diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index 1cdff64292..7c09049d1b 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -6,6 +6,14 @@ export {
 redef enum Log::ID += { LDAP_LOG, LDAP_SEARCH_LOG };
+ ## TCP ports which should be considered for analysis.
+ const ports_tcp = { 389/tcp, 3268/tcp } &redef;
+
+ ## UDP ports which should be considered for analysis.
+ const ports_udp = { 389/udp } &redef;
+
+ redef likely_server_ports += { LDAP::ports_tcp, LDAP::ports_udp };
+
 ## Whether clear text passwords are captured or not.
 option default_capture_password = F;
@@ -260,6 +268,9 @@ redef record connection += {
 #############################################################################
 event zeek_init() &priority=5
 {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
+ Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
+
 Log::create_stream(LDAP::LDAP_LOG, [$columns=Message, $ev=log_ldap, $path="ldap", $policy=log_policy]);
 Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=Search, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
 }
diff --git a/src/analyzer/protocol/ldap/ldap.evt b/src/analyzer/protocol/ldap/ldap.evt
index 6b217348b1..c0fc25cdb0 100644
--- a/src/analyzer/protocol/ldap/ldap.evt
+++ b/src/analyzer/protocol/ldap/ldap.evt
@@ -1,12 +1,10 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 protocol analyzer LDAP_TCP over TCP:
- parse with LDAP::Messages,
- ports { 389/tcp, 3268/tcp};
+ parse with LDAP::Messages;
 protocol analyzer LDAP_UDP over UDP:
- parse with LDAP::Messages,
- ports { 389/udp };
+ parse with LDAP::Messages;
 import LDAP;
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index 939abe6f39..dcd56a5e77 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
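Review bot: The `## TCP ports which should be considered for analysis.` comment on the new `ports_tcp` constant does not say that the TLS-wrapped LDAP ports (636/tcp LDAPS and 3269/tcp Global Catalog over TLS) are intentionally absent, presumably because this analyzer parses cleartext LDAP only; an operator who adds them via `redef LDAP::ports_tcp` expecting parsed ldap.log entries would get nothing. I would extend the doc comment to `## TCP ports which should be considered for analysis. LDAPS (636/tcp) and GC-over-TLS (3269/tcp) are deliberately not listed: the analyzer parses cleartext LDAP only.`, with a matching note on `ports_udp` if the same applies. The `export` block this hunk edits continues outside the hunk.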
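Review bot: With the `ports { … }` clauses removed, `LDAP_TCP` and `LDAP_UDP` are no longer bound to any port by the analyzer definition itself; the binding now lives only in `scripts/base/protocols/ldap/main.zeek`, so a deployment that loads this analyzer without that script silently sees no LDAP on 389/tcp, 3268/tcp or 389/udp unless some other mechanism (e.g. a DPD signature, none is visible here) attaches it. I would record that dependency next to the definitions: `# Ports are registered from scripts/base/protocols/ldap/main.zeek (LDAP::ports_tcp / LDAP::ports_udp), not here.` The `import LDAP;` that follows is unchanged and the file continues past the hunk.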
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -18,9 +18,11 @@ 1 25 1 2811 1 3128 +1 3268 1 3306 2 3389 1 3544 +2 389 1 4011 2 443 1 445 @@ -60,8 +62,8 @@ 1 992 1 993 1 995 -67 and -66 or -67 port -44 tcp -23 udp +70 and +69 or +70 port +46 tcp +24 udp diff --git a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered index 708e225624..293b1047f3 100644 --- a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered +++ b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered @@ -1,5 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -[zeek] Scheduling analyzer for port 389/tcp -[zeek] Scheduling analyzer for port 3268/tcp -[zeek] Scheduling analyzer for port 389/udp [zeek] Scheduling analyzer for port 31336/udp diff --git a/testing/btest/core/print-bpf-filters.zeek b/testing/btest/core/print-bpf-filters.zeek index fd86ce4f04..e755c4347f 100644 --- a/testing/btest/core/print-bpf-filters.zeek +++ b/testing/btest/core/print-bpf-filters.zeek @@ -1,3 +1,5 @@ +# @TEST-REQUIRES: have-spicy +# # @TEST-EXEC: zeek -r $TRACES/empty.trace >output # @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: zeek -r $TRACES/empty.trace -f "port 42" >>output @@ -6,10 +8,9 @@ # @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff conn.log -# +# # The order in the output of enable_auto_protocol_capture_filters isn't # stable, for reasons not clear. We canonify it first. # @TEST-EXEC: zeek -r $TRACES/empty.trace PacketFilter::enable_auto_protocol_capture_filters=T # @TEST-EXEC: cat packet_filter.log | zeek-cut filter | sed 's#[()]##g' | tr ' ' '\n' | sort | uniq -c | awk '{print $1, $2}' >output2 # @TEST-EXEC: btest-diff output2 - 
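Review bot: The new `# @TEST-REQUIRES: have-spicy` line in print-bpf-filters.zeek gives no reason for the requirement, and a reader of this core test has to diff the `output2` baseline to learn why; the added `1 3268` and `2 389` entries there suggest it is because the auto-generated capture filter now includes ports registered by the Spicy-based LDAP analyzer, which a build without Spicy would not produce. I would add a comment directly under it: `# The auto-generated capture filter (output2) includes ports registered by Spicy-based analyzers such as LDAP, so the baseline only matches builds with Spicy.` If the intent is rather to keep this core test Spicy-independent, filtering those ports out of output2 before comparing would be the alternative, but that is a maintainers' choice. The rest of the test's @TEST-EXEC lines fall in the second hunk.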
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index a9a63fa39f..c6aa6e2c80 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-718bc67ea10606ec29acfdae05c463518319e8f2
+5ac67a3895edf0ea6a757ae3ea8626621f57db41