Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/awelzel/3504-ldap-logs-scalars'

Browse source 
* origin/topic/awelzel/3504-ldap-logs-scalars:
  Update external baselines
  ldap: Use scalar values in logs where appropriate
  ldap: Rename LDAP::search_result to LDAP::search_result_entry
This commit is contained in:
Arne Welzel 2024-01-03 12:29:23 +01:00
commit 4ebd81fb23
18 changed files with 220 additions and 128 deletions
Download patch file Download diff file Expand all files Collapse all files

22
CHANGES
View file

@ -1,3 +1,25 @@
6.2.0-dev.311 | 2024-01-03 12:29:23 +0100
* Update external baselines (Arne Welzel, Corelight)
* ldap: Use scalar values in logs where appropriate (Arne Welzel, Corelight)
Skimming through the RFC, the previous approach of having containers for most
fields seems unfounded for normal protocol operation. The new weirds could just
as well be considered protocol violations. Outside of duplicated or missed data
they just shouldn't happen for well-behaved client/server behavior.
Additionally, with non-conformant traffic it would be trivial to cause
unbounded state growth and immense log record sizes.
Unfortunately, things have become a bit clunky now.
Closes #3504
* ldap: Rename LDAP::search_result to LDAP::search_result_entry (Arne Welzel, Corelight)
To avoid confusion potential confusion between SearchResultEntry
and SearchResultDone.
6.2.0-dev.307 | 2024-01-03 12:25:03 +0100
* segment_profiling: Remove SegmentProfiler and load_sample event (Arne Welzel, Corelight)

25
NEWS
View file

@ -26,6 +26,31 @@ Breaking Changes
- The "segment_profiling" functionality and ``load_sample`` event have been removed
without deprecation. This functionality was unmaintained and not known to be used.
- Certain ``ldap.log`` and ``ldap_search.log`` fields have been renamed from
plural to singular and their types changed to scalars. This maps better onto
the expected request-response protocol used between client and server. Additionally,
it removes the burden of working with non-scalar columns from downstream systems.
Specifically, for ``ldap.log``:
* ``arguments: vector of string`` is now ``argument: string``
* ``diagnostic_messages: vector of string`` is now ``diagnostic_message: string``
* ``objects: vector of string`` is now ``object: string``
* ``opcodes: set[string]`` is now ``opcode: string``
* ``results: set[string]`` is now ``result: string``
For ``ldap_search.log``, the following fields were changed:
* ``base_objects: vector of string`` is now ``base_object: string``
* ``derefs: set[string]`` is now ``deref_aliases: string``
* ``diagnostic_messages: vector of string`` is now ``diagnostic_message: string``
* ``results: set[string]`` is now ``result: string``
* ``scopes: set[string]`` is now ``scope: string``
In the unlikely scenario that a request-response pair with the same message
identifier is observed, containing different values for certain fields, new
weirds are raised and will appear in ``weird.log``, including the old and new
values as well as the LDAP message identifier. The value within the LDAP logs
will be the most recently observed one.
New Functionality
-----------------

