Merge remote-tracking branch 'origin/topic/awelzel/3504-ldap-logs-scalars'

* origin/topic/awelzel/3504-ldap-logs-scalars: Update external baselines ldap: Use scalar values in logs where appropriate ldap: Rename LDAP::search_result to LDAP::search_result_entry
2025-10-02 14:48:21 +00:00 · 2024-01-03 12:29:23 +01:00 · 2024-01-03 12:29:23 +01:00 · 4ebd81fb23
commit 4ebd81fb23
parent d01b0bafdb 48a92a58f3
18 changed files with 220 additions and 128 deletions
--- a/22
+++ b/22
@ -1,3 +1,25 @@
 6.2.0-dev.311 | 2024-01-03 12:29:23 +0100
  * Update external baselines (Arne Welzel, Corelight)
  * ldap: Use scalar values in logs where appropriate (Arne Welzel, Corelight)
    Skimming through the RFC, the previous approach of having containers for most
    fields seems unfounded for normal protocol operation. The new weirds could just
    as well be considered protocol violations. Outside of duplicated or missed data
    they just shouldn't happen for well-behaved client/server behavior.
    Additionally, with non-conformant traffic it would be trivial to cause
    unbounded state growth and immense log record sizes.
    Unfortunately, things have become a bit clunky now.
    Closes #3504
  * ldap: Rename LDAP::search_result to LDAP::search_result_entry (Arne Welzel, Corelight)
    To avoid confusion potential confusion between SearchResultEntry
    and SearchResultDone.
 6.2.0-dev.307 | 2024-01-03 12:25:03 +0100
  * segment_profiling: Remove SegmentProfiler and load_sample event (Arne Welzel, Corelight)
--- a/25
+++ b/25
@ -26,6 +26,31 @@ Breaking Changes
 - The "segment_profiling" functionality and ``load_sample`` event have been removed
  without deprecation. This functionality was unmaintained and not known to be used.
 - Certain ``ldap.log`` and ``ldap_search.log`` fields have been renamed from
  plural to singular and their types changed to scalars. This maps better onto
  the expected request-response protocol used between client and server. Additionally,
  it removes the burden of working with non-scalar columns from downstream systems.
  Specifically, for ``ldap.log``:
    * ``arguments: vector of string`` is now ``argument: string``
    * ``diagnostic_messages: vector of string`` is now ``diagnostic_message: string``
    * ``objects: vector of string`` is now ``object: string``
    * ``opcodes: set[string]`` is now ``opcode: string``
    * ``results: set[string]`` is now ``result: string``
  For ``ldap_search.log``, the following fields were changed:
    * ``base_objects: vector of string`` is now ``base_object: string``
    * ``derefs: set[string]`` is now ``deref_aliases: string``
    * ``diagnostic_messages: vector of string`` is now ``diagnostic_message: string``
    * ``results: set[string]`` is now ``result: string``
    * ``scopes: set[string]`` is now ``scope: string``
  In the unlikely scenario that a request-response pair with the same message
  identifier is observed, containing different values for certain fields, new
  weirds are raised and will appear in ``weird.log``, including the old and new
  values as well as the LDAP message identifier. The value within the LDAP logs
  will be the most recently observed one.
