Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Remove redundant storing of protocol in LDAP logs

Browse source
This commit is contained in:
Benjamin Bannier 2023-10-10 13:21:06 +02:00
parent 82b3a4048f
commit 301d8722bf
10 changed files with 27 additions and 70 deletions
Download patch file Download diff file Expand all files Collapse all files

40
scripts/base/protocols/ldap/main.zeek
View file

@ -46,9 +46,6 @@ export {
# The connection's 4-tuple of endpoint addresses/ports. # The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
# transport protocol
proto: string &log &optional;
# Message ID # Message ID
message_id: int &log &optional; message_id: int &log &optional;
@ -84,9 +81,6 @@ export {
# The connection's 4-tuple of endpoint addresses/ports. # The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
# transport protocol
proto: string &log &optional;
# Message ID # Message ID
message_id: int &log &optional; message_id: int &log &optional;
@ -148,7 +142,6 @@ global OPCODES_SEARCH: set[LDAP::ProtocolOpcode] = { LDAP::ProtocolOpcode_SEARCH
############################################################################# #############################################################################
redef record connection += { redef record connection += {
ldap_proto: string &optional;
ldap_messages: table[int] of MessageInfo &optional; ldap_messages: table[int] of MessageInfo &optional;
ldap_searches: table[int] of SearchInfo &optional; ldap_searches: table[int] of SearchInfo &optional;
}; };
@ -185,28 +178,8 @@ function set_session(c: connection, message_id: int, opcode: LDAP::ProtocolOpcod
$id=c$id, $id=c$id,
$message_id=message_id]; $message_id=message_id];
} }
} }
#############################################################################
@if (Version::at_least("5.2.0"))
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) {
if ( atype == Analyzer::ANALYZER_LDAP_TCP ) {
info$c$ldap_proto = "tcp";
}
}
@else @if (Version::at_least("4.2.0"))
event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) {
@else
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) {
@endif
if ( atype == Analyzer::ANALYZER_LDAP_TCP ) {
c$ldap_proto = "tcp";
}
}
@endif
############################################################################# #############################################################################
event LDAP::message(c: connection, event LDAP::message(c: connection,
message_id: int, message_id: int,
@ -234,9 +207,6 @@ event LDAP::message(c: connection,
searches$diagnostic_messages += diagnostic_message; searches$diagnostic_messages += diagnostic_message;
} }
if (( ! searches?$proto ) && c?$ldap_proto)
searches$proto = c$ldap_proto;
Log::write(LDAP::LDAP_SEARCH_LOG, searches); Log::write(LDAP::LDAP_SEARCH_LOG, searches);
delete c$ldap_searches[message_id]; delete c$ldap_searches[message_id];
@ -284,9 +254,6 @@ event LDAP::message(c: connection,
delete messages$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]]; delete messages$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
} }
if (( ! messages?$proto ) && c?$ldap_proto)
messages$proto = c$ldap_proto;
Log::write(LDAP::LDAP_LOG, messages); Log::write(LDAP::LDAP_LOG, messages);
delete c$ldap_messages[message_id]; delete c$ldap_messages[message_id];
} }
@ -379,9 +346,6 @@ hook finalize_ldap(c: connection) {
delete m$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]]; delete m$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
} }
if (( ! m?$proto ) && c?$ldap_proto)
m$proto = c$ldap_proto;
Log::write(LDAP::LDAP_LOG, m); Log::write(LDAP::LDAP_LOG, m);
} }
} }
@ -391,10 +355,6 @@ hook finalize_ldap(c: connection) {
if ( c?$ldap_searches && (|c$ldap_searches| > 0) ) { if ( c?$ldap_searches && (|c$ldap_searches| > 0) ) {
for ( [mid], s in c$ldap_searches ) { for ( [mid], s in c$ldap_searches ) {
if (mid > 0) { if (mid > 0) {
if (( ! s?$proto ) && c?$ldap_proto)
s$proto = c$ldap_proto;
Log::write(LDAP::LDAP_SEARCH_LOG, s); Log::write(LDAP::LDAP_SEARCH_LOG, s);
} }
} }

3
testing/btest/Baseline/coverage.record-fields/out.default
View file

@ -369,13 +369,11 @@ connection {
* message_id: int, log=T, optional=T * message_id: int, log=T, optional=T
* objects: vector of string, log=T, optional=T * objects: vector of string, log=T, optional=T
* opcodes: set[string], log=T, optional=T * opcodes: set[string], log=T, optional=T
* proto: string, log=T, optional=T
* results: set[string], log=T, optional=T * results: set[string], log=T, optional=T
* ts: time, log=T, optional=F * ts: time, log=T, optional=F
* uid: string, log=T, optional=F * uid: string, log=T, optional=F
* version: int, log=T, optional=T * version: int, log=T, optional=T
} }
* ldap_proto: string, log=F, optional=T
* ldap_searches: table[int] of record LDAP::SearchInfo, log=F, optional=T * ldap_searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
LDAP::SearchInfo { LDAP::SearchInfo {
* attributes: vector of string, log=T, optional=T * attributes: vector of string, log=T, optional=T
@ -386,7 +384,6 @@ connection {
* id: record conn_id, log=T, optional=F * id: record conn_id, log=T, optional=F
conn_id { ... } conn_id { ... }
* message_id: int, log=T, optional=T * message_id: int, log=T, optional=T
* proto: string, log=T, optional=T
* result_count: count, log=T, optional=T * result_count: count, log=T, optional=T
* results: set[string], log=T, optional=T * results: set[string], log=T, optional=T
* scopes: set[string], log=T, optional=T * scopes: set[string], log=T, optional=T

8
testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
View file

@ -5,8 +5,8 @@
#unset_field - #unset_field -
#path ldap #path ldap
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string] #types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path ldap_search #path ldap_search
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string] #types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) sAMAccountName XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) sAMAccountName
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

8
testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
View file

@ -5,8 +5,8 @@
#unset_field - #unset_field -
#path ldap #path ldap
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string] #types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path ldap_search #path ldap_search
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string] #types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

8
testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
View file

@ -5,8 +5,8 @@
#unset_field - #unset_field -
#path ldap #path ldap
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string] #types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path ldap_search #path ldap_search
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string] #types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path ldap #path ldap
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string] #types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 215 3 bind SASL success - - GSS-SPNEGO XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 215 3 bind SASL success - - GSS-SPNEGO
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path ldap_search #path ldap_search
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string] #types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 213 base never - 1 success - (objectclass=*) - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 213 base never - 1 success - (objectclass=*) -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX