Merge remote-tracking branch 'origin/topic/awelzel/ldap-extended-request-response-starttls'

* origin/topic/awelzel/ldap-extended-request-response-starttls: ldap: Add heuristic for wrap tokens ldap: Ignore ec/rrc for sealed wrap tokens ldap: Add LDAP sample with SASL-SRP mechanism ldap: Reintroduce encryption after SASL heuristic ldap: Fix assuming GSS-SPNEGO for all bindResponses ldap: Implement extended request/response and StartTLS support (cherry picked from commit 6a6a5c3d0d)
2025-10-02 14:48:21 +00:00 · 2024-07-23 12:38:54 +02:00 · 2024-07-23 12:38:54 +02:00 · 6f65b88f1b
commit 6f65b88f1b
parent cfe47f40a4
32 changed files with 506 additions and 56 deletions
--- a/scripts/base/protocols/ldap/consts.zeek
+++ b/scripts/base/protocols/ldap/consts.zeek
@ -120,4 +120,11 @@ export {
 	    "searching", [ LDAP::SearchDerefAlias_DEREF_FINDING_BASE ] =
 	    "finding", [ LDAP::SearchDerefAlias_DEREF_ALWAYS ] = "always",  }
 	    &default="unknown";
+
+	const EXTENDED_REQUESTS = {
+	   # StartTLS, https://datatracker.ietf.org/doc/html/rfc4511#section-4.14.1
+	   [ "1.3.6.1.4.1.1466.20037" ] = "StartTLS",
+	   # whoami, https://datatracker.ietf.org/doc/html/rfc4532#section-2
+	   [ "1.3.6.1.4.1.4203.1.11.3" ] = "whoami",
+	} &default="unknown" &redef;
 }
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@ -258,6 +258,9 @@ event LDAP::message(c: connection,
      }

      m$object = object;
+
+      if ( opcode == LDAP::ProtocolOpcode_EXTENDED_REQUEST )
+        m$object += fmt(" (%s)", EXTENDED_REQUESTS[object]);
    }

    if ( argument != "" ) {
--- a/scripts/base/protocols/ldap/spicy-events.zeek
+++ b/scripts/base/protocols/ldap/spicy-events.zeek
@ -98,3 +98,44 @@ global LDAP::search_result_entry: event (
  message_id: int,
  object_name: string
 );
+
+## Event generated for each ExtendedRequest in LDAP messages.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## request_name: The name of the extended request.
+##
+## request_value: The value of the extended request (empty if missing).
+global LDAP::extended_request: event (
+  c: connection,
+  message_id: int,
+  request_name: string,
+  request_value: string
+);
+
+## Event generated for each ExtendedResponse in LDAP messages.
+##
+## c: The connection.
+##
+## message_id: The messageID element.
+##
+## result: The result code of the response.
+##
+## response_name: The name of the extended response (empty if missing).
+##
+## response_value: The value of the extended response (empty if missing).
+global LDAP::extended_response: event (
+  c: connection,
+  message_id: int,
+  result: LDAP::ResultCode,
+  response_name: string,
+  response_value: string
+);
+
+## Event generated when a plaintext LDAP connection switched to TLS.
+##
+## c: The connection.
+##
+global LDAP::starttls: event(c: connection);