From 724c08f2862dfe9ad5497e9808a821b4f3b9e97d Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 18 Jul 2024 15:45:31 +0200 Subject: [PATCH] ldap: Fix assuming GSS-SPNEGO for all bindResponses In retrospect that's an obvious bug. --- src/analyzer/protocol/ldap/ldap.spicy | 65 +++++++++--------- .../conn.log | 11 +++ .../ldap.log | 13 ++++ .../ldap_search.log | 11 +++ .../conn.log | 11 +++ .../ldap.log | 13 ++++ .../ldap_search.log | 11 +++ testing/btest/Traces/ldap/sasl-ntlm.pcap | Bin 0 -> 4052 bytes .../btest/Traces/ldap/sasl-scram-sha-512.pcap | Bin 0 -> 4297 bytes .../base/protocols/ldap/sasl-ntlm.zeek | 12 ++++ .../protocols/ldap/sasl-scram-sha-512.zeek | 12 ++++ 11 files changed, 125 insertions(+), 34 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap_search.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap_search.log create mode 100644 testing/btest/Traces/ldap/sasl-ntlm.pcap create mode 100644 testing/btest/Traces/ldap/sasl-scram-sha-512.pcap create mode 100644 testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek create mode 100644 testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy index 75bbb23783..c8102c49c9 100644 --- a/src/analyzer/protocol/ldap/ldap.spicy +++ b/src/analyzer/protocol/ldap/ldap.spicy 
@@ -137,6 +137,7 @@ type MessageMode = enum { type Ctx = struct { messageMode: MessageMode; # Message dispatching mode + saslMechanism: string; # The SASL mechanism selected by the client. startTlsRequested: bool; # Did the client use the StartTLS extended request? }; @@ -255,7 +256,7 @@ public type Message = unit(ctx: Ctx&) { } switch ( self.opcode ) { - ProtocolOpcode::BIND_REQUEST -> BIND_REQUEST: BindRequest(self); + ProtocolOpcode::BIND_REQUEST -> BIND_REQUEST: BindRequest(self, ctx); ProtocolOpcode::BIND_RESPONSE -> BIND_RESPONSE: BindResponse(self, ctx); ProtocolOpcode::UNBIND_REQUEST -> UNBIND_REQUEST: UnbindRequest(self); ProtocolOpcode::SEARCH_REQUEST -> SEARCH_REQUEST: SearchRequest(self); @@ -307,7 +308,7 @@ type GSS_SPNEGO_negTokenInit = unit { }; # Peak into GSS-SPNEGO payload and ensure it is indeed GSS-SPNEGO. -type GSS_SPNEGO = unit { +type GSS_SPNEGO_Init = unit { # This is the optional octet string in SaslCredentials. credentialsHeader: ASN1::ASN1Header &requires=($$.tag.type_ == ASN1::ASN1Type::OctetString); @@ -333,12 +334,19 @@ type SaslCredentials = unit() { # Peak into GSS-SPNEGO payload if we have any. switch ( self.mechanism ) { - "GSS-SPNEGO" -> gss_spnego: GSS_SPNEGO; + "GSS-SPNEGO" -> gss_spnego: GSS_SPNEGO_Init; * -> : skip bytes &eod; }; }; -type NegTokenResp = unit { +type GSS_SPNEGO_Subsequent = unit { + token: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::ContextSpecific); + switch ( self.token.tag.type_ ) { + ASN1::ASN1Type(1) -> negTokenResp: GSS_SPNEGO_negTokenResp; + }; +}; + +type GSS_SPNEGO_negTokenResp = unit { var accepted: bool; var supportedMech: ASN1::ASN1Message; 
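Review bot: The switch in the new `GSS_SPNEGO_Subsequent` unit has a single arm for `ASN1::ASN1Type(1)` and no default, so a server token carrying any other context-specific tag will most likely surface as a parse error for the whole BindResponse instead of being ignored. The comment in the BindResponse hunk further down says "try to parse", which suggests best-effort was intended. For a monitoring parser, a hard failure at this point means the analyzer can drop off a connection because of bytes the server controls. Consider a catch-all arm in the style `SaslCredentials` already uses, `* -> : skip bytes &eod;`. A one-line comment on the unit would also help, stating that it covers only the server's follow-up tokens (negTokenResp) and that the `&requires` on `token` rejects payloads that are not context-specific.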
@@ -366,34 +374,13 @@ type NegTokenResp = unit { } &parse-from=self.supportedMech.application_data; }; -type ServerSaslCreds = unit { - serverSaslCreds: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::ContextSpecific && $$.tag.type_ == ASN1::ASN1Type(7)); - - # The PCAP missing_ldap_logs.pcapng has a1 81 b6 here for the GSS-SPNEGO response. - # - # This is context-specific ID 1, constructed, and a length of 182 as - # specified by in 4.2 of RFC4178. - # - # https://www.rfc-editor.org/rfc/rfc4178#section-4.2 - # - # TODO: This is only valid for a GSS-SPNEGO negTokenResp. - # If you want to support something else, remove the requires - # and add more to the switch below. - choice: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::ContextSpecific); - - switch ( self.choice.tag.type_ ) { - ASN1::ASN1Type(1) -> negTokenResp: NegTokenResp; - # ... - } &size=self.choice.len.len; -}; - # TODO(fox-ds): A helper unit for requests for which no handling has been implemented. # Eventually all uses of this unit should be replaced with actual parsers so this unit can be removed. type NotImplemented = unit(inout message: Message) { : skip bytes &eod; }; -type BindRequest = unit(inout message: Message) { +type BindRequest = unit(inout message: Message, ctx: Ctx&) { version: ASN1::ASN1Message(True) &convert=$$.body.num_value; name: ASN1::ASN1Message(True) &convert=$$.body.str_value { message.obj = self.name; 
@@ -417,9 +404,15 @@ type BindRequest = unit(inout message: Message) { saslCreds: SaslCredentials() &parse-from=self.authData if ((self.authType == BindAuthType::BIND_AUTH_SASL) && (|self.authData| > 0)) { message.arg = self.saslCreds.mechanism; + ctx.saslMechanism = self.saslCreds.mechanism; } } &requires=(self?.authType && (self.authType != BindAuthType::Undef)); +type ServerSaslCreds = unit { + serverSaslCreds: ASN1::ASN1Header &requires=($$.tag.class == ASN1::ASN1Class::ContextSpecific && $$.tag.type_ == ASN1::ASN1Type(7)); + payload: bytes &size=self.serverSaslCreds.len.len; +}; + type BindResponse = unit(inout message: Message, ctx: Ctx&) { : Result { message.result_ = $$; @@ -432,14 +425,18 @@ type BindResponse = unit(inout message: Message, ctx: Ctx&) { # if the serverSaslCreds field exists or not. But, not sure we can # check if there's any bytes left at this point outside of passing # in the length and playing with offset(). - serverSaslCreds: ServerSaslCreds[] &eod { - if ( |self.serverSaslCreds| > 0 ) { - if ( self.serverSaslCreds[0]?.negTokenResp ) { - local token = self.serverSaslCreds[0].negTokenResp; - if ( token.accepted && token?.supportedMechOid ) { - if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) { - ctx.messageMode = MessageMode::MS_KRB5; - } + serverSaslCreds: ServerSaslCreds[] &eod; + + # If the client requested GSS-SPNEGO, try to parse the server's response + # to switch message mode. + gss_spnego: GSS_SPNEGO_Subsequent &parse-from=self.serverSaslCreds[0].payload + if (ctx.saslMechanism == "GSS-SPNEGO" && |self.serverSaslCreds| > 0) { + + if ( $$?.negTokenResp ) { + local token = $$.negTokenResp; + if ( token.accepted && token?.supportedMechOid ) { + if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) { + ctx.messageMode = MessageMode::MS_KRB5; } } } 
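Review bot: `ctx.saslMechanism` is written only inside the SASL branch of `BindRequest`, and nothing visible in this patch clears it. After a GSS-SPNEGO bind, a later simple bind (or a SASL bind with empty `authData`) on the same connection therefore leaves the old value in place. The new `gss_spnego` field in `BindResponse` keys off that value, so a response to the later bind that carries `serverSaslCreds` would still be parsed as GSS-SPNEGO and could switch `ctx.messageMode` to `MS_KRB5`. Resetting the field at the start of every bind request would tie it to the request in flight, for example `on %init { ctx.saslMechanism = ""; }` in `BindRequest` (whose body starts outside this hunk); the `Ctx` field comment in the first hunk could then read `# SASL mechanism of the most recent bind request, empty if not SASL.`. A trace with a re-bind after GSS-SPNEGO would make a useful third test next to the NTLM and SCRAM-SHA-512 ones.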
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log new file mode 100644 index 0000000000..27c56bc33b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/conn.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 tcp ldap_tcp 2.290081 289 1509 SF 0 ShADadFf 12 921 15 2297 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap.log new file mode 100644 index 0000000000..cd94c49d5b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap.log 
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 1 3 bind SASL SASL bind in progress SASL(0): successful result: - NTLM +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 2 3 bind SASL success - - NTLM +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 4 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap_search.log new file mode 100644 index 0000000000..3ff2f3b1a6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-ntlm/ldap_search.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 60126 127.0.1.1 389 3 tree never dc=example,dc=com 9 success - (objectclass=*) - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log new file mode 100644 index 0000000000..5fcce64ab8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/conn.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 tcp ldap_tcp 2.231680 353 1772 SF 0 ShADadFf 11 933 15 2560 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap.log new file mode 100644 index 0000000000..7c3478b262 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap.log 
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument +#types time string addr port addr port int int string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 1 3 bind SASL SASL bind in progress SASL(0): successful result: user: sasladmin@slapd.ldap property: slapAuthzDN not found in sasldb - SCRAM-SHA-512 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 2 3 bind SASL success - - SCRAM-SHA-512 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 4 - unbind - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap_search.log new file mode 100644 index 0000000000..edcf38ced5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ldap.sasl-scram-sha-512/ldap_search.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ldap_search +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes +#types time string addr port addr port int string string string count string string string vector[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59552 127.0.1.1 389 3 tree never dc=example,dc=com 9 success - (objectclass=*) - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Traces/ldap/sasl-ntlm.pcap b/testing/btest/Traces/ldap/sasl-ntlm.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ef2fb91ab4e18be7df4fbe120116ef99178c1ce9 GIT binary patch literal 4052 zcmb7{e`phD7{}kczD;YJ^p{oZkJ_kotJB#_twXJ4ZJk&({ef+DbDMg(T+^$`UCbro zWKL6bGOC+Y9Tf$Cfj`Ek(+Q3t_=o;6VGIP(unifLfH>G6f-rTPd!F}_cz2Bf-}KFU zx#Yg@=lMR*``-2T^-CvsLP@$ke@+MoA1+lK?w_XeWF;J9H@8BvjF2UX!4}fukh*rj z1v?1GJ-o;5K0M5wz+WEcw{I;!PY6%*FH^p-=+1-p*W-CEFRuWV>vJj-g33)lpem|! zyC2?rTsyKD)K4C-_&EH}w=a~Pn}=qidRn;!l-pn??B>Rp8xxxt^BNoTNl|LL^*onH$*DR@JA1ty z)Q#^wJ>AUt0^XR#otg|sc<)*ql|diaa@Y%c>{@Au=&g#FbD&r}eb->KZ$LH|9@FidY=(nXe%R^lb?aMVM3nIp@9|K*M( zLM$`Aw#+0T*XLNSy_U?(x(trg{^%fo!MxbbjXCmrLPbU2nXHPC>uW30ivCsTvk*VW zbNt5mDI?qQBdK)9N7C`2`7_p5Q0~_Vev4$5=kP|`w091n5u?2qHfo?^{6C`(Z(DC)YvVyn63AYTCjc5`DSN0U{| zyH=ZbSHQcg=$-3W#=COx&MWi-iC@e@B6x+lG&TKFoZeGS^P*aq7W$N-6J`JmY9VDm?VC6UbpHvp$CWdU7%&2M^7A@qwB&`5z57 z^7vjvkAF(1YO&^SSxcE{^-~B4b=D{*8&Oo4*~MU=szikn%4;!CA$1sP!W>%cmvt$k zgfT$RG&*Ierbb0Yl_TzcE#i*pa3HJEh$8D4pbrB41nz0r%?(q-g_Bb-z`jkk0MDlb zl;_w29O4#YghQN%z8+Kj&0xB!%j(=*;SO($7jOM|Nn7`Dd!bCbQplp%VPBA3o`8F})6C)yermN`LN(Lv4r@W+kT(r1N^y%)@ z$yu~CDhK88fTqfwv5-%Wc*En0yz97NZMC-O6>81JYOR3gGcn}d0=y>y6uY@G-h;_$jCYxp_fUJ9_rIq$-u1}) z9$OsCBU&t+4S4Y@0B075p@ziUf%r6_VmCKNJesU##4R@BvuWbx4{gLgB>s?AgTo!7 zGyoNujd{r{Fqbiti)dk552<$n^%20uZf=ZvUvfI5UTLNN(wV0I6do^eD~B6{v4O5d z>eZ|+R`^3=I7?kL3bU+BvXW-oeljJ&bP)9mK)nl$*v*Zh-b~goRF@4^PNQD9Z$pib zAZvUtt(DZ~fD9XfjGM_z%R>^TTDhIHD6HwqR(1t0eOT(S^bIMY61NC{YJEdxdvKi! z)2*9mDRr@{-J&FEF*S-|9)d7)+^#ocm{Pax=6dyU?V+=9yZ(Fsej`k{opoSVQ1J{X zu7h0|ySbrpoHyx4#lFvM#yw3Nr{PpDa@-*dah2%Y5a*(`xD&td?qyp+{J!v-)w@Zw zAQduoG80=31IE}`YV5rhUtv#i&U!pkpGwkXS`^d* zirO-O3pO$nVTE+1QM zqi%eFT6-;{*ooC94W?L>F}D&HM<*(ZITaHz#^|*%-T=lK%+A6LV>bj}`9DG^6M6su literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/ldap/sasl-scram-sha-512.pcap b/testing/btest/Traces/ldap/sasl-scram-sha-512.pcap new file mode 100644 index 0000000000000000000000000000000000000000..70fd3d6b0d3659dec9bf9e97aa1d87ecce5a5af5 GIT binary patch literal 4297 zcmb7{4@?{P702()kMPI*OQBu*C!4i2BOL_JV8BUZ2?ORo1TX}LZB@?a!#--?S$Ajt zc-{D;wMbdIbXis9KXk34sp_ODTDP{_5@=Fsnc8Sm6Q)L6D=nKAG)3K{NmG|i-FrXV z^zP!)<%uWY;J){H-}iox0#!%F0iSANLe9-S9Q0G4dH7!|Y2Q zZf2Udtk%xL4YLf(-dbj#E-nAyQT)wi+qb6o|BYd6B=@JpmS4EG{_YT7XLEA$Q28gD zDl-f!KmI1FqB{HZt!1_H_^HLuv_O}js`*!;~y}KKnb!4AhT`hYwUW@Xfm?SsD=Xj_l8sg*Cs%Lbf zSDk548V<;^-d;a?V5Ca#AN0%Ja;G{t=57-aw)9G>^z7x^Uq@K3&|>U0Fm?{g|M-K( z6l{_DpR;T0*KeTWE040w*I*(rje+H}efBp{vF7ht6}K@TGmmU2zJ`k20((Cgz%Q^R zg=`67$RWSi-@A)@Y_CI02!g0-5)?jg6kz9-x#j*L#U`i6qTp-5e~ ziGhBlGd|f9j7NL>v?DzecJmSq<0N^n9H zbRo)X8poiEr{-AZ6+pl=1|>Od{{?k%$?W3EQE+hS!LdcjXKFO65TS#ygki2wxNd5+p z{|=BbjX}vT*?&pNr!3?bGvr?_u#nFmLG<}&$iqs)GaxEy6U}~dVQ!bXiU(6w+-GFx zqa(7Ub0x&4B%JwVOG=HaBKDA|391yw0-cYLhgua`=OtNGVdJTERXRjjS0z!y0^foH zVa91%3uNQ=UtxhYSIh;T>dzGTW4IHC1WtXbH4Cg8D_mfmq%t9eJYc%4iE{O3Mn%GLi#N#Qvop$~`~|!qTKD_wz9kueb1O zkXL#1Oq0>GZVJbh6PqAAi;2C34{DC|#T}$n7o%c4qR3)@A{G=?XBjEk<>K6rIT{)o zcGvHztAlCVHqHy06qBOj@Mgd5;vlvY662+)^L|pEMr=-Zz6OpFcH=U1W0TGP9Cl;X zX*sg9YUSy}xY^&|k?IBLNRy^y?ZWP+z#_0uOQhL+Qvvw9Yp;jp#B~hF^xe{uh`$Bs859$iHU8J z3U3XHI^!%MMYVXPHf`yHq%f+4CD|Vlqfw`w6x0SKxi-ja5pFBV4U2-J85*$NY&D2s z!A7V53{G#dWxtP3uX1;9*`@QiWv|~!Ic?ms>!3IQO~W(>9nlv1Wjdmke}0zEXL|RX zWa(WIbWY4mzb4{r9A03VE)d2v2GxH&d5jY8%0j$?FHlP_n2EVu8%tW~o7p)K-o%O@ zP~jSj@H1-V(#qUcu;MRfVMGmlXER0n+tiBxn#Xu)1*}-4iZ?f`xQYg&;x{){Og>K; UcUu@2fpL|#>rWeu_?mL{e?Fa+O8@`> literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek new file mode 100644 index 0000000000..0504ba7a0a --- /dev/null +++ b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek 
@@ -0,0 +1,12 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-ntlm.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: This broke after #3826 got merged
diff --git a/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
new file mode 100644
index 0000000000..9db41f96bc
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
@@ -0,0 +1,12 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-scram-sha-512.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: This broke after #3826 got merged