From ceb798b42a919741de789e8055c050de7b42f788 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 16 Apr 2025 09:34:09 +0200
Subject: [PATCH 1/2] Merge remote-tracking branch 'origin/topic/awelzel/4275-ldap-gss-spnego-auth-miss'

* origin/topic/awelzel/4275-ldap-gss-spnego-auth-miss:
 ldap: Clean up from code review
 ldap: Add Sicily Authentication constants
 ldap: Only switch into MS_KRB5 mode if responseToken exists

(cherry picked from commit a2a535d0c91da67c7389a4aedec6a0c8a6da6613)
---
 scripts/base/protocols/ldap/consts.zeek | 2 +
 scripts/base/protocols/ldap/main.zeek | 16 +++++-
 src/analyzer/protocol/ldap/ldap.spicy | 52 +++++++++++++-----
 .../krb.ldap.log | 11 ++++
 .../krb.ldap_search.log | 11 ++++
 .../ntlm.ldap.log | 12 ++++
 .../ntlm.ldap_search.log | 11 ++++
 testing/btest/Traces/README | 3 +
 testing/btest/Traces/ldap/aduser1-ntlm.pcap | Bin 0 -> 3159 bytes
 testing/btest/Traces/ldap/aduser1.pcap | Bin 0 -> 13575 bytes
 .../scripts/base/protocols/ldap/aduser1.zeek | 11 ++++
 11 files changed, 113 insertions(+), 16 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log
 create mode 100644 testing/btest/Traces/ldap/aduser1-ntlm.pcap
 create mode 100644 testing/btest/Traces/ldap/aduser1.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ldap/aduser1.zeek

diff --git a/scripts/base/protocols/ldap/consts.zeek b/scripts/base/protocols/ldap/consts.zeek
index 5b29fd22e4..9eeb9f89af 100644
--- a/scripts/base/protocols/ldap/consts.zeek
+++ b/scripts/base/protocols/ldap/consts.zeek
@@ -26,6 +26,8 @@ export {
 const BIND_SIMPLE = "bind simple";
 const BIND_SASL = "bind SASL";
+ const BIND_SICILY_NEGOTIATE = "sicily_negotiate";
+ const BIND_SICILY_RESPONSE= "sicily_response";
 const RESULT_CODES = {
 [ LDAP::ResultCode_SUCCESS ] = "success",
 [ LDAP::ResultCode_OPERATIONS_ERROR ] = "operations error",
 [
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index da4a21871c..edf77a4aac 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -372,13 +372,23 @@ event LDAP::bind_request(c: connection,
 if ( m?$opcode )
 Reporter::conn_weird("LDAP_bind_opcode_already_set", c, m$opcode, "LDAP");
 
- if (authType == LDAP::BindAuthType_BIND_AUTH_SIMPLE) {
+ switch ( authType ) {
+ case LDAP::BindAuthType_BIND_AUTH_SIMPLE:
 m$opcode = BIND_SIMPLE;
- } else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
+ break;
+ case LDAP::BindAuthType_BIND_AUTH_SASL:
 m$opcode = BIND_SASL;
- } else {
+ break;
+ case LDAP::BindAuthType_SICILY_NEGOTIATE:
+ m$opcode = BIND_SICILY_NEGOTIATE;
+ break;
+ case LDAP::BindAuthType_SICILY_RESPONSE:
+ m$opcode = BIND_SICILY_RESPONSE;
+ break;
+ default:
 Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
 m$opcode = cat(authType);
+ break;
 }
 }
 
diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy
index 0816e6afe9..74f388a60f 100644
--- a/src/analyzer/protocol/ldap/ldap.spicy
+++ b/src/analyzer/protocol/ldap/ldap.spicy
@@ -365,6 +365,12 @@ public type Message = unit(ctx: Ctx&) {
 public type BindAuthType = enum {
 BIND_AUTH_SIMPLE = 0,
 BIND_AUTH_SASL = 3,
+
+ # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
+ # 5.1.1.1.3 Sicily Authentication
+ SICILY_PACKAGE_DISCOVERY = 9,
+ SICILY_NEGOTIATE = 10,
+ SICILY_RESPONSE = 11,
 };
 
 type GSS_SPNEGO_negTokenInit = unit {
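Review bot: `const BIND_SICILY_RESPONSE= "sicily_response";` is missing the space before `=` that every other constant in this export block has; `const BIND_SICILY_RESPONSE = "sicily_response";`. The two new opcode strings also break with the neighbouring `"bind simple"`/`"bind SASL"` form (lower-case, underscore, no `bind` prefix), and since the ntlm baseline added in this commit pins them, this is the moment to settle the spelling. If the enum-like form is intended, a short comment above the two constants saying so would stop the next reader from "fixing" it and breaking the baseline.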
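Review bot: `SICILY_PACKAGE_DISCOVERY` is added to the `BindAuthType` enum in this same commit but has no `case` in the new `switch`, so a package-discovery bind (auth type 9) falls through to `default` and is reported as `LDAP_unknown_auth_type` even though the analyzer now knows the value. Either add `case LDAP::BindAuthType_SICILY_PACKAGE_DISCOVERY:` mapping to a new `BIND_SICILY_PACKAGE_DISCOVERY` constant in consts.zeek, or put a comment on the `default:` branch stating that package discovery is deliberately left on the weird path. The Zeek-side enum name is assumed to follow the pattern of the other cases; worth confirming. The enclosing `LDAP::bind_request` handler starts before the hunk.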
@@ -410,6 +416,13 @@ type SaslCredentials = unit() {
 };
 };
 
+type SicilyMessage = unit() {
+ # Just ensure the signature matches. We could do more,
+ # but it'd be better to forward to an NTLM analyzer.
+ signature: skip b"NTLMSSP";
+ var signature_decoded: string = "NTLMSSP";
+};
+
 type GSS_SPNEGO_Subsequent = unit {
 switch {
 -> spnegoChoiceByte: uint8(0xa1);
@@ -423,6 +436,7 @@ type GSS_SPNEGO_Subsequent = unit {
 type GSS_SPNEGO_negTokenResp = unit {
 var accepted: bool;
 var supportedMech: ASN1::ASN1Message;
+ var responseToken: optional;
 
 # Parse the contained Sequence.
 seq: ASN1::ASN1Message(True) {
@@ -433,7 +447,7 @@ type GSS_SPNEGO_negTokenResp = unit {
 } else if ( msg.application_id == 1 ) {
 self.supportedMech = msg;
 } else if ( msg.application_id == 2 ) {
- # ignore responseToken
+ self.responseToken = msg.application_data;
 } else if ( msg.application_id == 3 ) {
 # ignore mechListMec
 } else {
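Review bot: `signature: skip b"NTLMSSP";` turns any Sicily payload that does not start with that literal into a parse error, and because `BindRequest` parses `SicilyMessage` via `&parse-from` (the hunk further down in this file), that error appears to fail the whole bind request rather than leaving `authType` recorded with no `arg`. If that hard failure is intended, say so where it happens, e.g. `# A Sicily payload without the NTLMSSP signature is a parse error for the whole BindRequest.`. `signature_decoded` is also a constant rather than anything decoded from the input; noting in the comment that it only mirrors the literal because `skip` does not retain the bytes, or naming it for what it is, would avoid the misleading suggestion.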
@@ -468,18 +482,30 @@ type BindRequest = unit(inout message: Message, ctx: Ctx&) {
 self.authType = cast(cast($$.application_id));
 self.authData = $$.application_data;
 }
- if ((self.authType == BindAuthType::BIND_AUTH_SIMPLE) && (|self.authData| > 0)) {
- self.simpleCreds = self.authData.decode();
- if (|self.simpleCreds| > 0) {
- message.arg = self.simpleCreds;
- }
- }
- }
- saslCreds: SaslCredentials() &parse-from=self.authData if ((self.authType == BindAuthType::BIND_AUTH_SASL) &&
- (|self.authData| > 0)) {
- message.arg = self.saslCreds.mechanism;
- ctx.saslMechanism = self.saslCreds.mechanism;
 }
+
+ if ( |self.authData| > 0 ) {
+ switch ( self.authType ) {
+ BindAuthType::BIND_AUTH_SIMPLE ->
+ : void {
+ self.simpleCreds = self.authData.decode();
+ message.arg = self.simpleCreds;
+ }
+
+ BindAuthType::BIND_AUTH_SASL ->
+ saslCreds: SaslCredentials {
+ message.arg = self.saslCreds.mechanism;
+ ctx.saslMechanism = self.saslCreds.mechanism;
+ }
+
+ BindAuthType::SICILY_NEGOTIATE, BindAuthType::SICILY_RESPONSE ->
+ sicilyMessage: SicilyMessage {
+ message.arg = self.sicilyMessage.signature_decoded;
+ }
+
+ * -> : void;
+ } &parse-from=self.authData;
+ };
 } &requires=(self?.authType && (self.authType != BindAuthType::Undef));
 
 type ServerSaslCreds = unit {
@@ -523,7 +549,7 @@ type BindResponse = unit(inout message: Message, ctx: Ctx&) {
 if ( $$?.negTokenResp ) {
 local token = $$.negTokenResp;
 if ( token.accepted && token?.supportedMechOid ) {
- if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) {
+ if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 && token.responseToken ) {
 ctx.messageMode = MessageMode::MS_KRB5;
 }
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log
new file mode 100644
index 0000000000..740ca715e6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log
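Review bot: The `* -> : void;` arm of the new switch silently covers both `SICILY_PACKAGE_DISCOVERY` (added to the enum in this commit) and any unlisted auth type whenever `authData` is non-empty, leaving `message.arg` unset with nothing saying this is deliberate; a one-line comment on that arm, `# Package discovery and unknown auth types: keep authType, leave arg unset.`, would document it. The rewrite also drops the old `|self.simpleCreds| > 0` guard before `message.arg = self.simpleCreds;`, which is behaviour-preserving only if decoding non-empty bytes never yields an empty string; that looks true for the default decode but is worth confirming. The enclosing `BindRequest` unit starts before the hunk.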
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
+#types time string addr port addr port int int string string string string string
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1440128865 3 bind SASL success - User1 GSS-SPNEGO
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log
new file mode 100644
index 0000000000..76424d5afc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap_search
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
+#types time string addr port addr port int string string string count string string string vector[string]
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1319382063 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
new file mode 100644
index 0000000000..a1caacd709
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
+#types time string addr port addr port int int string string string string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 sicily_negotiate success - User1 NTLMSSP
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 sicily_response success - User1 NTLMSSP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log
new file mode 100644
index 0000000000..a02df616d7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap_search
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
+#types time string addr port addr port int string string string count string string string vector[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1673297393 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index dd8d0350fe..e4209961ea 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README @@ -32,3 +32,6 @@ Trace Index/Sources: - quic/merlinc2_Zeek_example.pcapng Provided by Faan Rossouw on #4198 https://github.com/zeek/zeek/issues/4198 +- ldap/adduser1.pcap ldap/adduser1-ntlm.pcap + Provided by Mohan-Dhawan on #4275 + https://github.com/zeek/zeek/issues/4275 diff --git a/testing/btest/Traces/ldap/aduser1-ntlm.pcap b/testing/btest/Traces/ldap/aduser1-ntlm.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3498d7a3cba5402cdf3fa5743d5c85057ee2e7b7 GIT binary patch literal 3159 zcmds3Z){Ul6hHU%b}NM_`vY4vgOLR{adhwX?;CEi+VN*ww~^q`ScNrR8O74#+KE9R zWr(0cB8w!(D0VYO910@fP!tA=elQL-d@&e92p<-sGBD!XRM`IE)`07!D48G}x|R4^WTS)L_Pgiw|_+e_z3611tfk>OWos zHCa`C0|&3{z_z>l2HTkvdipdij!U9ViWW?0) zHRQnCH4w|HKTD{D&USX+@MK-NhUjPFxwmhBxmQC*Gy|c7v-AjAAmrCK06dD8s7>SK(RQGOA}3pHQ7bUn|=fOoONF;^tCl8dK`yNWCPBN;GE84&atZDfN1&itNp%Q%AKC8`F?W|qybT!m9Ei1=? zyV>P*8<~XWCGkTQ#Orq56LB^=eZFvKDB9%R;NQhJcmu&+<%5dtvlWxsq*`T@qF8J; zyGb!wO{#3^%B9jd`iLtWigtv9JD6Es$Wx%WapR^ow>J`9>5p;&%cli#=nl7sL-7)M z9#3b%qEzy1Sue3RZQp-$7+?|CT52|Uc_2>NSUQ-JjjEhb>mJHRX-6U(1DK5hk&W-Q zD78^G&hk=MQ#CP?%SSIF<+ZK}p~FEi?DGc2qut^^e*zJOP;{KhV&;K~q{UP|&s8iI z)h^2xi_M{`W`|<8h_ywj0Tb)9wO5k{SE9vDOcd~0o#bYXw{4x*_e>zvZW{ON*9nw< zN>EbnhSIyjnfa-d5`H@rv)y4en^i@2WaenIsFjMWsqAo+NM138frbeT7W3*+2B|LNR>RV64{*Y_uC(|N2-MTB@75$(v0 XT57d}vOupu{2?9UihO{%=K=l!B>FKB literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/ldap/aduser1.pcap b/testing/btest/Traces/ldap/aduser1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a1d1c5aa4a6ac259e0515ee8a23819ee90b0a135 GIT binary patch literal 13575 zcmeHtc{o&U`2U%4W^CElh=fXF8oL%-NV1y=f6%&xf;7PEJqghw88>2aai{^ZQE}S5W z8#2lTG~zINA3#)ySbvy+WB@SO#vyLfe2pRMPlzas8*(GD5g$TCfMGdGv0EGo(PVKq zVaM7=M}O`qBY6AeO15@NWRjLPf(OHuv`J(#d)LIo1XGY>838c{+JcR#nqOkXkpq7~ zF)j<{5~DB>V`qY_5|4sBlQck90ubLrfbsPQc$O*HVQx6g6j(?9r8h%(kWoB>#EM;+ zm+VDYx|e5gtM75Ci@ey)3E-F6W?bl&*pvMf(v58i$U3a|jwKT35^)3qz95(!RIrG= zfG7ZtQ5@X>k5?q}tEVibe-X#w@z`z(b5{VIW$yBf87)wxPF5?JC9fJ97VYIv4WNZm z{k>?RUd~I*b+rr(O~Zq!K2cOJ+M3X?NGeqHy*)DK&15Et9VpJ83$>{Wq& z;8;`8>|#PVyjpL%Ft@Soehtgssrz%R3v$iDqwXJ2<-5RgtlA#CHU zp-J-{w1(PtPHR|VZ=HOem;kJy{3+WSx_~u6Z?tEuHH?)Ycme;@HWfg!2D&j_CU)p; z%6<#=$+`u?jU9D1gK} zfO8^dhy{3r8DfsuAl8UIVuj$r-Q&;V5JhAKHbN6|1*04gJwzWI&j-CF7;ghOP@LdC z5)zDrA%2Jt=y?$1f59OA3j*O^pTUdpA!A=AsMyW{0`dhg3)?tDeyiDo8FC$$A-}gy zzK{tGS#~+wklz49&H@+}EX6`V9I^#=*aqHoj_scm%W25&?0X7VkX;xQ)QP1{hzHHa z^ydh(pFQh%Y%hw40_j1m1M@x;em=6rfx7yU{ycu7Y#rtu$wLGr9}Iwv+rE)B8V=gG zjVPymU&ySkuqp)hjT;JNiUEk=Phj6~0EQE{7+CiGU&X+*Z+@hZmrQ`RjU@?n!vrK9 zpu;v!Tk)Fjp|V6Yqon%za2&KF#}N+7IJ3Zb8XgniG%f+Y00Mjq1vs*YEx=qLz;^(29A!`- zaQi39QUY8b7mA6!oZc!T-YiQ}W>I$b2SM?(p8+%9VdHU`Zyw;i2TBvg5huxf ziD4McU$|(V0nnvj<~v)8t>^bZ&v_8Bm`I!?|F2&S5$E7oh`s)ZTb{boAWI6)X&h4M z9V-Q4J`QAVDWI4XJXlgd+;h8gg)~p+pG*q%o*2!1Tr>{> z^iC)RQX*RlAAl5gLB#U_@dqFtwsG%If4vt(RI`~75#;|BztTbs5n!APN<2+YtSscg z;|L7!BTytomLQ82qIf)#z~D!*mluZ{El%7{PRuCa-il=FU~Xnxq)Jw14wENOl_#!^^o?E94SzC{+ zqoqYQ)YH{9^f)yB)L|kX72m%k?+Aem9xM)};Veu<-VqS2aXURi8;t-pXL+7WbDeqW zGb$5Am3W9Q>~|Jw>;r-jUDwiy&SW~#9uiG}LJ?$;$QopIxGTX>L1&PslNI1a@j_{N zNiJ?NDHM&DLh%H`Dxst2edy?EG99g8K5YDbjQ=FPB03rdP}VZ30;J&?baXXJN8Ojd z@Zh(jDkwYmOP#1YQ_1)$so`0F==LU(rkG`>?y@b>(gvILklcFbhyrt?OvWEPA7&)9 zDI3M)js7icc~7rDmow9~<%a%2AVnClgi zp9CLU|1GQA&^T*^G-#G@KK-HK(`%~5oQ*Ta zD>#|Oh$a-Yp6PgU%#Lqc&9u0hbS+ukY4p(=%Bs3!CW-U1&SxuGFO8U`pkrFl&?nd} 
z+LiuMjwkm)`S;+wD=$Z$W^TX4tL^i?(&1y8f7*aJaf^4j!QMbez3H!eZ}ntOWjM@z z(|4=uMMIogz72CD8Wdrz%BvT{11Wv%`8 zmW~tJUp}d>J5sy-!PWr%?HbG46sDhEb!MGU;{e`sn)nwvpD!D(=P5m_H(RnGr1h3y zw=ey~9p6NSGvX;%qqpb` z$aoyGO_=JFW4bkD+Sx7Ep}6dbL_6`y)c$7{?<&g~v17Mnb;W`oDQ`n-sE4=e>9O^lT+D!-|V>H>*$AgGqF6%Jsj^ zr@zv>UMY7d*2L^HLidk-bg=A2!1r%uitX!hJ2di3eI5+&yw9t0o(* z!IRN=b=0_on(FRgn;!2uP?D08RCsNZ!E8^#bFZ?UG~Zk;y(M~LY80;S%<*daM#{3o zs|~I>mDn10+*4GtqFmf~c*HrVp`tvZ6BRmOFimh_vX#Y0={BWZs@sG*Wey#3>V6^LAyKf}aum7NqLFPK6@J@h_nfWri}hAWZ6$7#p1RO>ZvU`YeD>4i zbPaUoyP5mmz1AibAKNwG2>FQXu-SWZbajxVklcnYS?{g2uXEC=x{~eR(_J2>-RQir zW>_WHT4E=O5+3zt>YEGl+xE6;Y_+;{esJW#fzXuwS`Ump=9wSf>E@;;XW8IyRO|U* zfBxq)rHAM^4KQU<8|!j#a$u$+?Rjh8)%p5w#Bbc(QBrAhakcKJmT&^Uc=Y@3qItJg ztIWJ2x2bNJw`_O3g-X_!fGQ{R8c*MRDZ%q{_5D3{jeFFaOKNu?H~cY*76aUzvNXE&=I{%jrp$?cWZ7SGZRNvh3KM*a_jvXiDPKdoet zuPgd=ZA8)^ajkzj?2w2|9UWSGSNxGNe~D4iV92SX%`M{HgI5S3?x6#HkrvY&-`Sz=NeeKACILPRluxR8xF zz(Vws;y~og)^usSShnWHsrlvwK=UVI%;$GyYknVy`2$dniqb?d+eNT8&X&|@d>CTT zM2L=(2-29soIhw5bI`?^rR!?;LQc8s(^hY-ldIHW!A}1!i&In@aGDG0lDf+~NyaPl z79zIAuw@sHxb>u-UJqXgnD+~5t1DR8Xi)j29$1YI-SUd7pQZyk7<@E49UQ(Yyhm*T9VTm?~Qeeh6u`5JYrq;vJjg zamba>Ces6@(9--*i1luqhzLS>6-*~QC({Yf*g5Z%B09kvoLL2$8$63+&a=8?fRX-{Z8P1Cvd+Lxc_?zTyX?B3`^b^foQna^a=nJ&0-J%T>cdsy}Skj`CRc{3^*XrGT;q2w3J?>@q{!&mb4k53_$_J*2 zi0DM60%fuiBne+Ql`JCx>`Bt>08g&voy1rp!5Li4AZTPFCGD38t^z7JWdpk19V{p2eg?Zym1Cj zU77$EI9G86&YGUoDnFQfq-rur0-;S91WZ53)Wgm)yO?~T&qiI-+>V%i^GUvEqiOP_=h*A5j5wV;pHKVf9vNJ3 z+pyBYS?hSjx~sLuOB;U3$*Ie1JbKwBe1T`ysqe;nvMU-NnmG-R%wKF&eScGt!_I>T zkO$Xgb{G3AKS^~}unV|GnKMlK(oHYhvg-1!p38!*YlJ-geI7jhY9%0&{4rZZb>t4E z`h23Rs({y?K+Ed4gH8mVKjZG+$5T;nhO}p2v0{syXP=vNM7rYMH8vF<4OuxO5)oad zJp1m-sDED?sLFRdcNf+9u}r%xb>VppyD8rYB5M7W_L8U2ve}P2s5#$!(|Tgdr5hKd zWhH)Wxl(XmrB7vD*vUWFL`TVId$`Go3|C%qt8f)XepntlvIlkEX_;JgQ!!oXgQiP| zj7@=>~i;t10I)d%wOu(dV=V7wC7ovk+i=4YQ?x^~Rd>$<|7}nw=Xw1uxcTn5uK35>KN|_>->3H+V@>pqd zWaalAHqUGB2#%ha**Z;%Ci=2QNU$wzhP&6j^leAv`d)N|S)6!sdy#%bzv}DG()@RA 
zhN%*#>>6;+uL5u%gBADB>rT4u+xgJob#P?TAHsk2+_+!T9VtPObw9RHe0a{(R7{;-e=DQUg+NvwirU>5^tvW-e_a^LCQ6%T8XFY*bnEjq!1s-I7D^jY8{l<9FWM ziX-tpu^-glyKb&yO6(dX9_5?sTf*11-iw@d|3K+`V#AOAh)c?94du^1mx`F zwVs3sMHhx7%kN5RD*2pe8-4=6pyWvkMnh;(JW$PLrxx->7z8!SJ# z@LN=i*@9DtFIYMGZ;I&M;eFhoTuxP8M#yg4$LsQX zE#KYu%3ppb=1H7|$)fd^Z-$>=BEQt!yLHzUC)oj?%7t%lD?Bh0_})nPwC_$WA-(L- zNKMwctbowwMCrQeuLRC6JlVN$L7|%5qYNt-^;;%9UKtnq__f}3&6)XKOCxem|C+;# zYuBHCuIgf`d`IGoYRuOlS^4~nUzSDh&ae6^A=BSm$uP)^&{t1&B&>>)ET8Qm@+>|x z-1@F!guYxsw}o)a-IY-(J6tZF@FvHdSXdDq93`q-W}ErIYr}KJRZ6FGa}WBvC@)F; z^DmkZA3^ZGQCr)_u&B}nM3veL$3+5r10?M?og_3o8EvQatt;s|DspvMYP)Ss!)Szw zH^n`%UjgVul-%M%u;e) zfk-*S><(Ycqqv!8++RJefalKv{u{P&)6Nvy6fBm& zj|14UBkJ^%JF+js7vIMs#UHm}cC$G*b;U;}4@e zoy69RD2U0}YMvT^I7x{?7(?`*2oaVTmRd1O44rKpba81z6O&yXTXxJPa6d~7VxYtT zmV5owMgXhCaQ7JpA~&ZZ7+ot^bTOB{RjGrIp6>vsIGG_fr(%H90H|M^_DMMv#Sncb zLWG>Q3o|*r^@6=J^f-Uy@`N@;{`4FUjOBS;^4FsI#fov!N zkGixR^zo(>VnIHFGCx>>X@4LpU`3&5QXK6qt>BE`4UAaMUT;DtECu&k6bO+8$E@}O z#Q`laR1*{j=77sH*@+fMao~3<^*fdNol5;qrT(|3QrLVPOwME&{;03#kXa+~(X}@f z^J9tBl_nGl-7#nu?@gi_xC$_i~ zTfEKm?bt$VDoqTF4XW(ez+7%3)yTM8k{~<%hinEr+DL$C6G%=5P;;4n-3RVZ2WyN_ z@b`ywp(Gikh~Thrtl!4ckA9AT#}z_}5iqdy4sr&TyCq;<$`V+gR`O>DmbD-d?ofpz5F;@}l?f3+s7kM9BZfdka$+MMwJ+9~=a*Q3O8NU4v6mQVfCFqz zg#Zo@IKyNAI2=-7{fBUrnVp%RUsz0Nw7pLV^$#?}hZfAxIyx^=T8pGjGSmetx3zTi z^z=zuBwdmrS%)qTmn!_c#XKxDIx;Lc38zigM7f|)f$%tgTc4i-g**eD=m|Pn^WnM?JkB4*mR1Fg@FELP1Z&)xE~-HjhkCbSS50tCy)S8G+>3=P zck#cn3|XM}5KQk4Oey(8yfj>sB6ccL^b%*Tih90Z5?`2=IP?!VHadj zsTfG6sgHl4kKbBa=o->5y4uIE)Wl{<>%Xv6gb_27nk6PG}33$}{|KL&ke~3qYLoFRGJsmwJ-IMB3&p>y+p}wKMHd7vx>QVcj zc+{Sd$CXSyMnR);Kq%mWo)aO$8PK(I G1o?l2(4R^G literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ldap/aduser1.zeek b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek new file mode 100644 index 0000000000..fdafa692f6 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek 
@@ -0,0 +1,11 @@
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1.pcap %INPUT
+# @TEST-EXEC: mkdir krb && mv *.log krb
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
+# @TEST-EXEC: mkdir ntlm && mv *.log ntlm
+# @TEST-EXEC: btest-diff krb/ldap.log
+# @TEST-EXEC: btest-diff krb/ldap_search.log
+# @TEST-EXEC: btest-diff ntlm/ldap.log
+# @TEST-EXEC: btest-diff ntlm/ldap_search.log
+#
+# @TEST-DOC: Check two traces using different authentication mechanisms, but the same search request.

From bdcb1c8a4456ce8b84fe43f0036f7520c1963374 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Tue, 6 May 2025 09:45:25 +0200
Subject: [PATCH 2/2] ldap: Replace if with switch on bool

The change from a2a535d0c91da67c7389a4aedec6a0c8a6da6613 used zeek/spicy#1841, but Zeek 7.0 does not have that functionality yet. Replace with switch ( bool ).
---
 src/analyzer/protocol/ldap/ldap.spicy | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy
index 74f388a60f..ef3665f50d 100644
--- a/src/analyzer/protocol/ldap/ldap.spicy
+++ b/src/analyzer/protocol/ldap/ldap.spicy
@@ -484,8 +484,8 @@ type BindRequest = unit(inout message: Message, ctx: Ctx&) {
 }
 }
 
- if ( |self.authData| > 0 ) {
- switch ( self.authType ) {
+ switch ( |self.authData| > 0 ) {
+ True -> switch ( self.authType ) {
 BindAuthType::BIND_AUTH_SIMPLE ->
 : void {
 self.simpleCreds = self.authData.decode();
@@ -502,10 +502,10 @@ type BindRequest = unit(inout message: Message, ctx: Ctx&) {
 sicilyMessage: SicilyMessage {
 message.arg = self.sicilyMessage.signature_decoded;
 }
-
- * -> : void;
- } &parse-from=self.authData;
- };
+ };
+
+ * -> : void;
+ } &parse-from=self.authData;
 } &requires=(self?.authType && (self.authType != BindAuthType::Undef));
 
 type ServerSaslCreds = unit {
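Review bot: The trace paths used here, `${TRACES}/ldap/aduser1.pcap` and `${TRACES}/ldap/aduser1-ntlm.pcap`, match the files added under `testing/btest/Traces/ldap/` but not the index entry this commit adds to `testing/btest/Traces/README`, which spells them `ldap/adduser1.pcap ldap/adduser1-ntlm.pcap`. The README line should read `- ldap/aduser1.pcap ldap/aduser1-ntlm.pcap` so that someone looking up the provenance of these traces by filename actually finds the entry.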
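Review bot: `switch ( |self.authData| > 0 ) { True -> switch ( self.authType ) {` reads as an unusual way to spell an `if`, and nothing in the code says why; the reason in the commit message (the `if { switch … }` form relies on zeek/spicy#1841, which Zeek 7.0 lacks) belongs next to the code so it is not "simplified" back later. Suggest a comment above the outer switch: `# Switch on the bool rather than if: Zeek 7.0's Spicy lacks zeek/spicy#1841.`. The same applies to the second hunk at line 502, which moves the `* -> : void;` default arm out to the outer switch. The enclosing `BindRequest` unit starts before the hunk.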