 New Functionality
 -----------------
--- a/2
+++ b/2
@ -1 +1 @@
-6.2.0-dev.307
+6.2.0-dev.311
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@ -1,5 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
@load base/frameworks/reporter
@load base/protocols/conn/removal-hooks
@load ./consts
@ -49,20 +50,20 @@ export {
    # LDAP version
    version: int &log &optional;
-    # normalized operations (e.g., bind_request and bind_response to "bind")
+    # Normalized operation (e.g., bind_request and bind_response to "bind")
-    opcodes: set[string] &log &optional;
+    opcode: string &log &optional;
-    # Result code(s)
+    # Result code
-    results: set[string] &log &optional;
+    result: string &log &optional;
-    # result diagnostic message(s)
+    # Result diagnostic message
-    diagnostic_messages: vector of string &log &optional;
+    diagnostic_message: string &log &optional;
-    # object(s)
+    # Object
-    objects: vector of string &log &optional;
+    object: string &log &optional;
-    # argument(s)
+    # Argument
-    arguments: vector of string &log &optional;
+    argument: string &log &optional;
  };
  #############################################################################
@ -82,25 +83,25 @@ export {
    message_id: int &log &optional;
    # sets of search scope and deref alias
-    scopes: set[string] &log &optional;
+    scope: string &log &optional;
-    derefs: set[string] &log &optional;
+    deref_aliases: string &log &optional;
-    # base search objects
+    # Base search objects
-    base_objects: vector of string &log &optional;
+    base_object: string &log &optional;
-    # number of results returned
+    # Number of results returned
    result_count: count &log &optional;
-    # Result code (s)
+    # Result code of search operation
-    results: set[string] &log &optional;
+    result: string &log &optional;
-    # result diagnostic message(s)
+    # Result diagnostic message
-    diagnostic_messages: vector of string &log &optional;
+    diagnostic_message: string &log &optional;
-    #  a string representation of the search filter used in the query
+    # A string representation of the search filter used in the query
    filter: string &log &optional;
-    # a list of attributes that were returned in the search
+    # A list of attributes that were returned in the search
    attributes: vector of string &log &optional;
  };
@ -189,72 +190,93 @@ event LDAP::message(c: connection,
  if (opcode == LDAP::ProtocolOpcode_SEARCH_RESULT_DONE) {
    set_session(c, message_id, opcode);
-    local searches = c$ldap$searches[message_id];
+    local sm = c$ldap$searches[message_id];
    if ( result != LDAP::ResultCode_Undef ) {
-      if ( ! searches?$results )
+      local sresult_str = RESULT_CODES[result];
-        searches$results = set();
+      if ( sm?$result && sm$result != sresult_str ) {
-      add searches$results[RESULT_CODES[result]];
+        Reporter::conn_weird("LDAP_search_result_change", c,
                             fmt("%s: %s -> %s", message_id, sm$result, sresult_str), "LDAP");
      }
      sm$result = sresult_str;
    }
    if ( diagnostic_message != "" ) {
-      if ( ! searches?$diagnostic_messages )
+      if ( ! sm?$diagnostic_message && sm$diagnostic_message != diagnostic_message ) {
-        searches$diagnostic_messages = vector();
+        Reporter::conn_weird("LDAP_search_diagnostic_message_change", c,
-      searches$diagnostic_messages += diagnostic_message;
+                             fmt("%s: %s -> %s", message_id, sm$diagnostic_message, diagnostic_message), "LDAP");
      }
      sm$diagnostic_message = diagnostic_message;
    }
-    Log::write(LDAP::LDAP_SEARCH_LOG, searches);
+    Log::write(LDAP::LDAP_SEARCH_LOG, sm);
    delete c$ldap$searches[message_id];
-  } else if (opcode !in OPCODES_SEARCH) {
+  } else if (opcode !in OPCODES_SEARCH) {  # search is handled via LDAP::search_request()
    set_session(c, message_id, opcode);
-    local messages = c$ldap$messages[message_id];
+    local m = c$ldap$messages[message_id];
-    if ( ! messages?$opcodes )
+    local opcode_str = PROTOCOL_OPCODES[opcode];
-      messages$opcodes = set();
+
-    add messages$opcodes[PROTOCOL_OPCODES[opcode]];