2
VERSION
View file

@ -1 +1 @@
6.2.0-dev.307
6.2.0-dev.311

217
scripts/base/protocols/ldap/main.zeek
View file

@ -1,5 +1,6 @@
# Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
@load base/frameworks/reporter
@load base/protocols/conn/removal-hooks
@load ./consts
@ -49,20 +50,20 @@ export {
# LDAP version
version: int &log &optional;
# normalized operations (e.g., bind_request and bind_response to "bind")
opcodes: set[string] &log &optional;
# Normalized operation (e.g., bind_request and bind_response to "bind")
opcode: string &log &optional;
# Result code(s)
results: set[string] &log &optional;
# Result code
result: string &log &optional;
# result diagnostic message(s)
diagnostic_messages: vector of string &log &optional;
# Result diagnostic message
diagnostic_message: string &log &optional;
# object(s)
objects: vector of string &log &optional;
# Object
object: string &log &optional;
# argument(s)
arguments: vector of string &log &optional;
# Argument
argument: string &log &optional;
};
#############################################################################
@ -82,25 +83,25 @@ export {
message_id: int &log &optional;
# sets of search scope and deref alias
scopes: set[string] &log &optional;
derefs: set[string] &log &optional;
scope: string &log &optional;
deref_aliases: string &log &optional;
# base search objects
base_objects: vector of string &log &optional;
# Base search objects
base_object: string &log &optional;
# number of results returned
# Number of results returned
result_count: count &log &optional;
# Result code (s)
results: set[string] &log &optional;
# Result code of search operation
result: string &log &optional;
# result diagnostic message(s)
diagnostic_messages: vector of string &log &optional;
# Result diagnostic message
diagnostic_message: string &log &optional;
# a string representation of the search filter used in the query
# A string representation of the search filter used in the query
filter: string &log &optional;
# a list of attributes that were returned in the search
# A list of attributes that were returned in the search
attributes: vector of string &log &optional;
};
@ -189,72 +190,93 @@ event LDAP::message(c: connection,
if (opcode == LDAP::ProtocolOpcode_SEARCH_RESULT_DONE) {
set_session(c, message_id, opcode);
local searches = c$ldap$searches[message_id];
local sm = c$ldap$searches[message_id];
if ( result != LDAP::ResultCode_Undef ) {
if ( ! searches?$results )
searches$results = set();
add searches$results[RESULT_CODES[result]];
local sresult_str = RESULT_CODES[result];
if ( sm?$result && sm$result != sresult_str ) {
Reporter::conn_weird("LDAP_search_result_change", c,
fmt("%s: %s -> %s", message_id, sm$result, sresult_str), "LDAP");
}
sm$result = sresult_str;
}
if ( diagnostic_message != "" ) {
if ( ! searches?$diagnostic_messages )
searches$diagnostic_messages = vector();
searches$diagnostic_messages += diagnostic_message;
if ( ! sm?$diagnostic_message && sm$diagnostic_message != diagnostic_message ) {
Reporter::conn_weird("LDAP_search_diagnostic_message_change", c,
fmt("%s: %s -> %s", message_id, sm$diagnostic_message, diagnostic_message), "LDAP");
}
sm$diagnostic_message = diagnostic_message;
}
Log::write(LDAP::LDAP_SEARCH_LOG, searches);
Log::write(LDAP::LDAP_SEARCH_LOG, sm);
delete c$ldap$searches[message_id];
} else if (opcode !in OPCODES_SEARCH) {
} else if (opcode !in OPCODES_SEARCH) { # search is handled via LDAP::search_request()
set_session(c, message_id, opcode);
local messages = c$ldap$messages[message_id];
local m = c$ldap$messages[message_id];
if ( ! messages?$opcodes )
messages$opcodes = set();
add messages$opcodes[PROTOCOL_OPCODES[opcode]];
local opcode_str = PROTOCOL_OPCODES[opcode];
# bind request is explicitly handled via LDAP::bind_request() and
# can assume we have a more specific m$opcode set.
if ( opcode_str != "bind" ) {
if ( m?$opcode && opcode_str != m$opcode ) {
Reporter::conn_weird("LDAP_message_opcode_change", c,
fmt("%s: %s -> %s", message_id, m$opcode, opcode_str), "LDAP");
}
m$opcode = opcode_str;
}
if ( result != LDAP::ResultCode_Undef ) {
if ( ! messages?$results )
messages$results = set();
add messages$results[RESULT_CODES[result]];
local result_str = RESULT_CODES[result];
if ( m?$result && m$result != result_str ) {
Reporter::conn_weird("LDAP_message_result_change", c,
fmt("%s: %s -> %s", message_id, m$result, result_str), "LDAP");
}
m$result = result_str;
}
if ( diagnostic_message != "" ) {
if ( ! messages?$diagnostic_messages )
messages$diagnostic_messages = vector();
messages$diagnostic_messages += diagnostic_message;
if ( m?$diagnostic_message && diagnostic_message != m$diagnostic_message ) {
Reporter::conn_weird("LDAP_message_diagnostic_message_change", c,
fmt("%s: %s -> %s", message_id, m$diagnostic_message, diagnostic_message), "LDAP");
}
m$diagnostic_message = diagnostic_message;
}
if ( object != "" ) {
if ( ! messages?$objects )
