From 9b02b93889363ecd48afcf5ce3086ffcc10745e4 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier
Date: Thu, 21 Sep 2023 13:13:32 +0200
Subject: [PATCH] Make ports for LDAP analyzers fully configurable

This moves the ports the LDAP analyzers should be triggered on from the EVT file to the Zeek module. This gives users full control over which ports the analyzers are registered for while previously they could only register them for additional ports (there is no Zeek script equivalent of `Manager::UnregisterAnalyzerForPort`). The analyzers could still be triggered via DPD, but this is intentional. To fully disable analyzers users can use e.g., ```zeek event zeek_init() { Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP); } ```
---
 scripts/base/protocols/ldap/main.zeek | 11 +++++++++++
 src/analyzer/protocol/ldap/ldap.evt | 6 ++----
 .../btest/Baseline/core.print-bpf-filters/output2 | 12 +++++++-----
 .../Baseline/spicy.port-range-one-port/out.filtered | 3 ---
 testing/btest/core/print-bpf-filters.zeek | 5 +++--
 testing/external/commit-hash.zeek-testing-private | 2 +-
 6 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index 1cdff64292..7c09049d1b 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -6,6 +6,14 @@ export {
 redef enum Log::ID += { LDAP_LOG, LDAP_SEARCH_LOG };
+ ## TCP ports which should be considered for analysis.
+ const ports_tcp = { 389/tcp, 3268/tcp } &redef;
+
+ ## UDP ports which should be considered for analysis.
+ const ports_udp = { 389/udp } &redef;
+
+ redef likely_server_ports += { LDAP::ports_tcp, LDAP::ports_udp };
+
 ## Whether clear text passwords are captured or not.
 option default_capture_password = F;
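Review bot: The `##` doc comments on `ports_tcp` and `ports_udp` describe only the port sets, not that these sets control port-based activation alone; the commit message states that DPD can still attach the analyzers to other connections, and that caveat belongs in the script documentation a user of the `&redef` sees, not only in the commit. Suggest extending the first comment to `## TCP ports which should be considered for analysis. The analyzer may still be attached to other connections via DPD; use Analyzer::disable_analyzer to turn it off entirely.` and the UDP one likewise. Noting that both sets also feed `likely_server_ports` (the `redef` added below them) would tell a user who redefines the ports what else changes with them.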
@@ -260,6 +268,9 @@ redef record connection += {
 #############################################################################
 event zeek_init() &priority=5 {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
+ Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
+
 Log::create_stream(LDAP::LDAP_LOG, [$columns=Message, $ev=log_ldap, $path="ldap", $policy=log_policy]);
 Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=Search, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
 }
diff --git a/src/analyzer/protocol/ldap/ldap.evt b/src/analyzer/protocol/ldap/ldap.evt
index 6b217348b1..c0fc25cdb0 100644
--- a/src/analyzer/protocol/ldap/ldap.evt
+++ b/src/analyzer/protocol/ldap/ldap.evt
@@ -1,12 +1,10 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 protocol analyzer LDAP_TCP over TCP:
- parse with LDAP::Messages,
- ports { 389/tcp, 3268/tcp};
+ parse with LDAP::Messages;
 protocol analyzer LDAP_UDP over UDP:
- parse with LDAP::Messages,
- ports { 389/udp };
+ parse with LDAP::Messages;
 import LDAP;
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index 939abe6f39..dcd56a5e77 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -18,9 +18,11 @@
 1 25
 1 2811
 1 3128
+1 3268
 1 3306
 2 3389
 1 3544
+2 389
 1 4011
 2 443
 1 445
@@ -60,8 +62,8 @@
 1 992
 1 993
 1 995
-67 and
-66 or
-67 port
-44 tcp
-23 udp
+70 and
+69 or
+70 port
+46 tcp
+24 udp
diff --git a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
index 708e225624..293b1047f3 100644
--- a/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
+++ b/testing/btest/Baseline/spicy.port-range-one-port/out.filtered
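Review bot: The two `Analyzer::register_for_ports` calls added at the top of `zeek_init` carry no comment saying that this is now the only place the LDAP ports are declared, since this commit removes the `ports` clauses from `ldap.evt`; a maintainer reading only this file cannot tell that. Suggest a one-line comment above them, `# Ports are declared only here (LDAP::ports_tcp / LDAP::ports_udp, both &redef); ldap.evt no longer lists any.`. The `zeek_init` handler appears complete within the hunk.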
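Review bot: With the `ports` clauses gone, `ldap.evt` gives no hint that the analyzers' ports are now configured in `scripts/base/protocols/ldap/main.zeek`, so someone editing the EVT later may re-add a `ports` clause and silently reintroduce the non-redefinable registration this commit removes. A comment above the two `protocol analyzer` declarations, `# Ports are registered from scripts/base/protocols/ldap/main.zeek (LDAP::ports_tcp / LDAP::ports_udp), not here.`, would keep the two files from drifting apart.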
@@ -1,5 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[zeek] Scheduling analyzer for port 389/tcp
-[zeek] Scheduling analyzer for port 3268/tcp
-[zeek] Scheduling analyzer for port 389/udp
 [zeek] Scheduling analyzer for port 31336/udp
diff --git a/testing/btest/core/print-bpf-filters.zeek b/testing/btest/core/print-bpf-filters.zeek
index fd86ce4f04..e755c4347f 100644
--- a/testing/btest/core/print-bpf-filters.zeek
+++ b/testing/btest/core/print-bpf-filters.zeek
@@ -1,3 +1,5 @@
+# @TEST-REQUIRES: have-spicy
+#
 # @TEST-EXEC: zeek -r $TRACES/empty.trace >output
 # @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: zeek -r $TRACES/empty.trace -f "port 42" >>output
@@ -6,10 +8,9 @@
 # @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: btest-diff conn.log
-#
+#
 # The order in the output of enable_auto_protocol_capture_filters isn't
 # stable, for reasons not clear. We canonify it first.
 # @TEST-EXEC: zeek -r $TRACES/empty.trace PacketFilter::enable_auto_protocol_capture_filters=T
 # @TEST-EXEC: cat packet_filter.log | zeek-cut filter | sed 's#[()]##g' | tr ' ' '\n' | sort | uniq -c | awk '{print $1, $2}' >output2
 # @TEST-EXEC: btest-diff output2
-
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index a9a63fa39f..c6aa6e2c80 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-718bc67ea10606ec29acfdae05c463518319e8f2
+5ac67a3895edf0ea6a757ae3ea8626621f57db41
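Review bot: `# @TEST-REQUIRES: have-spicy` at the top of the test skips the whole BPF-filter test on builds without Spicy, so the `output` and `conn.log` checks lose coverage there as well, although only the `output2` baseline appears to depend on the LDAP ports (the `output2` hunk adds `389` and `3268`). The directive has no comment explaining why it is needed; suggest `# The output2 baseline includes the LDAP ports registered by base/protocols/ldap, which is only available on Spicy builds.` on the line below it. That the LDAP script is only loaded on Spicy builds is inferred from the new requirement, not visible in this diff. If the Spicy-dependent `output2` step can be moved into its own test, the remaining steps could keep running everywhere.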