From 26c4d0df8b58f060638b3e33250aaf5e3172419c Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Fri, 6 Sep 2024 14:52:34 +0200
Subject: [PATCH] btest/ldap: Add regression test for #3919
This works as expected in master, it's just that we forgot to backport PR #3845 to 7.0.1. Add the PCAP from Martin anyhow. Closes #3919.
---
.../ldap.log | 35 ++++++++++++++++++
testing/btest/Traces/README | 4 +-
.../Traces/ldap/ldap_invalid_credentials.pcap | Bin 0 -> 15618 bytes
.../protocols/ldap/invalid_credentials.zeek | 5 +++
4 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.invalid_credentials/ldap.log
create mode 100644 testing/btest/Traces/ldap/ldap_invalid_credentials.pcap
create mode 100644 testing/btest/scripts/base/protocols/ldap/invalid_credentials.zeek
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.invalid_credentials/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.invalid_credentials/ldap.log
new file mode 100644
index 0000000000..4ca02e8489
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.invalid_credentials/ldap.log
@@ -0,0 +1,35 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 65 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 66 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 83 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 84 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 101 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 102 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 119 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 120 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? 
- GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 137 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 138 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 155 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 156 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 173 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 174 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 191 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 192 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 209 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 210 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? 
- GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 227 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 228 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 245 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 246 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 263 3 bind SASL SASL bind in progress - - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 264 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 349 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 818e32bd8b..0b2ccd1db1 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README 
@@ -21,9 +21,11 @@ Trace Index/Sources: - ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap: Harvested from CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 389 and port 50041. https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258). +- ldap/ldap_invalid_credentials.pcap + Provided by Martin van Hensbergen in issue #3919. - dns/tkey.pcap: Harvested from CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53. https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258). - dns/dynamic-update.pcap: : Harvested from CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53. - https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258). \ No newline at end of file + https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258). 
diff --git a/testing/btest/Traces/ldap/ldap_invalid_credentials.pcap b/testing/btest/Traces/ldap/ldap_invalid_credentials.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b273b140bd30aa6744355817214ef8a06fed2b0c GIT binary patch literal 15618 zcmdU#3tUWj8^`}M-Nx)R>E^O|nQ=)is!@l+?k70q0mV}fP z_dNN|aJBc*ikubuC_i3N=h#kCk1o0p;GJs5h*Ni10@O@oK zJW-Nlq9$=9jkuASB#}hIPi7J`(x3H?IQUHhyyA7Qx8V3JDBkghw1d|T9p6@SQ^B+#4 zz>hfaC63IdT|_Sv;r$~a4-_N_;xU$t1IPWzMDRQqK3D(nU$tk;f+M|Ve!aM1ck$3p zr+KtbkgXcm3WGw&xXs_V58rLNv9*MZ!f*;8&pfpMqi`}x>G@PxWjvbji zFCXi7SAiMX1TVs=Tfbzr^}jIt{us)x-_uPZ>9q#PKD)Can);1}?4#>9LdcUr{f2pa zc=&jDdW;w%364_E@>i>eNJc6~jU3=H0)9>n^64*$OpK3LB_t1#43CUd%}Q3NBIl^% zlG8^dCM2uUk|ip&I#JzU5~WO5N~nRV{*n|gYLF+118qG)4V3JR3M)pN zgbD+Z5LJCp%i|(p6{@uG#w3&pHDh~zUl`Q;;iE{fQ;o!kH zIx{3h2W|i0kyt1joUf2@O2A}&alP(K$<8V<7X^DYB<#=Uh0-MK)k?xHIwTb6k`TyA zlQ36fB@)m94u*s?;T%c$M2Cd?hvx?*)yLW%jTz~1xnH68tAAU1zcB-gRyEIbh!CfI zTbk=cuD-}-7|8fl=~{52^uovtlxlhmWK^0a1Kku6<JMXFW?h8l%|nV>oMw1A6&YxUL24K>tC8PZ0Zfhq$r5LNNc z3b+{9L^Cj1$H_8qvJ{;RN^fPLs?7}CuHJTM(p5n$Rs)Xq#X$S&O??>#qJwXj3Ann! z9KCTZrDSENz`>5%-C(rQy1~t*+buJePrh~P+=lIueMf)$x}NXNNhp|cJ9J}LbE|2! zC11{ey5Ei=A>&%P&*n!(Vrc}%-SkMvs5DIyUhM8QD{6PLZ_4C}`&X{e=X^xco1@Xm!$(?4nA&C%`lp9)>A5HAH>?I6?TdsD*Y9JIu;`GGsG$?Y z`ARn!6|h@hTyKu1WaSh%Xd@_YagaZV&r738IH0u~?5WcY+Ua(KE8r{fx_ArP2m`yo z?r<>OU<#aLH^>KV+SkS7=3YORvT9wJ^V11k*A+XQ*Ciod`;LHX;Zd+A@#ZuI zLd3f@6YV;c*QE?v%FvK;u23$o%XU`6Dv&ACkWp!xG)%kOv|;7G;A0yH?zI1`x@s)a zFy^R`gN9-ox`yl6HC#@Kq_-AB2HJi;ua$;rMx)_PM{BYK;*V3eYDjv(NqtpwYcW(! 
zK4=zOp4Vs&g3Qh`AP%Q?wI-f$>4Z~vnSs|w+=sT(U&qRPu<{aGxm>7`)r7Lz%tJM0 zmGxPS1p4!q(Y|=dUs}fE;off6PTk1z!vjv~jqD{#R*?r5ItYq1Jah*Om(f7% z(+b45b$}?;1tKmwBM{eXtV9rYf`b7f{N<;C*sODT{CW1>`1MZeS*i>6WP9KlKP8DF zDp)2=h6U8w^pasRiGAY>PmR!?u>x=UD&z$wUT(jAedrJ(%LgO@mUtCy@1JJZ!$!LHtlJdyN{2vX0+ z^R%XV<1qD%Lc#?g`rfD(3ciMfH}%!a9T6p~w845|k#L=XNQkoD4{D*{Ye+bZ_R@{* zWu*;x8BTjSSc`<~+Dt-gBEI*x%=sC{4@dhV;a5SoUy=|l91YtCbAW<4Um;;kK&{@$ zhEuZhn2z>>QVj`xARTjQ61umNu(u8g9dt>!3ceFbSb#plKmtnOU`Ut-=hzyWgE;Nh zP^5@Ee$ln=T88hwq@OZodEs^mZk4EDlf(@c_7h-vAD_>L12>p-TgU&kapLe#x$WxQ zkENn9?n&=7tLqsiGUh2e#bytydIx2iAQKstrpd(R&mVMqzUTLMf&*54oO!*UJ0{_o zDJ?vF4HMs`>-Ye>j?ark(z;y4i~D{pCgvKAi8=GlxVpn<`YNX`7b<5Sh_+)fafbn! zSeI$W)g3BmFFWgaIS;(7M=u+kwV1f0%}fk16VI)8eI9@XfunsfarQoe3$t#B>G*ho z8A$}>;CzLN%7Ev3BU?|&E~J5lwt|BiCVB!B3uz`AV;ecC62*x zh)wH4PFrC5P2Xz0}ex53L)l=WSn77dHrOvAmauf&CxSxrR} z;%Hwq^elB^(J*DH1&IR^;(UdMAIKf`MmCj_U91HQI|_c*&~N~xV+l<|V{9e6S5KLZIF02eYH7Q zVl)nR4is>4aDcvQxxbB)T~eTE76;1>$icUQ1Y8``M>bZOUtS-Ieg0Z=iHYw!GouUES0%`nO{_ePYrX8Zx%U+x~m|iR=&dVBk%U zhKx$nq+x_}r#-61eE#~Z9eK4Q|Iq_!SoXevi-wsr4O7?^Ts2N4{mTo|&!N}%T3um< z(P-GyN61A(xxSkD%L{6z7)7&ac+-G1>^4-$MML_ApIV(Y*s5aiauLe%hZ|4n4jXq+ zZnm9<*_OK(k1v;FLEva#G<1y$V$pE(Fd>-@9U;zFxMbXG&IJRa+S>g)4|j8!YULG7IdiEKSh^@|KFB!5Li4C%e6#k*wp{yh4l_~e0a z7!op;MYza)CBs~zFzBX7LPn)&l5qX+m%|f=gg)64T-CEEEZQDPc-&RQMZzC3^=<{S zNm%V7k~RfG>e)EKeflp+*l08o&XI|^NSLm#UYY`-Ue+LTv`NUbG9U>HJ;huk{FNr5 z&gyIR8t^g)y^Kz5B_YqM%_KaYdoj#v=4rUhZW-;1gz@#WStKm+5_9Y+%jfEiYz`&6 z`W0B%QF~9BC!k4aj6G#1i-p&M%nsXMJx@gyJbduN(0j_Ceg3fP9s8BCsnx0X937Ku z874C3tsQIblXIfL78Ahqn8>I!O(qWU4(f4f$hW>H9LrWJ0+-!HCf-qqxtRDH%|scS ziC4c8NuO3h5;}CwYGoo%U=$`U1kroGv?6|x062B8s)(0d@1FA0DoS?E3@gWSrAD+R KpU(^TBmV_9cnq)r literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ldap/invalid_credentials.zeek b/testing/btest/scripts/base/protocols/ldap/invalid_credentials.zeek new file mode 100644 index 0000000000..041d03464d --- /dev/null +++ b/testing/btest/scripts/base/protocols/ldap/invalid_credentials.zeek 
@@ -0,0 +1,5 @@
+# @TEST-DOC: Regression test case for #3919 for invalid credentials.
+#
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap_invalid_credentials.pcap %INPUT
+# @TEST-EXEC: btest-diff ldap.log
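Review bot: The test pins only `ldap.log`, so a run in which the LDAP analyzer logs these binds but also raises a parse violation somewhere in the trace would still pass. The trace is a repeated failed GSS-SPNEGO bind sequence, which is the kind of traffic failed-logon detections depend on, so it is worth asserting that the analyzer stayed clean as well, for example by adding `# @TEST-EXEC: ! test -f analyzer.log` after the `btest-diff ldap.log` line. The `@TEST-DOC` line could also say in a few words what #3919 was (per the commit message, the change from PR #3845 was missing in 7.0.1), so the intent is readable without the issue tracker.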