Pluralize container names in LDAP types

This commit is contained in:
Benjamin Bannier 2023-10-10 12:53:29 +02:00
parent 0c126f3c6b
commit 3a60a60619
12 changed files with 71 additions and 71 deletions


@ -53,19 +53,19 @@ export {
version: int &log &optional;
# normalized operations (e.g., bind_request and bind_response to "bind")
opcode: set[string] &log &optional;
opcodes: set[string] &log &optional;
# Result code(s)
result: set[string] &log &optional;
results: set[string] &log &optional;
# result diagnostic message(s)
diagnostic_message: vector of string &log &optional;
diagnostic_messages: vector of string &log &optional;
# object(s)
object: vector of string &log &optional;
objects: vector of string &log &optional;
# argument(s)
argument: vector of string &log &optional;
arguments: vector of string &log &optional;
};
#############################################################################
@ -88,20 +88,20 @@ export {
message_id: int &log &optional;
# sets of search scope and deref alias
scope: set[string] &log &optional;
deref: set[string] &log &optional;
scopes: set[string] &log &optional;
derefs: set[string] &log &optional;
# base search objects
base_object: vector of string &log &optional;
base_objects: vector of string &log &optional;
# number of results returned
result_count: count &log &optional;
# Result code (s)
result: set[string] &log &optional;
results: set[string] &log &optional;
# result diagnostic message(s)
diagnostic_message: vector of string &log &optional;
diagnostic_messages: vector of string &log &optional;
# a string representation of the search filter used in the query
filter: string &log &optional;
@ -217,15 +217,15 @@ event LDAP::message(c: connection,
set_session(c, message_id, opcode);
if ( result != LDAP::ResultCode_Undef ) {
if ( ! c$ldap_searches[message_id]?$result )
c$ldap_searches[message_id]$result = set();
add c$ldap_searches[message_id]$result[RESULT_CODES[result]];
if ( ! c$ldap_searches[message_id]?$results )
c$ldap_searches[message_id]$results = set();
add c$ldap_searches[message_id]$results[RESULT_CODES[result]];
}
if ( diagnostic_message != "" ) {
if ( ! c$ldap_searches[message_id]?$diagnostic_message )
c$ldap_searches[message_id]$diagnostic_message = vector();
c$ldap_searches[message_id]$diagnostic_message += diagnostic_message;
if ( ! c$ldap_searches[message_id]?$diagnostic_messages )
c$ldap_searches[message_id]$diagnostic_messages = vector();
c$ldap_searches[message_id]$diagnostic_messages += diagnostic_message;
}
if (( ! c$ldap_searches[message_id]?$proto ) && c?$ldap_proto)
@ -237,43 +237,43 @@ event LDAP::message(c: connection,
} else if (opcode !in OPCODES_SEARCH) {
set_session(c, message_id, opcode);
if ( ! c$ldap_messages[message_id]?$opcode )
c$ldap_messages[message_id]$opcode = set();
add c$ldap_messages[message_id]$opcode[PROTOCOL_OPCODES[opcode]];
if ( ! c$ldap_messages[message_id]?$opcodes )
c$ldap_messages[message_id]$opcodes = set();
add c$ldap_messages[message_id]$opcodes[PROTOCOL_OPCODES[opcode]];
if ( result != LDAP::ResultCode_Undef ) {
if ( ! c$ldap_messages[message_id]?$result )
c$ldap_messages[message_id]$result = set();
add c$ldap_messages[message_id]$result[RESULT_CODES[result]];
if ( ! c$ldap_messages[message_id]?$results )
c$ldap_messages[message_id]$results = set();
add c$ldap_messages[message_id]$results[RESULT_CODES[result]];
}
if ( diagnostic_message != "" ) {
if ( ! c$ldap_messages[message_id]?$diagnostic_message )
c$ldap_messages[message_id]$diagnostic_message = vector();
c$ldap_messages[message_id]$diagnostic_message += diagnostic_message;
if ( ! c$ldap_messages[message_id]?$diagnostic_messages )
c$ldap_messages[message_id]$diagnostic_messages = vector();
c$ldap_messages[message_id]$diagnostic_messages += diagnostic_message;
}
if ( object != "" ) {
if ( ! c$ldap_messages[message_id]?$object )
c$ldap_messages[message_id]$object = vector();
c$ldap_messages[message_id]$object += object;
if ( ! c$ldap_messages[message_id]?$objects )
c$ldap_messages[message_id]$objects = vector();
c$ldap_messages[message_id]$objects += object;
}
if ( argument != "" ) {
if ( ! c$ldap_messages[message_id]?$argument )
c$ldap_messages[message_id]$argument = vector();
if ("bind simple" in c$ldap_messages[message_id]$opcode && !default_capture_password)
c$ldap_messages[message_id]$argument += "REDACTED";
if ( ! c$ldap_messages[message_id]?$arguments )
c$ldap_messages[message_id]$arguments = vector();
if ("bind simple" in c$ldap_messages[message_id]$opcodes && !default_capture_password)
c$ldap_messages[message_id]$arguments += "REDACTED";
else
c$ldap_messages[message_id]$argument += argument;
c$ldap_messages[message_id]$arguments += argument;
}
if (opcode in OPCODES_FINISHED) {
if ((BIND_SIMPLE in c$ldap_messages[message_id]$opcode) ||
(BIND_SASL in c$ldap_messages[message_id]$opcode)) {
if ((BIND_SIMPLE in c$ldap_messages[message_id]$opcodes) ||
(BIND_SASL in c$ldap_messages[message_id]$opcodes)) {
# don't have both "bind" and "bind <method>" in the operations list
delete c$ldap_messages[message_id]$opcode[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
delete c$ldap_messages[message_id]$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
}
if (( ! c$ldap_messages[message_id]?$proto ) && c?$ldap_proto)
@ -301,21 +301,21 @@ event LDAP::searchreq(c: connection,
set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_REQUEST);
if ( scope != LDAP::SearchScope_Undef ) {
if ( ! c$ldap_searches[message_id]?$scope )
c$ldap_searches[message_id]$scope = set();
add c$ldap_searches[message_id]$scope[SEARCH_SCOPES[scope]];
if ( ! c$ldap_searches[message_id]?$scopes )
c$ldap_searches[message_id]$scopes = set();
add c$ldap_searches[message_id]$scopes[SEARCH_SCOPES[scope]];
}
if ( deref != LDAP::SearchDerefAlias_Undef ) {
if ( ! c$ldap_searches[message_id]?$deref )
c$ldap_searches[message_id]$deref = set();
add c$ldap_searches[message_id]$deref[SEARCH_DEREF_ALIASES[deref]];
if ( ! c$ldap_searches[message_id]?$derefs )
c$ldap_searches[message_id]$derefs = set();
add c$ldap_searches[message_id]$derefs[SEARCH_DEREF_ALIASES[deref]];
}
if ( base_object != "" ) {
if ( ! c$ldap_searches[message_id]?$base_object )
c$ldap_searches[message_id]$base_object = vector();
c$ldap_searches[message_id]$base_object += base_object;
if ( ! c$ldap_searches[message_id]?$base_objects )
c$ldap_searches[message_id]$base_objects = vector();
c$ldap_searches[message_id]$base_objects += base_object;
}
c$ldap_searches[message_id]$filter = filter;
@ -347,13 +347,13 @@ event LDAP::bindreq(c: connection,
if ( ! c$ldap_messages[message_id]?$version )
c$ldap_messages[message_id]$version = version;
if ( ! c$ldap_messages[message_id]?$opcode )
c$ldap_messages[message_id]$opcode = set();
if ( ! c$ldap_messages[message_id]?$opcodes )
c$ldap_messages[message_id]$opcodes = set();
if (authType == LDAP::BindAuthType_BIND_AUTH_SIMPLE) {
add c$ldap_messages[message_id]$opcode[BIND_SIMPLE];
add c$ldap_messages[message_id]$opcodes[BIND_SIMPLE];
} else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
add c$ldap_messages[message_id]$opcode[BIND_SASL];
add c$ldap_messages[message_id]$opcodes[BIND_SASL];
}
}
@ -367,9 +367,9 @@ event connection_state_remove(c: connection) {
for ( [mid], m in c$ldap_messages ) {
if (mid > 0) {
if ((BIND_SIMPLE in m$opcode) || (BIND_SASL in m$opcode)) {
if ((BIND_SIMPLE in m$opcodes) || (BIND_SASL in m$opcodes)) {
# don't have both "bind" and "bind <method>" in the operations list
delete m$opcode[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
delete m$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
}
if (( ! m?$proto ) && c?$ldap_proto)
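Review bot: The simple-bind password redaction at `if ("bind simple" in c$ldap_messages[message_id]$opcodes && !default_capture_password)` still keys on a string literal, while the neighbouring checks in the same handler use the `BIND_SIMPLE`/`BIND_SASL` constants (`BIND_SIMPLE in c$ldap_messages[message_id]$opcodes`); if the constant's value ever drifts from that literal, the `REDACTED` branch is silently skipped and the bind password is written to ldap.log. Since the rename already rewrites this line, align it with the rest: `if (BIND_SIMPLE in c$ldap_messages[message_id]$opcodes && !default_capture_password)`. The redaction also presumes the bind type has already been recorded in `opcodes` when the argument is appended; if `LDAP::message` can run ahead of `LDAP::bindreq` for the same message_id, the password would be logged in clear, so the baselines that show `REDACTED` in the `arguments` column for simple binds are worth keeping as a regression check — I cannot confirm the event ordering from this hunk. Separately, renaming the ldap.log/ldap_search.log columns is a breaking change for downstream parsers and detection rules, which deserves a NEWS entry. The `LDAP::message` handler this hunk patches begins before the hunk.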


@ -362,15 +362,15 @@ connection {
}
* ldap_messages: table[int] of record LDAP::MessageInfo, log=F, optional=T
LDAP::MessageInfo {
* argument: vector of string, log=T, optional=T
* diagnostic_message: vector of string, log=T, optional=T
* arguments: vector of string, log=T, optional=T
* diagnostic_messages: vector of string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* message_id: int, log=T, optional=T
* object: vector of string, log=T, optional=T
* opcode: set[string], log=T, optional=T
* objects: vector of string, log=T, optional=T
* opcodes: set[string], log=T, optional=T
* proto: string, log=T, optional=T
* result: set[string], log=T, optional=T
* results: set[string], log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* version: int, log=T, optional=T
@ -379,17 +379,17 @@ connection {
* ldap_searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
LDAP::SearchInfo {
* attributes: vector of string, log=T, optional=T
* base_object: vector of string, log=T, optional=T
* deref: set[string], log=T, optional=T
* diagnostic_message: vector of string, log=T, optional=T
* base_objects: vector of string, log=T, optional=T
* derefs: set[string], log=T, optional=T
* diagnostic_messages: vector of string, log=T, optional=T
* filter: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* message_id: int, log=T, optional=T
* proto: string, log=T, optional=T
* result: set[string], log=T, optional=T
* result_count: count, log=T, optional=T
* scope: set[string], log=T, optional=T
* results: set[string], log=T, optional=T
* scopes: set[string], log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}


@ -5,7 +5,7 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED


@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) sAMAccountName
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED


@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED


@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 tcp 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcode result diagnostic_message object argument
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port string int int set[string] set[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 215 3 bind SASL success - - GSS-SPNEGO
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scope deref base_object result_count result diagnostic_message filter attributes
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port string int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 tcp 213 base never - 1 success - (objectclass=*) -
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields uid filter base_object
#fields uid filter base_objects
#types string string vector[string]
CHhAvVGS1DHFjwGM9 (departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709) DC=matrix\x2cDC=local
#close XXXX-XX-XX-XX-XX-XX


@ -4,7 +4,7 @@
#
# @TEST-REQUIRES: have-spicy
# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/issue-32.pcapng %INPUT
# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_object > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_objects > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
# @TEST-EXEC: btest-diff ldap_search.log
#
# @TEST-DOC: Test LDAP analyzer with small trace.