Integrate spicy-ldap test suite

src/spicy/spicy-ldap/tests/baseline/analyzer.log_policy/output

@@ -1,2 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.

src/spicy/spicy-ldap/tests/baseline/analyzer.search_filter_extended/ldap_search.log

@@ -1,12 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	ldap_search
-#open XXXX-XX-XX-XX-XX-XX
-#fields	uid	filter	base_object
-#types	string	string	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
-CHhAvVGS1DHFjwGM9	(departmentNumber:2.16.840.1.113730.3.3.2.46.1:=>=N4709)	DC=matrix\x2cDC=local

src/spicy/spicy-ldap/tests/btest.cfg

@@ -1,34 +0,0 @@
-[btest]
-MinVersion  = 0.66
-
-TestDirs    = analyzer
-TmpDir      = %(testbase)s/.tmp
-BaselineDir = %(testbase)s/baseline
-IgnoreDirs  = .svn CVS .tmp Baseline Failing traces Traces
-IgnoreFiles = .DS_Store *.pcap data.* *.dat *.wmv *.der *.tmp *.swp .*.swp #* CMakeLists.txt
-
-[environment]
-DIST=%(testbase)s/..
-PATH=%(testbase)s/../tests/scripts:`spicyz --print-plugin-path`/tests/scripts:%(default_path)s
-SCRIPTS=`spicyz --print-plugin-path`/tests/Scripts
-ZEEK_SPICY_MODULE_PATH=%(testbase)s/../build/spicy-modules
-TEST_DIFF_CANONIFIER=`spicyz --print-plugin-path`/tests/Scripts/canonify-zeek-log-sorted
-TRACES=%(testbase)s/traces
-ZEEKPATH=%(testbase)s/..:`zeek-config --zeekpath`
-ZEEK_SEED_FILE=`spicyz --print-plugin-path`/tests/random.seed
-
-# Set variables to well-defined state.
-LANG=C
-LC_ALL=C
-TZ=UTC
-CC=
-CXX=
-CFLAGS=
-CPPFLAGS=
-CXXFLAGS=
-LDFLAGS=
-DYLDFLAGS=
-
-[environment-installation]
-ZEEK_SPICY_MODULE_PATH=
-ZEEKPATH=`%(testbase)s/scripts/zeek-path-install`

src/spicy/spicy-ldap/tests/scripts/zeek-path-install

@@ -1,5 +0,0 @@
-#! /bin/sh
-#
-# Assembles the Zeek path for testing the installed version (can't do that in btest.cfg directly).
-
-echo $(spicyz --print-scripts-path):$(zkg config script_dir):$(zeek-config --zeekpath)

src/spicy/spicy-ldap/tests/traces/README

@@ -1,15 +0,0 @@
-The test suite comes with a set of traces collected from a variety of
-places that we document below. While these traces are all coming from
-public sources, please note that they may carry their own licenses.
-We collect them here for convenience only.
-
-- [ldap-simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
-- ldap-simpleauth-diff-port.pcap: made with
-  `tcprewrite -r 3268:32681 -i ldap-simpleauth.pcap -o ldap-simpleauth-diff-port.pcap`
-- ldap-krb5-sign-seal-01.pcap: trace is derived from
-  <https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/ldap-krb5-sign-seal-01.cap>
-  - the LDAP flow selected (filtered out the Kerberos packets)
-  - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
-  - one `\x30` byte in the ciphertext changed to `\x00`
-- ldap-issue-32.pcapng: Provided by GH user martinvanhensbergen,
-  <https://github.com/zeek/spicy-ldap/issues/23>

