Name LDAP::Message and LDAP::Search *Info

This commit is contained in:
Benjamin Bannier 2023-10-10 12:32:45 +02:00
parent 9b02b93889
commit c43bc52e18
3 changed files with 14 additions and 16 deletions


@ -29,8 +29,7 @@ export {
############################################################################# #############################################################################
# This is the format of ldap.log (ldap operations minus search-related) # This is the format of ldap.log (ldap operations minus search-related)
# Each line represents a unique connection+message_id (requests/responses) # Each line represents a unique connection+message_id (requests/responses)
type Message: record { type MessageInfo: record {
# Timestamp for when the event happened. # Timestamp for when the event happened.
ts: time &log; ts: time &log;
@ -68,8 +67,7 @@ export {
############################################################################# #############################################################################
# This is the format of ldap_search.log (search-related messages only) # This is the format of ldap_search.log (search-related messages only)
# Each line represents a unique connection+message_id (requests/responses) # Each line represents a unique connection+message_id (requests/responses)
type Search: record { type SearchInfo: record {
# Timestamp for when the event happened. # Timestamp for when the event happened.
ts: time &log; ts: time &log;
@ -110,8 +108,8 @@ export {
# Event that can be handled to access the ldap record as it is sent on # Event that can be handled to access the ldap record as it is sent on
# to the logging framework. # to the logging framework.
global log_ldap: event(rec: LDAP::Message); global log_ldap: event(rec: LDAP::MessageInfo);
global log_ldap_search: event(rec: LDAP::Search); global log_ldap_search: event(rec: LDAP::SearchInfo);
# Event called for each LDAP message (either direction) # Event called for each LDAP message (either direction)
global LDAP::message: event(c: connection, global LDAP::message: event(c: connection,
@ -262,8 +260,8 @@ global OPCODES_SEARCH: set[LDAP::ProtocolOpcode] = { LDAP::ProtocolOpcode_SEARCH
############################################################################# #############################################################################
redef record connection += { redef record connection += {
ldap_proto: string &optional; ldap_proto: string &optional;
ldap_messages: table[int] of Message &optional; ldap_messages: table[int] of MessageInfo &optional;
ldap_searches: table[int] of Search &optional; ldap_searches: table[int] of SearchInfo &optional;
}; };
############################################################################# #############################################################################
@ -271,8 +269,8 @@ event zeek_init() &priority=5 {
Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp); Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp); Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
Log::create_stream(LDAP::LDAP_LOG, [$columns=Message, $ev=log_ldap, $path="ldap", $policy=log_policy]); Log::create_stream(LDAP::LDAP_LOG, [$columns=MessageInfo, $ev=log_ldap, $path="ldap", $policy=log_policy]);
Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=Search, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]); Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=SearchInfo, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
} }
############################################################################# #############################################################################


@ -360,8 +360,8 @@ connection {
* ts: time, log=T, optional=F * ts: time, log=T, optional=F
* uid: string, log=T, optional=F * uid: string, log=T, optional=F
} }
* ldap_messages: table[int] of record LDAP::Message, log=F, optional=T * ldap_messages: table[int] of record LDAP::MessageInfo, log=F, optional=T
LDAP::Message { LDAP::MessageInfo {
* argument: vector of string, log=T, optional=T * argument: vector of string, log=T, optional=T
* diagnostic_message: vector of string, log=T, optional=T * diagnostic_message: vector of string, log=T, optional=T
* id: record conn_id, log=T, optional=F * id: record conn_id, log=T, optional=F
@ -376,8 +376,8 @@ connection {
* version: int, log=T, optional=T * version: int, log=T, optional=T
} }
* ldap_proto: string, log=F, optional=T * ldap_proto: string, log=F, optional=T
* ldap_searches: table[int] of record LDAP::Search, log=F, optional=T * ldap_searches: table[int] of record LDAP::SearchInfo, log=F, optional=T
LDAP::Search { LDAP::SearchInfo {
* attributes: vector of string, log=T, optional=T * attributes: vector of string, log=T, optional=T
* base_object: vector of string, log=T, optional=T * base_object: vector of string, log=T, optional=T
* deref: set[string], log=T, optional=T * deref: set[string], log=T, optional=T


@ -10,12 +10,12 @@
# #
# @TEST-DOC: Test LDAP analyzer with small trace using logging policies. # @TEST-DOC: Test LDAP analyzer with small trace using logging policies.
hook LDAP::log_policy(rec: LDAP::Message, id: Log::ID, filter: Log::Filter) hook LDAP::log_policy(rec: LDAP::MessageInfo, id: Log::ID, filter: Log::Filter)
{ {
break; break;
} }
hook LDAP::log_policy_search(rec: LDAP::Search, id: Log::ID, hook LDAP::log_policy_search(rec: LDAP::SearchInfo, id: Log::ID,
filter: Log::Filter) filter: Log::Filter)
{ {
break; break;