Make ports for LDAP analyzers fully configurable

This moves the ports the LDAP analyzers should be triggered on from the
EVT file to the Zeek module. This gives users full control over which
ports the analyzers are registered for while previously they could only
register them for additional ports (there is no Zeek script equivalent
of `Manager::UnregisterAnalyzerForPort`).

The analyzers could still be triggered via DPD, but this is intentional.
To fully disable analyzers, users can use, e.g.,

```zeek
event zeek_init()
    {
    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP);
    }
```
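As an added example of what this change enables (not part of the commit and not code from the Zeek project), a site-local `local.zeek` fragment that narrows the TCP port set to the site's own LDAP listeners, keeps `likely_server_ports` in step with it, and turns the UDP analyzer off entirely. The non-standard port `10389/tcp` is an assumed illustrative value, not something the page mentions.

```zeek
# Site-local LDAP analyzer policy (example only, not part of this commit).
# Assumes the LDAP::ports_tcp / LDAP::ports_udp constants introduced here.

# Replace the default TCP port set instead of extending it. After this
# change the analyzer is registered for exactly these ports in the
# module's zeek_init handler, so the redef is honored. 10389/tcp is an
# assumed example port for a non-standard LDAP listener.
redef LDAP::ports_tcp = { 389/tcp, 10389/tcp };

# likely_server_ports is a separate set that the module populates from
# its defaults at load time; any port added beyond the defaults must be
# added here as well so the server-direction heuristic sees it.
redef likely_server_ports += { 10389/tcp };

# Turn off UDP LDAP analysis completely. Emptying LDAP::ports_udp would
# only stop port-based registration; DPD could still attach the analyzer,
# as the commit message notes. disable_analyzer removes it outright.
# This handler runs at the default priority, after the module's own
# &priority=5 registration, which is fine because disabling is global.
event zeek_init()
	{
	Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_UDP);
	}
```

Load the fragment from `local.zeek` (or any script loaded after the LDAP module) and confirm with `zeek -C -r <pcap> local` that `ldap.log` only appears for the listed TCP ports.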
Benjamin Bannier 2023-09-21 13:13:32 +02:00
parent c0daacfbd1
commit 9b02b93889
6 changed files with 24 additions and 15 deletions


@ -6,6 +6,14 @@ export {
redef enum Log::ID += { LDAP_LOG,
LDAP_SEARCH_LOG };
## TCP ports which should be considered for analysis.
const ports_tcp = { 389/tcp, 3268/tcp } &redef;
## UDP ports which should be considered for analysis.
const ports_udp = { 389/udp } &redef;
redef likely_server_ports += { LDAP::ports_tcp, LDAP::ports_udp };
## Whether clear text passwords are captured or not.
option default_capture_password = F;
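Review bot: `redef likely_server_ports += { LDAP::ports_tcp, LDAP::ports_udp };` is evaluated when this script is parsed, so it captures the default port sets only; a user's later `redef LDAP::ports_tcp += { ... }` changes what `zeek_init` registers the analyzer for, but does not reach `likely_server_ports`. The `##` doc comments on `ports_tcp` and `ports_udp` should say that ports added by users also need a matching `redef likely_server_ports += { ... }`, otherwise the "full control over which ports" promised in the commit message applies to analyzer registration but not to the server-direction heuristic.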
@ -260,6 +268,9 @@ redef record connection += {
#############################################################################
event zeek_init() &priority=5 {
Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
Log::create_stream(LDAP::LDAP_LOG, [$columns=Message, $ev=log_ldap, $path="ldap", $policy=log_policy]);
Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=Search, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
}
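Review bot: a one-line `##` comment above `event zeek_init() &priority=5` would save readers from having to infer the design: the two `Analyzer::register_for_ports` calls read `LDAP::ports_tcp` / `LDAP::ports_udp` at init time, which is why a user `redef` (resolved before any `zeek_init` handler runs) takes effect, and the priority of 5 means a user's default-priority `zeek_init` calling `Analyzer::disable_analyzer(...)`, as the commit message suggests, runs after this registration and still disables the analyzer globally. Without that note the next reader may wonder why the ports were moved out of the EVT file only to be registered unconditionally here.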