testing/btest/Baseline/coverage.record-fields/out.default

@@ -360,6 +360,39 @@ connection {
         * ts: time, log=T, optional=F
         * uid: string, log=T, optional=F
        }
+  * ldap_messages: table[int] of record LDAP::Message, log=F, optional=T
+      LDAP::Message {
+        * argument: vector of string, log=T, optional=T
+        * diagnostic_message: vector of string, log=T, optional=T
+        * id: record conn_id, log=T, optional=F
+            conn_id { ... }
+        * message_id: int, log=T, optional=T
+        * object: vector of string, log=T, optional=T
+        * opcode: set[string], log=T, optional=T
+        * proto: string, log=T, optional=T
+        * result: set[string], log=T, optional=T
+        * ts: time, log=T, optional=F
+        * uid: string, log=T, optional=F
+        * version: int, log=T, optional=T
+       }
+  * ldap_proto: string, log=F, optional=T
+  * ldap_searches: table[int] of record LDAP::Search, log=F, optional=T
+      LDAP::Search {
+        * attributes: vector of string, log=T, optional=T
+        * base_object: vector of string, log=T, optional=T
+        * deref: set[string], log=T, optional=T
+        * diagnostic_message: vector of string, log=T, optional=T
+        * filter: string, log=T, optional=T
+        * id: record conn_id, log=T, optional=F
+            conn_id { ... }
+        * message_id: int, log=T, optional=T
+        * proto: string, log=T, optional=T
+        * result: set[string], log=T, optional=T
+        * result_count: count, log=T, optional=T
+        * scope: set[string], log=T, optional=T
+        * ts: time, log=T, optional=F
+        * uid: string, log=T, optional=F
+       }
   * modbus: record Modbus::Info, log=F, optional=T
       Modbus::Info {
         * exception: string, log=T, optional=T

testing/btest/Baseline/scripts.base.protocols.ldap.attributes/conn.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	spicy_ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-

testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	version	opcode	result	diagnostic_message	object	argument
 #types	time	string	addr	port	addr	port	string	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	1	3	bind simple	success	-	xxxxxxxxxxx@xx.xxx.xxxxx.net	REDACTED
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	3	3	bind simple	success	-	CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	REDACTED
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.attributes/ldap_search.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	scope	deref	base_object	result_count	result	diagnostic_message	filter	attributes
 #types	time	string	addr	port	addr	port	string	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	2	tree	always	DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	sAMAccountName
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.basic/conn.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	spicy_ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-

testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	version	opcode	result	diagnostic_message	object	argument
 #types	time	string	addr	port	addr	port	string	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	1	3	bind simple	success	-	xxxxxxxxxxx@xx.xxx.xxxxx.net	REDACTED
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	3	3	bind simple	success	-	CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	REDACTED
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.basic/ldap_search.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	scope	deref	base_object	result_count	result	diagnostic_message	filter	attributes
 #types	time	string	addr	port	addr	port	string	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	2	tree	always	DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.basic/output

@@ -1,4 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-LDAP::Messages {
-  payload: test string
-}

testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/conn.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	tcp	ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	spicy_ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-

testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	version	opcode	result	diagnostic_message	object	argument
 #types	time	string	addr	port	addr	port	string	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	tcp	1	3	bind simple	success	-	xxxxxxxxxxx@xx.xxx.xxxxx.net	REDACTED
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	tcp	3	3	bind simple	success	-	CN=xxxxxxxx\x2cOU=Users\x2cOU=Accounts\x2cDC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	REDACTED
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.diff_port/ldap_search.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	scope	deref	base_object	result_count	result	diagnostic_message	filter	attributes
 #types	time	string	addr	port	addr	port	string	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	tcp	2	tree	always	DC=xx\x2cDC=xxx\x2cDC=xxxxx\x2cDC=net	1	success	-	(&(objectclass=*)(sAMAccountName=xxxxxxxx))	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/conn.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	3268	tcp	ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.1	25936	10.0.0.2	32681	tcp	spicy_ldap_tcp	181.520479	258	188	RSTO	0	ShADdR	8	590	4	360	-

testing/btest/Baseline/scripts.base.protocols.ldap.log_policy/output

@@ -1,2 +1 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.

testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/conn.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.31.1.104	3116	172.31.1.101	389	tcp	ldap_tcp	0.813275	1814	2391	S1	0	ShADd	6	2062	4	2559	-
 #close XXXX-XX-XX-XX-XX-XX
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.31.1.104	3116	172.31.1.101	389	tcp	spicy_ldap_tcp	0.813275	1814	2391	S1	0	ShADd	6	2062	4	2559	-

testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	version	opcode	result	diagnostic_message	object	argument
 #types	time	string	addr	port	addr	port	string	int	int	set[string]	set[string]	vector[string]	vector[string]	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.31.1.104	3116	172.31.1.101	389	tcp	215	3	bind SASL	success	-	-	GSS-SPNEGO
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.sasl-encrypted/ldap_search.log