+    # bind request is explicitly handled via LDAP::bind_request() and
    # can assume we have a more specific m$opcode set.
    if ( opcode_str != "bind" ) {
      if ( m?$opcode && opcode_str != m$opcode ) {
        Reporter::conn_weird("LDAP_message_opcode_change", c,
                             fmt("%s: %s -> %s", message_id, m$opcode, opcode_str), "LDAP");
      }
      m$opcode = opcode_str;
    }
    if ( result != LDAP::ResultCode_Undef ) {
-      if ( ! messages?$results )
+      local result_str = RESULT_CODES[result];
-        messages$results = set();
+      if ( m?$result && m$result != result_str ) {
-      add messages$results[RESULT_CODES[result]];
+        Reporter::conn_weird("LDAP_message_result_change", c,
                             fmt("%s: %s -> %s", message_id, m$result, result_str), "LDAP");
      }
      m$result = result_str;
    }
    if ( diagnostic_message != "" ) {
-      if ( ! messages?$diagnostic_messages )
+      if ( m?$diagnostic_message && diagnostic_message != m$diagnostic_message ) {
-        messages$diagnostic_messages = vector();
+        Reporter::conn_weird("LDAP_message_diagnostic_message_change", c,
-      messages$diagnostic_messages += diagnostic_message;
+                             fmt("%s: %s -> %s", message_id, m$diagnostic_message, diagnostic_message), "LDAP");
      }
      m$diagnostic_message = diagnostic_message;
    }
    if ( object != "" ) {
-      if ( ! messages?$objects )
+      if ( m?$object && m$object != object ) {
-        messages$objects = vector();
+        Reporter::conn_weird("LDAP_message_object_change", c,
-      messages$objects += object;
+                             fmt("%s: %s -> %s", message_id, m$object, object), "LDAP");
      }
      m$object = object;
    }
    if ( argument != "" ) {
-      if ( ! messages?$arguments )
+      if ( m$opcode == BIND_SIMPLE && ! default_capture_password )
-        messages$arguments = vector();
+        argument = "REDACTED";
-      if ("bind simple" in messages$opcodes && !default_capture_password)
+
-        messages$arguments += "REDACTED";
+      if ( m?$argument && m$argument != argument ) {
-      else
+        Reporter::conn_weird("LDAP_message_argument_change", c,
-        messages$arguments += argument;
+                             fmt("%s: %s -> %s", message_id, m$argument, argument), "LDAP");
      }
      m$argument = argument;
    }
    if (opcode in OPCODES_FINISHED) {
-
+      Log::write(LDAP::LDAP_LOG, m);
      if ((BIND_SIMPLE in messages$opcodes) ||
          (BIND_SASL in messages$opcodes)) {
        # don't have both "bind" and "bind <method>" in the operations list
        delete messages$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
      }
      Log::write(LDAP::LDAP_LOG, messages);
      delete c$ldap$messages[message_id];
    }
  }
 }
 #############################################################################
@ -271,34 +293,57 @@ event LDAP::search_request(c: connection,
  set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_REQUEST);
  local sm = c$ldap$searches[message_id];
  if ( scope != LDAP::SearchScope_Undef ) {
-    if ( ! c$ldap$searches[message_id]?$scopes )
+    local scope_str = SEARCH_SCOPES[scope];
-      c$ldap$searches[message_id]$scopes = set();
+    if ( sm?$scope && sm$scope != scope_str ) {
-    add c$ldap$searches[message_id]$scopes[SEARCH_SCOPES[scope]];
+      Reporter::conn_weird("LDAP_search_scope_change", c,
                           fmt("%s: %s -> %s", message_id, sm$scope, scope_str), "LDAP");
    }
    sm$scope = scope_str;
  }
  if ( deref != LDAP::SearchDerefAlias_Undef ) {
