAlias_DEREF_FINDING_BASE ] =
 	    "finding", [ LDAP::SearchDerefAlias_DEREF_ALWAYS ] = "always",  }
 	    &default="unknown";
+
+	const EXTENDED_REQUESTS = {
+	   # StartTLS, https://datatracker.ietf.org/doc/html/rfc4511#section-4.14.1
+	   [ "1.3.6.1.4.1.1466.20037" ] = "StartTLS",
+	   # whoami, https://datatracker.ietf.org/doc/html/rfc4532#section-2
+	   [ "1.3.6.1.4.1.4203.1.11.3" ] = "whoami",
+	} &default="unknown" &redef;
 }
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@ -258,6 +258,9 @@ event LDAP::message(c: connection,
      }

      m$object = object;
+
+      if ( opcode == LDAP::ProtocolOpcode_EXTENDED_REQUEST )
+        m$object += fmt(" (%s)", EXTENDED_REQUESTS[object]);
    }

    if ( argument != "" ) {
--- a/scripts/base/protocols/ldap/spicy-events.zeek
+++ b/scripts/base/protocols/ldap/spicy-events.zeek
@ -98,3 +98,44 @@ global LDAP::search_result_entry: event (
  message_id: int,
  object_name: string
 );
+
+## Event generated for each ExtendedRequest in LDAP messages.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## request_name: The name of the extended request.
+##
+## request_value: The value of the extended request (empty if missing).
+global LDAP::extended_request: event (
+  c: connection,
+  message_id: int,
+  request_name: string,
+  request_value: string
+);
+
+## Event generated for each ExtendedResponse in LDAP messages.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## result: The result code of the response.
+##
+## response_name: The name of the extended response (empty if missing).
+##
+## response_value: The value of the extended response (empty if missing).
+global LDAP::extended_response: event (
+  c: connection,
+  message_id: int,
+  result: LDAP::ResultCode,
+  response_name: string,
+  response_value: string
+);
+
+## Event generated when a plaintext LDAP connection switched to TLS.
+##
+## c: The connection.
+##
+global LDAP::starttls: event(c: connection);