diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index 7992e05f6f..e5ecaf547a 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -53,19 +53,19 @@ export {
 version: int &log &optional;
 # normalized operations (e.g., bind_request and bind_response to "bind")
- opcode: set[string] &log &optional;
+ opcodes: set[string] &log &optional;
 # Result code(s)
- result: set[string] &log &optional;
+ results: set[string] &log &optional;
 # result diagnostic message(s)
- diagnostic_message: vector of string &log &optional;
+ diagnostic_messages: vector of string &log &optional;
 # object(s)
- object: vector of string &log &optional;
+ objects: vector of string &log &optional;
 # argument(s)
- argument: vector of string &log &optional;
+ arguments: vector of string &log &optional;
 };
 #############################################################################
@@ -88,20 +88,20 @@ export {
 message_id: int &log &optional;
 # sets of search scope and deref alias
- scope: set[string] &log &optional;
- deref: set[string] &log &optional;
+ scopes: set[string] &log &optional;
+ derefs: set[string] &log &optional;
 # base search objects
- base_object: vector of string &log &optional;
+ base_objects: vector of string &log &optional;
 # number of results returned
 result_count: count &log &optional;
 # Result code (s)
- result: set[string] &log &optional;
+ results: set[string] &log &optional;
 # result diagnostic message(s)
- diagnostic_message: vector of string &log &optional;
+ diagnostic_messages: vector of string &log &optional;
 # a string representation of the search filter used in the query
 filter: string &log &optional;
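Review bot: Nothing in this diff documents that the ldap.log column names change, yet every downstream log parser, SIEM field mapping or detection rule keyed on `opcode`, `result`, `diagnostic_message`, `object` or `argument` stops matching once they become `opcodes`, `results`, `diagnostic_messages`, `objects` and `arguments`; the LDAP::SearchInfo fields in the `@@ -88` hunk (`scope`, `deref`, `base_object`, `result`, `diagnostic_message`) have the same issue for ldap_search.log, as the updated baselines show. If the project keeps a NEWS or CHANGES file (not visible in this diff), the old-to-new field mapping belongs there so operators can update their pipelines at upgrade time; failing that, the field comments could record it, e.g. `# normalized operations (e.g., bind_request and bind_response to "bind"); renamed from "opcode"`. The `export {` block holding both records starts before the hunk.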
@@ -217,15 +217,15 @@ event LDAP::message(c: connection,
 set_session(c, message_id, opcode);
 if ( result != LDAP::ResultCode_Undef ) {
- if ( ! c$ldap_searches[message_id]?$result )
- c$ldap_searches[message_id]$result = set();
- add c$ldap_searches[message_id]$result[RESULT_CODES[result]];
+ if ( ! c$ldap_searches[message_id]?$results )
+ c$ldap_searches[message_id]$results = set();
+ add c$ldap_searches[message_id]$results[RESULT_CODES[result]];
 }
 if ( diagnostic_message != "" ) {
- if ( ! c$ldap_searches[message_id]?$diagnostic_message )
- c$ldap_searches[message_id]$diagnostic_message = vector();
- c$ldap_searches[message_id]$diagnostic_message += diagnostic_message;
+ if ( ! c$ldap_searches[message_id]?$diagnostic_messages )
+ c$ldap_searches[message_id]$diagnostic_messages = vector();
+ c$ldap_searches[message_id]$diagnostic_messages += diagnostic_message;
 }
 if (( ! c$ldap_searches[message_id]?$proto ) && c?$ldap_proto)
@@ -237,43 +237,43 @@ event LDAP::message(c: connection,
 } else if (opcode !in OPCODES_SEARCH) {
 set_session(c, message_id, opcode);
- if ( ! c$ldap_messages[message_id]?$opcode )
- c$ldap_messages[message_id]$opcode = set();
- add c$ldap_messages[message_id]$opcode[PROTOCOL_OPCODES[opcode]];
+ if ( ! c$ldap_messages[message_id]?$opcodes )
+ c$ldap_messages[message_id]$opcodes = set();
+ add c$ldap_messages[message_id]$opcodes[PROTOCOL_OPCODES[opcode]];
 if ( result != LDAP::ResultCode_Undef ) {
- if ( ! c$ldap_messages[message_id]?$result )
- c$ldap_messages[message_id]$result = set();
- add c$ldap_messages[message_id]$result[RESULT_CODES[result]];
+ if ( ! c$ldap_messages[message_id]?$results )
+ c$ldap_messages[message_id]$results = set();
+ add c$ldap_messages[message_id]$results[RESULT_CODES[result]];
 }
 if ( diagnostic_message != "" ) {
- if ( ! c$ldap_messages[message_id]?$diagnostic_message )
- c$ldap_messages[message_id]$diagnostic_message = vector();
- c$ldap_messages[message_id]$diagnostic_message += diagnostic_message;
+ if ( ! c$ldap_messages[message_id]?$diagnostic_messages )
+ c$ldap_messages[message_id]$diagnostic_messages = vector();
+ c$ldap_messages[message_id]$diagnostic_messages += diagnostic_message;
 }
 if ( object != "" ) {
- if ( ! c$ldap_messages[message_id]?$object )
- c$ldap_messages[message_id]$object = vector();
- c$ldap_messages[message_id]$object += object;
+ if ( ! c$ldap_messages[message_id]?$objects )
+ c$ldap_messages[message_id]$objects = vector();
+ c$ldap_messages[message_id]$objects += object;
 }
 if ( argument != "" ) {
- if ( ! c$ldap_messages[message_id]?$argument )
- c$ldap_messages[message_id]$argument = vector();
- if ("bind simple" in c$ldap_messages[message_id]$opcode && !default_capture_password)
- c$ldap_messages[message_id]$argument += "REDACTED";
+ if ( ! c$ldap_messages[message_id]?$arguments )
+ c$ldap_messages[message_id]$arguments = vector();
+ if ("bind simple" in c$ldap_messages[message_id]$opcodes && !default_capture_password)
+ c$ldap_messages[message_id]$arguments += "REDACTED";
 else
- c$ldap_messages[message_id]$argument += argument;
+ c$ldap_messages[message_id]$arguments += argument;
 }
 if (opcode in OPCODES_FINISHED) {
- if ((BIND_SIMPLE in c$ldap_messages[message_id]$opcode) ||
- (BIND_SASL in c$ldap_messages[message_id]$opcode)) {
+ if ((BIND_SIMPLE in c$ldap_messages[message_id]$opcodes) ||
+ (BIND_SASL in c$ldap_messages[message_id]$opcodes)) {
 # don't have both "bind" and "bind " in the operations list
- delete c$ldap_messages[message_id]$opcode[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
+ delete c$ldap_messages[message_id]$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
 }
 if (( ! c$ldap_messages[message_id]?$proto ) && c?$ldap_proto)
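Review bot: The credential-redaction guard `if ("bind simple" in c$ldap_messages[message_id]$opcodes && !default_capture_password)` compares against a string literal while the bind check a few lines below uses the `BIND_SIMPLE` constant; the baselines show the two agree today, but if the constant's value ever diverges from the literal the simple-bind password would land in `arguments` instead of `REDACTED`, so use the constant: `if (BIND_SIMPLE in c$ldap_messages[message_id]$opcodes && !default_capture_password)`. The guard also only fires if `BIND_SIMPLE` has already been added to `opcodes` for this message_id, which happens in LDAP::bindreq (`@@ -347` hunk); if LDAP::message can run before bindreq for the same message the check fails open and the credential is logged, so the event ordering is worth confirming, or the branch could redact whenever the opcode is a bind request regardless of auth type. The comment `# don't have both "bind" and "bind " in the operations list` (repeated in the connection_state_remove hunk at `@@ -367`) is unclear; `# keep only the specific bind label (BIND_SIMPLE/BIND_SASL), drop the generic "bind" entry` says what the delete does. The LDAP::message handler starts and ends outside the hunk.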
@@ -301,21 +301,21 @@ event LDAP::searchreq(c: connection,
 set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_REQUEST);
 if ( scope != LDAP::SearchScope_Undef ) {
- if ( ! c$ldap_searches[message_id]?$scope )
- c$ldap_searches[message_id]$scope = set();
- add c$ldap_searches[message_id]$scope[SEARCH_SCOPES[scope]];
+ if ( ! c$ldap_searches[message_id]?$scopes )
+ c$ldap_searches[message_id]$scopes = set();
+ add c$ldap_searches[message_id]$scopes[SEARCH_SCOPES[scope]];
 }
 if ( deref != LDAP::SearchDerefAlias_Undef ) {
- if ( ! c$ldap_searches[message_id]?$deref )
- c$ldap_searches[message_id]$deref = set();
- add c$ldap_searches[message_id]$deref[SEARCH_DEREF_ALIASES[deref]];
+ if ( ! c$ldap_searches[message_id]?$derefs )
+ c$ldap_searches[message_id]$derefs = set();
+ add c$ldap_searches[message_id]$derefs[SEARCH_DEREF_ALIASES[deref]];
 }
 if ( base_object != "" ) {
- if ( ! c$ldap_searches[message_id]?$base_object )
- c$ldap_searches[message_id]$base_object = vector();
- c$ldap_searches[message_id]$base_object += base_object;
+ if ( ! c$ldap_searches[message_id]?$base_objects )
+ c$ldap_searches[message_id]$base_objects = vector();
+ c$ldap_searches[message_id]$base_objects += base_object;
 }
 c$ldap_searches[message_id]$filter = filter;
@@ -347,13 +347,13 @@ event LDAP::bindreq(c: connection,
 if ( ! c$ldap_messages[message_id]?$version )
 c$ldap_messages[message_id]$version = version;
- if ( ! c$ldap_messages[message_id]?$opcode )
- c$ldap_messages[message_id]$opcode = set();
+ if ( ! c$ldap_messages[message_id]?$opcodes )
+ c$ldap_messages[message_id]$opcodes = set();
 if (authType == LDAP::BindAuthType_BIND_AUTH_SIMPLE) {
- add c$ldap_messages[message_id]$opcode[BIND_SIMPLE];
+ add c$ldap_messages[message_id]$opcodes[BIND_SIMPLE];
 } else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
- add c$ldap_messages[message_id]$opcode[BIND_SASL];
+ add c$ldap_messages[message_id]$opcodes[BIND_SASL];
 }
 }
@@ -367,9 +367,9 @@ event connection_state_remove(c: connection) {
 for ( [mid], m in c$ldap_messages ) {
 if (mid > 0) {
- if ((BIND_SIMPLE in m$opcode) || (BIND_SASL in m$opcode)) {
+ if ((BIND_SIMPLE in m$opcodes) || (BIND_SASL in m$opcodes)) {
 # don't have both "bind" and "bind " in the operations list
- delete m$opcode[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
+ delete m$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
 }
 if (( ! m?$proto ) && c?$ldap_proto)
diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default
index 57eb1712bc..6c054e555f 100644
--- a/testing/btest/Baseline/coverage.record-fields/out.default
+++ b/testing/btest/Baseline/coverage.record-fields/out.default
@@ -362,15 +362,15 @@ connection {
 }
 * ldap_messages: table[int] of record LDAP::MessageInfo, log=F, optional=T
 LDAP::MessageInfo {
- * argument: vector of string, log=T, optional=T
- * diagnostic_message: vector of string, log=T, optional=T
+ * arguments: vector of string, log=T, optional=T
+ * diagnostic_messages: vector of string, log=T, optional=T
 * id: record conn_id, log=T, optional=F
 conn_id { ... }
 * message_id: int, log=T, optional=T
- * object: vector of string, log=T, optional=T
- * opcode: set[string], log=T, optional=T
+ * objects: vector of string, log=T, optional=T
+ * opcodes: set[string], log=T, optional=T
 * proto: string, log=T, optional=T
- * result: set[string], log=T, optional=T
+ * results: set[string], log=T, optional=T
 * ts: time, log=T, optional=F
 * uid: string, log=T, optional=F
 * version: int, log=T, optional=T
@@ -379,17 +379,17 @@ connection {
 * ldap_searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
 LDAP::SearchInfo {
 * attributes: vector of string, log=T, optional=T
- * base_object: vector of string, log=T, optional=T
- * deref: set[string], log=T, optional=T
- * diagnostic_message: vector of string, log=T, optional=T
+ * base_objects: vector of string, log=T, optional=T
+ * derefs: set[string], log=T, optional=T
+ * diagnostic_messages: vector of string, log=T, optional=T
 * filter: string, log=T, optional=T
 * id: record conn_id, log=T, optional=F
 conn_id { ... }
 * message_id: int, log=T, optional=T
 * proto: string, log=T, optional=T
- * result: set[string], log=T, optional=T
 * result_count: count, log=T, optional=T
- * scope: set[string], log=T, optional=T
+ * results: set[string], log=T, optional=T
+ * scopes: set[string], log=T, optional=T
 * ts: time, log=T, optional=F
 * uid: string, log=T, optional=F
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
index 8f50988763..035015d428 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
index ad4567a0a2..7ddae0eedc 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) sAMAccountName
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
index 8f50988763..035015d428 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
index 1497e67a58..0950708786 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
index 5c2ec47c69..b0986d5cb3 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
index 5113c76d90..ce8ef1ccab 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
index a1f0e5f0b8..3f3e88269b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
 #types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 215 3 bind SASL success - - GSS-SPNEGO
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
index 0436cc9f1c..f1d2a151c9 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
 #types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 213 base never - 1 success - (objectclass=*) -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/ldap_search.log
index c63d2dea35..e208fdd3c8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/ldap_search.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields uid filter base_object
+#fields uid filter base_objects
 #types string string vector[string]
 CHhAvVGS1DHFjwGM9 (departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709) DC=matrix\x2cDC=local
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek b/testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek
index 924e1ab09a..f5c1e82378 100644
--- a/testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek
@@ -4,7 +4,7 @@
 #
 # @TEST-REQUIRES: have-spicy
 # @TEST-EXEC: zeek -C -r ${TRACES}/ldap/issue-32.pcapng %INPUT
-# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_object > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
+# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_objects > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
 # @TEST-EXEC: btest-diff ldap_search.log
 #
 # @TEST-DOC: Test LDAP analyzer with small trace.