diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy
index f448d71f0c..63379d9a83 100644
--- a/src/analyzer/protocol/ldap/ldap.spicy
+++ b/src/analyzer/protocol/ldap/ldap.spicy
@@ -423,6 +423,7 @@ type GSS_SPNEGO_Subsequent = unit {
 type GSS_SPNEGO_negTokenResp = unit {
 var accepted: bool;
 var supportedMech: ASN1::ASN1Message;
+ var responseToken: optional;
 # Parse the contained Sequence.
 seq: ASN1::ASN1Message(True) {
@@ -433,7 +434,7 @@ type GSS_SPNEGO_negTokenResp = unit {
 } else if ( msg.application_id == 1 ) {
 self.supportedMech = msg;
 } else if ( msg.application_id == 2 ) {
- # ignore responseToken
+ self.responseToken = msg.application_data;
 } else if ( msg.application_id == 3 ) {
 # ignore mechListMec
 } else {
@@ -523,7 +524,7 @@ type BindResponse = unit(inout message: Message, ctx: Ctx&) {
 if ( $$?.negTokenResp ) {
 local token = $$.negTokenResp;
 if ( token.accepted && token?.supportedMechOid ) {
- if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) {
+ if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 && token.responseToken ) {
 ctx.messageMode = MessageMode::MS_KRB5;
 }
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log
new file mode 100644
index 0000000000..740ca715e6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log
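Review bot: `var responseToken: optional;` declares the new field without a type parameter; if the source really reads that way rather than having lost `<bytes>` in rendering, it should name the element type, e.g. `var responseToken: optional<bytes>;`, matching whatever `msg.application_data` yields in the second hunk. The field is also undocumented even though the third hunk turns it into a parsing-mode switch; a comment such as `# responseToken (application tag 2) returned by the server; unset if it sent none.` would explain what the later `token.responseToken` check relies on. The body of GSS_SPNEGO_negTokenResp continues past this hunk.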
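Review bot: The new `&& token.responseToken` narrows when the parser enters MS_KRB5 message mode, but the changed line carries no comment saying why an accepted Kerberos mech without a response token must not switch framing, so a later reader cannot tell a deliberate narrowing from an accidental one. A comment on that line, e.g. `# Switch to MS_KRB5 framing only once the server has returned a responseToken (see #4275).`, would record the reason. As written this is a presence test on the optional, so a set but zero-length responseToken still flips the mode; if that is not intended, also compare the length (something like `|token.responseToken| > 0` once it is known to be set). The enclosing BindResponse unit and the hook this sits in start and end outside the hunk.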
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
+#types time string addr port addr port int int string string string string string
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1440128865 3 bind SASL success - User1 GSS-SPNEGO
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log
new file mode 100644
index 0000000000..76424d5afc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap_search
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
+#types time string addr port addr port int string string string count string string string vector[string]
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1319382063 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
new file mode 100644
index 0000000000..502d28b4f4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
+#types time string addr port addr port int int string string string string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 success - User1 -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 success - User1 -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log
new file mode 100644
index 0000000000..a02df616d7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ldap_search
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
+#types time string addr port addr port int string string string count string string string vector[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1673297393 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index 6f9576cb71..ec244576a9 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@@ -49,4 +49,7 @@ Trace Index/Sources:
 - tunnels/geneve-tagged-udp-packet.pcap
 Provided by Eldon Koyle Corelight for testing.
 - cdp-v1.pcap
- From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
\ No newline at end of file
+ From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
+- ldap/adduser1.pcap ldap/adduser1-ntlm.pcap
+ Provided by Mohan-Dhawan on #4275
+ https://github.com/zeek/zeek/issues/4275
diff --git a/testing/btest/Traces/ldap/aduser1-ntlm.pcap b/testing/btest/Traces/ldap/aduser1-ntlm.pcap
new file mode 100644
index 0000000000..3498d7a3cb
Binary files /dev/null and b/testing/btest/Traces/ldap/aduser1-ntlm.pcap differ
diff --git a/testing/btest/Traces/ldap/aduser1.pcap b/testing/btest/Traces/ldap/aduser1.pcap
new file mode 100644
index 0000000000..a1d1c5aa4a
Binary files /dev/null and b/testing/btest/Traces/ldap/aduser1.pcap differ
diff --git a/testing/btest/scripts/base/protocols/ldap/aduser1.zeek b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek
new file mode 100644
index 0000000000..fdafa692f6
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ldap/aduser1.zeek
@@ -0,0 +1,11 @@
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1.pcap %INPUT
+# @TEST-EXEC: mkdir krb && mv *.log krb
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
+# @TEST-EXEC: mkdir ntlm && mv *.log ntlm
+# @TEST-EXEC: btest-diff krb/ldap.log
+# @TEST-EXEC: btest-diff krb/ldap_search.log
+# @TEST-EXEC: btest-diff ntlm/ldap.log
+# @TEST-EXEC: btest-diff ntlm/ldap_search.log
+#
+# @TEST-DOC: Check two traces using different authentication mechanisms, but the same search request.
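Review bot: The trace names this test loads, `${TRACES}/ldap/aduser1.pcap` and `${TRACES}/ldap/aduser1-ntlm.pcap`, match the binaries added in this commit but not the README entry it also adds (`- ldap/adduser1.pcap ldap/adduser1-ntlm.pcap`), which looks like a typo in the README; that entry should read `- ldap/aduser1.pcap ldap/aduser1-ntlm.pcap` so the index points at files that exist. The `@TEST-DOC` could also say which mechanism lands in which directory, since the krb/ baseline shows a `GSS-SPNEGO` SASL bind and the second trace is named for NTLM, e.g. `# @TEST-DOC: Same LDAP search over two traces, one bound via GSS-SPNEGO (krb/) and one via NTLM (ntlm/).`, so a failing btest-diff is easier to place.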