messages$objects = vector();
messages$objects += object;
if ( m?$object && m$object != object ) {
Reporter::conn_weird("LDAP_message_object_change", c,
fmt("%s: %s -> %s", message_id, m$object, object), "LDAP");
}
m$object = object;
}
if ( argument != "" ) {
if ( ! messages?$arguments )
messages$arguments = vector();
if ("bind simple" in messages$opcodes && !default_capture_password)
messages$arguments += "REDACTED";
else
messages$arguments += argument;
if ( m$opcode == BIND_SIMPLE && ! default_capture_password )
argument = "REDACTED";
if ( m?$argument && m$argument != argument ) {
Reporter::conn_weird("LDAP_message_argument_change", c,
fmt("%s: %s -> %s", message_id, m$argument, argument), "LDAP");
}
m$argument = argument;
}
if (opcode in OPCODES_FINISHED) {
if ((BIND_SIMPLE in messages$opcodes) ||
(BIND_SASL in messages$opcodes)) {
# don't have both "bind" and "bind <method>" in the operations list
delete messages$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
}
Log::write(LDAP::LDAP_LOG, messages);
Log::write(LDAP::LDAP_LOG, m);
delete c$ldap$messages[message_id];
}
}
}
#############################################################################
@ -271,34 +293,57 @@ event LDAP::search_request(c: connection,
set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_REQUEST);
local sm = c$ldap$searches[message_id];
if ( scope != LDAP::SearchScope_Undef ) {
if ( ! c$ldap$searches[message_id]?$scopes )
c$ldap$searches[message_id]$scopes = set();
add c$ldap$searches[message_id]$scopes[SEARCH_SCOPES[scope]];
local scope_str = SEARCH_SCOPES[scope];
if ( sm?$scope && sm$scope != scope_str ) {
Reporter::conn_weird("LDAP_search_scope_change", c,
fmt("%s: %s -> %s", message_id, sm$scope, scope_str), "LDAP");
}
sm$scope = scope_str;
}
if ( deref != LDAP::SearchDerefAlias_Undef ) {
if ( ! c$ldap$searches[message_id]?$derefs )
c$ldap$searches[message_id]$derefs = set();
add c$ldap$searches[message_id]$derefs[SEARCH_DEREF_ALIASES[deref]];
local deref_aliases_str = SEARCH_DEREF_ALIASES[deref];
if ( sm?$deref_aliases && sm$deref_aliases != deref_aliases_str ) {
Reporter::conn_weird("LDAP_search_deref_aliases_change", c,
fmt("%s: %s -> %s", message_id, sm$deref_aliases, deref_aliases_str), "LDAP");
}
sm$deref_aliases = deref_aliases_str;
}
if ( base_object != "" ) {
if ( ! c$ldap$searches[message_id]?$base_objects )
c$ldap$searches[message_id]$base_objects = vector();
c$ldap$searches[message_id]$base_objects += base_object;
if ( sm?$base_object && sm$base_object != base_object ) {
Reporter::conn_weird("LDAP_search_base_object_change", c,
fmt("%s: %s -> %s", message_id, sm$base_object, base_object), "LDAP");
}
sm$base_object = base_object;
}
c$ldap$searches[message_id]$filter = filter;
if ( sm?$filter && sm$filter != filter )
Reporter::conn_weird("LDAP_search_filter_change", c,
fmt("%s: %s -> %s", message_id, sm$filter, filter), "LDAP");
sm$filter = filter;
if ( default_log_search_attributes ) {
c$ldap$searches[message_id]$attributes = attributes;
if ( sm?$attributes && cat(sm$attributes) != cat(attributes) ) {
Reporter::conn_weird("LDAP_search_attributes_change", c,
fmt("%s: %s -> %s", message_id, sm$attributes, attributes), "LDAP");
}
sm$attributes = attributes;
}
}
#############################################################################
event LDAP::search_result(c: connection,
message_id: int,
object_name: string) {
event LDAP::search_result_entry(c: connection,
message_id: int,
object_name: string) {
set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY);
@ -314,16 +359,23 @@ event LDAP::bind_request(c: connection,
authInfo: string) {
set_session(c, message_id, LDAP::ProtocolOpcode_BIND_REQUEST);
if ( ! c$ldap$messages[message_id]?$version )
c$ldap$messages[message_id]$version = version;
local m = c$ldap$messages[message_id];
if ( ! c$ldap$messages[message_id]?$opcodes )
c$ldap$messages[message_id]$opcodes = set();
if ( ! m?$version )
m$version = version;
# Getting herre, we don't expect the LDAP opcode to be set at all
# and it'll be overwritten below.
if ( m?$opcode )
Reporter::conn_weird("LDAP_bind_opcode_already_set", c, m$opcode, "LDAP");
if (authType == LDAP::BindAuthType_BIND_AUTH_SIMPLE) {
add c$ldap$messages[message_id]$opcodes[BIND_SIMPLE];
m$opcode = BIND_SIMPLE;
} else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
add c$ldap$messages[message_id]$opcodes[BIND_SASL];
m$opcode = BIND_SASL;
} else {
Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
m$opcode = cat(authType);
}
}
@ -333,15 +385,8 @@ hook finalize_ldap(c: connection) {
if ( c$ldap?$messages && (|c$ldap$messages| > 0) ) {
for ( [mid], m in c$ldap$messages ) {
if (mid > 0) {
if ((BIND_SIMPLE in m$opcodes) || (BIND_SASL in m$opcodes)) {
# don't have both "bind" and "bind <method>" in the operations list
delete m$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
}
if (mid > 0)
Log::write(LDAP::LDAP_LOG, m);
}
}
delete c$ldap$messages;
}