-    if ( ! c$ldap$searches[message_id]?$derefs )
+    local deref_aliases_str = SEARCH_DEREF_ALIASES[deref];
-      c$ldap$searches[message_id]$derefs = set();
+    if ( sm?$deref_aliases && sm$deref_aliases != deref_aliases_str ) {
-    add c$ldap$searches[message_id]$derefs[SEARCH_DEREF_ALIASES[deref]];
+      Reporter::conn_weird("LDAP_search_deref_aliases_change", c,
                           fmt("%s: %s -> %s", message_id, sm$deref_aliases, deref_aliases_str), "LDAP");
    }
    sm$deref_aliases = deref_aliases_str;
  }
  if ( base_object != "" ) {
-    if ( ! c$ldap$searches[message_id]?$base_objects )
+    if ( sm?$base_object && sm$base_object != base_object ) {
-      c$ldap$searches[message_id]$base_objects = vector();
+      Reporter::conn_weird("LDAP_search_base_object_change", c,
-    c$ldap$searches[message_id]$base_objects += base_object;
+                           fmt("%s: %s -> %s", message_id, sm$base_object, base_object), "LDAP");
    }
    sm$base_object = base_object;
  }
-  c$ldap$searches[message_id]$filter = filter;
+
  if ( sm?$filter && sm$filter != filter )
      Reporter::conn_weird("LDAP_search_filter_change", c,
                           fmt("%s: %s -> %s", message_id, sm$filter, filter), "LDAP");
  sm$filter = filter;
  if ( default_log_search_attributes ) {
-    c$ldap$searches[message_id]$attributes = attributes;
+    if ( sm?$attributes && cat(sm$attributes) != cat(attributes) ) {
      Reporter::conn_weird("LDAP_search_attributes_change", c,
                           fmt("%s: %s -> %s", message_id, sm$attributes, attributes), "LDAP");
    }
    sm$attributes = attributes;
  }
 }
 #############################################################################
-event LDAP::search_result(c: connection,
+event LDAP::search_result_entry(c: connection,
-                          message_id: int,
+                                message_id: int,
-                          object_name: string) {
+                                object_name: string) {
  set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY);
@ -314,16 +359,23 @@ event LDAP::bind_request(c: connection,
                         authInfo: string) {
  set_session(c, message_id, LDAP::ProtocolOpcode_BIND_REQUEST);
-  if ( ! c$ldap$messages[message_id]?$version )
+  local m = c$ldap$messages[message_id];
    c$ldap$messages[message_id]$version = version;
-  if ( ! c$ldap$messages[message_id]?$opcodes )
+  if ( ! m?$version )
-    c$ldap$messages[message_id]$opcodes = set();
+    m$version = version;
  # Getting herre, we don't expect the LDAP opcode to be set at all
  # and it'll be overwritten below.
  if ( m?$opcode )
    Reporter::conn_weird("LDAP_bind_opcode_already_set", c, m$opcode, "LDAP");
  if (authType == LDAP::BindAuthType_BIND_AUTH_SIMPLE) {
-    add c$ldap$messages[message_id]$opcodes[BIND_SIMPLE];
+    m$opcode = BIND_SIMPLE;
  } else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
-    add c$ldap$messages[message_id]$opcodes[BIND_SASL];
+    m$opcode = BIND_SASL;
  } else {
    Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
    m$opcode = cat(authType);
  }
 }
@ -333,15 +385,8 @@ hook finalize_ldap(c: connection) {
  if ( c$ldap?$messages && (|c$ldap$messages| > 0) ) {
    for ( [mid], m in c$ldap$messages ) {
-      if (mid > 0) {
+      if (mid > 0)
        if ((BIND_SIMPLE in m$opcodes) || (BIND_SASL in m$opcodes)) {
          # don't have both "bind" and "bind <method>" in the operations list
          delete m$opcodes[PROTOCOL_OPCODES[LDAP::ProtocolOpcode_BIND_REQUEST]];
        }
        Log::write(LDAP::LDAP_LOG, m);
      }
    }
    delete c$ldap$messages;