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-### NOTE: This file has been sorted with diff-sort.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
@@ -8,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	message_id	scope	deref	base_object	result_count	result	diagnostic_message	filter	attributes
 #types	time	string	addr	port	addr	port	string	int	set[string]	set[string]	vector[string]	count	set[string]	vector[string]	string	vector[string]
-#close XXXX-XX-XX-XX-XX-XX
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.31.1.104	3116	172.31.1.101	389	tcp	213	base	never	-	1	success	-	(objectclass=*)	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Traces/README

@@ -7,3 +7,14 @@ depend on them for tests.
 Trace Index/Sources:
 
 - modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file.
+
+- [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap)
+- ldap/simpleauth-diff-port.pcap: made with
+  `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap`
+- ldap/krb5-sign-seal-01.pcap: trace is derived from
+  <https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/ldap-krb5-sign-seal-01.cap>
+  - the LDAP flow selected (filtered out the Kerberos packets)
+  - truncated to 10 packets (where packet 10 contains the SASL encrypted LDAP message)
+  - one `\x30` byte in the ciphertext changed to `\x00`
+- ldap/issue-32.pcapng: Provided by GH user martinvanhensbergen,
+  <https://github.com/zeek/spicy-ldap/issues/23>

testing/btest/scripts/base/protocols/ldap/attributes.zeek

@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth.pcap %INPUT
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
@@ -8,6 +8,4 @@
 #
 # @TEST-DOC: Test LDAP search attributes with small trace.
 
-@load analyzer
-
 redef LDAP::default_log_search_attributes = T;

testing/btest/scripts/base/protocols/ldap/basic.zeek

@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth.pcap %INPUT >output 2>&1
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth.pcap %INPUT >output 2>&1
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
@@ -8,5 +8,3 @@
 # @TEST-EXEC: btest-diff ldap_search.log
 #
 # @TEST-DOC: Test LDAP analyzer with small trace.
-
-@load analyzer

testing/btest/scripts/base/protocols/ldap/diff_port.zeek

@@ -1,11 +1,9 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth-diff-port.pcap %INPUT
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth-diff-port.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
 # @TEST-EXEC: btest-diff ldap_search.log
 #
 # @TEST-DOC: Test LDAP analyzer with small trace.
-
-@load analyzer

testing/btest/scripts/base/protocols/ldap/functions.spicy

@@ -1,4 +1,7 @@
-# @TEST-EXEC: spicyc -j -d -L ${DIST}/analyzer %INPUT
+# This test can only run if we have the LDAP grammar available.
+# @TEST-REQUIRES: [ -n ${DIST} ]
+#
+# @TEST-EXEC: spicyc -j -d -L ${DIST}/src/analyzer/protocol/ldap %INPUT
 #
 # @TEST-DOC: Validates helper functions in LDAP module.
 

testing/btest/scripts/base/protocols/ldap/log_policy.zeek

@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-simpleauth.pcap %INPUT >output 2>&1
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/simpleauth.pcap %INPUT >output 2>&1
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
@@ -9,8 +9,6 @@
 #
 # @TEST-DOC: Test LDAP analyzer with small trace using logging policies.
 
-@load analyzer
-
 hook LDAP::log_policy(rec: LDAP::Message, id: Log::ID, filter: Log::Filter)
 	{
 	break;

testing/btest/scripts/base/protocols/ldap/sasl-encrypted.zeek

@@ -1,6 +1,6 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 
-# @TEST-EXEC: zeek -C -r ${TRACES}/ldap-krb5-sign-seal-01.pcap %INPUT
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/krb5-sign-seal-01.pcap %INPUT
 # @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ldap.log
@@ -9,5 +9,3 @@
 # @TEST-EXEC: ! test -f dpd.log
 #
 # @TEST-DOC: Test LDAP analyzer with SASL encrypted payloads.
-
-@load analyzer