2
scripts/base/protocols/ldap/spicy-events.zeek
View file

@ -93,7 +93,7 @@ global LDAP::search_request: event (
## message_id: The messageID element.
##
## object_name: The object name in the SearchResultEntry.
global LDAP::search_result: event (
global LDAP::search_result_entry: event (
c: connection,
message_id: int,
object_name: string

6
src/analyzer/protocol/ldap/ldap.evt
View file

@ -38,6 +38,6 @@ on LDAP::SearchRequest -> event LDAP::search_request($conn,
self.filter,
self.attributes);
on LDAP::SearchResultEntry -> event LDAP::search_result($conn,
message.messageID,
self.objectName);
on LDAP::SearchResultEntry -> event LDAP::search_result_entry($conn,
message.messageID,
self.objectName);

20
testing/btest/Baseline/coverage.record-fields/out.default
View file

@ -365,14 +365,14 @@ connection {
LDAP::State {
* messages: table[int] of record LDAP::MessageInfo, log=F, optional=T
LDAP::MessageInfo {
* arguments: vector of string, log=T, optional=T
* diagnostic_messages: vector of string, log=T, optional=T
* argument: string, log=T, optional=T
* diagnostic_message: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* message_id: int, log=T, optional=T
* objects: vector of string, log=T, optional=T
* opcodes: set[string], log=T, optional=T
* results: set[string], log=T, optional=T
* object: string, log=T, optional=T
* opcode: string, log=T, optional=T
* result: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* version: int, log=T, optional=T
@ -380,16 +380,16 @@ connection {
* searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
LDAP::SearchInfo {
* attributes: vector of string, log=T, optional=T
* base_objects: vector of string, log=T, optional=T
* derefs: set[string], log=T, optional=T
* diagnostic_messages: vector of string, log=T, optional=T
* base_object: string, log=T, optional=T
* deref_aliases: string, log=T, optional=T
* diagnostic_message: string, log=T, optional=T
* filter: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* message_id: int, log=T, optional=T
* result: string, log=T, optional=T
* result_count: count, log=T, optional=T
* results: set[string], log=T, optional=T
* scopes: set[string], log=T, optional=T
* scope: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}

6
testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
View file

@ -5,8 +5,8 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
#types time string addr port addr port int int string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 3 3 bind simple success - CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net REDACTED
#close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) sAMAccountName
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
#types time string addr port addr port int string string string count string string string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 2 tree always DC=xx,DC=xxx,DC=xxxxx,DC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) sAMAccountName
#close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
View file

@ -5,8 +5,8 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
#types time string addr port addr port int int string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 3 3 bind simple success - CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net REDACTED
#close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
#types time string addr port addr port int string string string count string string string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 3268 2 tree always DC=xx,DC=xxx,DC=xxxxx,DC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
View file

@ -5,8 +5,8 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
#types time string addr port addr port int int string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 1 3 bind simple success - xxxxxxxxxxx@xx.xxx.xxxxx.net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 3 3 bind simple success - CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net REDACTED
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 3 3 bind simple success - CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net REDACTED
#close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 2 tree always DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
#types time string addr port addr port int string string string count string string string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 25936 10.0.0.2 32681 2 tree always DC=xx,DC=xxx,DC=xxxxx,DC=net 1 success - (&(objectclass=*)(sAMAccountName=xxxxxxxx)) -
#close XXXX-XX-XX-XX-XX-XX

4
testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
View file

@ -5,7 +5,7 @@
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcodes results diagnostic_messages objects arguments
#types time string addr port addr port int int set[string] set[string] vector[string] vector[string] vector[string]
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
#types time string addr port addr port int int string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 215 3 bind SASL success - - GSS-SPNEGO
#close XXXX-XX-XX-XX-XX-XX

4
testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scopes derefs base_objects result_count results diagnostic_messages filter attributes
#types time string addr port addr port int set[string] set[string] vector[string] count set[string] vector[string] string vector[string]
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
#types time string addr port addr port int string string string count string string string vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.31.1.104 3116 172.31.1.101 389 213 base never - 1 success - (objectclass=*) -
#close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/ldap_search.log
View file

@ -5,7 +5,7 @@
#unset_field -
#path ldap_search
#open XXXX-XX-XX-XX-XX-XX
#fields uid filter base_objects
#types string string vector[string]
CHhAvVGS1DHFjwGM9 (departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709) DC=matrix\x2cDC=local
#fields uid filter base_object
#types string string string
CHhAvVGS1DHFjwGM9 (departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709) DC=matrix,DC=local
#close XXXX-XX-XX-XX-XX-XX

2
testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek
View file

@ -4,7 +4,7 @@
#
# @TEST-REQUIRES: have-spicy
# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/issue-32.pcapng %INPUT
# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_objects > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_object > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
# @TEST-EXEC: btest-diff ldap_search.log
#
# @TEST-DOC: Test LDAP analyzer with small trace.

2
testing/external/commit-hash.zeek-testing-private vendored
View file

@ -1 +1 @@
d123eb5eadc605328030c43a6a8174c69ca59fd1
0fdc6e2b2f2930c0edf3c83c36f6aa789b0bff30