  }
--- a/scripts/base/protocols/ldap/spicy-events.zeek
+++ b/scripts/base/protocols/ldap/spicy-events.zeek
@ -93,7 +93,7 @@ global LDAP::search_request: event (
 ## message_id: The messageID element.
 ##
 ## object_name: The object name in the SearchResultEntry.
-global LDAP::search_result: event (
+global LDAP::search_result_entry: event (
  c: connection,
  message_id: int,
  object_name: string
--- a/src/analyzer/protocol/ldap/ldap.evt
+++ b/src/analyzer/protocol/ldap/ldap.evt
@ -38,6 +38,6 @@ on LDAP::SearchRequest -> event LDAP::search_request($conn,
                                                     self.filter,
                                                     self.attributes);
-on LDAP::SearchResultEntry -> event LDAP::search_result($conn,
+on LDAP::SearchResultEntry -> event LDAP::search_result_entry($conn,
-                                                        message.messageID,
+                                                              message.messageID,
-                                                        self.objectName);
+                                                              self.objectName);
--- a/testing/btest/Baseline/coverage.record-fields/out.default
+++ b/testing/btest/Baseline/coverage.record-fields/out.default
@ -365,14 +365,14 @@ connection {
      LDAP::State {
        * messages: table[int] of record LDAP::MessageInfo, log=F, optional=T
            LDAP::MessageInfo {
-              * arguments: vector of string, log=T, optional=T
+              * argument: string, log=T, optional=T
-              * diagnostic_messages: vector of string, log=T, optional=T
+              * diagnostic_message: string, log=T, optional=T
              * id: record conn_id, log=T, optional=F
                  conn_id { ... }
              * message_id: int, log=T, optional=T
-              * objects: vector of string, log=T, optional=T
+              * object: string, log=T, optional=T
-              * opcodes: set[string], log=T, optional=T
+              * opcode: string, log=T, optional=T
-              * results: set[string], log=T, optional=T
+              * result: string, log=T, optional=T
              * ts: time, log=T, optional=F
              * uid: string, log=T, optional=F
              * version: int, log=T, optional=T
@ -380,16 +380,16 @@ connection {
        * searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
            LDAP::SearchInfo {
              * attributes: vector of string, log=T, optional=T
-              * base_objects: vector of string, log=T, optional=T
+              * base_object: string, log=T, optional=T
-              * derefs: set[string], log=T, optional=T
+              * deref_aliases: string, log=T, optional=T
-              * diagnostic_messages: vector of string, log=T, optional=T
+              * diagnostic_message: string, log=T, optional=T
              * filter: string, log=T, optional=T
              * id: record conn_id, log=T, optional=F
                  conn_id { ... }
              * message_id: int, log=T, optional=T
              * result: string, log=T, optional=T
              * result_count: count, log=T, optional=T
-              * results: set[string], log=T, optional=T
+              * scope: string, log=T, optional=T
              * scopes: set[string], log=T, optional=T
              * ts: time, log=T, optional=F
              * uid: string, log=T, optional=F
             }
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log
@ -5,8 +5,8 @@
 #unset_field	-
 #path	ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcodes	results	diagnostic_messages	objects	arguments
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcode	result	diagnostic_message	object	argument
-#types	time	string	addr	port	addr	port	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	int	int	string	string	string	string	string
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	1	3	bind simple	success	-	xxxxxxxxxxx@xx.xxx.xxxxx.net	REDACTED
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	3	3	bind simple	success	-	CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	REDACTED
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	3	3	bind simple	success	-	CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net	REDACTED
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scopes	derefs	base_objects	result_count	results	diagnostic_messages	filter	attributes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scope	deref_aliases	base_object	result_count	result	diagnostic_message	filter	attributes
-#types	time	string	addr	port	addr	port	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
+#types	time	string	addr	port	addr	port	int	string	string	string	count	string	string	string	vector[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	2	tree	always	DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	sAMAccountName
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	2	tree	always	DC=xx,DC=xxx,DC=xxxxx,DC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	sAMAccountName
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log
@ -5,8 +5,8 @@
 #unset_field	-
 #path	ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcodes	results	diagnostic_messages	objects	arguments
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcode	result	diagnostic_message	object	argument
-#types	time	string	addr	port	addr	port	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	int	int	string	string	string	string	string
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	1	3	bind simple	success	-	xxxxxxxxxxx@xx.xxx.xxxxx.net	REDACTED
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	3	3	bind simple	success	-	CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	REDACTED
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	3	3	bind simple	success	-	CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net	REDACTED
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scopes	derefs	base_objects	result_count	results	diagnostic_messages	filter	attributes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scope	deref_aliases	base_object	result_count	result	diagnostic_message	filter	attributes
-#types	time	string	addr	port	addr	port	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
+#types	time	string	addr	port	addr	port	int	string	string	string	count	string	string	string	vector[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	2	tree	always	DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	2	tree	always	DC=xx,DC=xxx,DC=xxxxx,DC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log
@ -5,8 +5,8 @@
 #unset_field	-
 #path	ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcodes	results	diagnostic_messages	objects	arguments
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcode	result	diagnostic_message	object	argument
-#types	time	string	addr	port	addr	port	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	int	int	string	string	string	string	string
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	1	3	bind simple	success	-	xxxxxxxxxxx@xx.xxx.xxxxx.net	REDACTED
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	3	3	bind simple	success	-	CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	REDACTED
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	3	3	bind simple	success	-	CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net	REDACTED
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scopes	derefs	base_objects	result_count	results	diagnostic_messages	filter	attributes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scope	deref_aliases	base_object	result_count	result	diagnostic_message	filter	attributes
-#types	time	string	addr	port	addr	port	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
+#types	time	string	addr	port	addr	port	int	string	string	string	count	string	string	string	vector[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	2	tree	always	DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	2	tree	always	DC=xx,DC=xxx,DC=xxxxx,DC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	ldap
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcodes	results	diagnostic_messages	objects	arguments
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcode	result	diagnostic_message	object	argument
-#types	time	string	addr	port	addr	port	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	int	int	string	string	string	string	string
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.31.1.104	3116	172.31.1.101	389	215	3	bind SASL	success	-	-	GSS-SPNEGO
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scopes	derefs	base_objects	result_count	results	diagnostic_messages	filter	attributes
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scope	deref_aliases	base_object	result_count	result	diagnostic_message	filter	attributes
-#types	time	string	addr	port	addr	port	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
+#types	time	string	addr	port	addr	port	int	string	string	string	count	string	string	string	vector[string]
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.31.1.104	3116	172.31.1.101	389	213	base	never	-	1	success	-	(objectclass=*)	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/ldap_search.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.search_filter_extended/ldap_search.log
@ -5,7 +5,7 @@
 #unset_field	-
 #path	ldap_search
 #open XXXX-XX-XX-XX-XX-XX
-#fields	uid	filter	base_objects
+#fields	uid	filter	base_object
-#types	string	string	vector[string]
+#types	string	string	string
-CHhAvVGS1DHFjwGM9	(departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709)	DC=matrix\x2cDC=local
+CHhAvVGS1DHFjwGM9	(departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709)	DC=matrix,DC=local
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/search_filter_extended.zeek
@ -4,7 +4,7 @@
 #
 # @TEST-REQUIRES: have-spicy
 # @TEST-EXEC: zeek -C -r ${TRACES}/ldap/issue-32.pcapng %INPUT
-# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_objects > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
+# @TEST-EXEC: cat ldap_search.log | zeek-cut -C uid filter base_object > ldap_search.log2 && mv ldap_search.log2 ldap_search.log
 # @TEST-EXEC: btest-diff ldap_search.log
 #
 # @TEST-DOC: Test LDAP analyzer with small trace.
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-d123eb5eadc605328030c43a6a8174c69ca59fd1
+0fdc6e2b2f2930c0edf3c83c36f6aa789b0bff30
`@ -1 +1 @@`
	`d123eb5eadc605328030c43a6a8174c69ca59fd1`	`0fdc6e2b2f2930c0edf3c83c36f6aa789b0bff30`