suricata/doc/userguide/rules/ldap-keywords.rst

LDAP Keywords
=============

.. role:: example-rule-action
.. role:: example-rule-header
.. role:: example-rule-options
.. role:: example-rule-emphasis

LDAP Request and Response operations
------------------------------------

.. table:: **Operation values for ldap.request.operation and ldap.responses.operation keywords**

    ====  ================================================
    Code  Operation
    ====  ================================================
    0     bind_request
    1     bind_response
    2     unbind_request
    3     search_request
    4     search_result_entry
    5     search_result_done
    6     modify_request
    7     modify_response
    8     add_request
    9     add_response
    10    del_request
    11    del_response
    12    mod_dn_request
    13    mod_dn_response
    14    compare_request
    15    compare_response
    16    abandon_request
    19    search_result_reference
    23    extended_request
    24    extended_response
    25    intermediate_response
    ====  ================================================

The keywords ldap.request.operation and ldap.responses.operation
accept both the operation code and the operation name as arguments.

ldap.request.operation
----------------------

Suricata has a ``ldap.request.operation`` keyword that can be used in signatures to identify
and filter network packets based on Lightweight Directory Access Protocol request operations.

Syntax::

 ldap.request.operation: operation;

ldap.request.operation uses :ref:`unsigned 8-bit integer <rules-integer-keywords>`.

This keyword maps to the EVE field  ``ldap.request.operation``

Examples
^^^^^^^^

Example of a signatures that would alert if the packet has an LDAP bind request operation:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:0;` sid:1;)

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:bind_request;` sid:1;)

ldap.responses.operation
------------------------

Suricata has a ``ldap.responses.operation`` keyword that can be used in signatures to identify
and filter network packets based on Lightweight Directory Access Protocol response operations.

Syntax::

 ldap.responses.operation: operation[,index];

ldap.responses.operation uses :ref:`unsigned 8-bit integer <rules-integer-keywords>`.

This keyword maps to the EVE field ``ldap.responses[].operation``

An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation
keyword matches all indices, but it is possible to specify a particular index for matching
and also use flags such as ``all`` and ``any``.

.. table:: **Index values for ldap.responses.operation keyword**

    =========  ================================================
    Value      Description
    =========  ================================================
    [default]  Match with any index
    all        Match only if all indexes match
    any        Match with any index
    0>=        Match specific index
    0<         Match specific index with back to front indexing
    =========  ================================================

Examples
^^^^^^^^

Example of a signatures that would alert if the packet has an LDAP bind response operation:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:1;` sid:1;)

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:bind_response;` sid:1;)

Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_done,1;` sid:1;)

Example of a signature that would alert if all the responses are of type search_result_entry:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,all;` sid:1;)

The keyword ldap.responses.operation supports back to front indexing with negative numbers,
this means that -1 will represent the last index, -2 the second to last index, and so on.
This is an example of a signature that would alert if a search_result_entry response is found at the last index:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,-1;` sid:1;)

ldap.responses.count
--------------------

Matches based on the number of responses.

Syntax::

 ldap.responses.count: [op]number;

It can be matched exactly, or compared using the ``op`` setting::

 ldap.responses.count:3    # exactly 3 responses
 ldap.responses.count:<3   # less than 3 responses
 ldap.responses.count:>=2  # more or equal to 2 responses

ldap.responses.count uses :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

This keyword maps to the EVE field ``len(ldap.responses[])``

Examples
^^^^^^^^

Example of a signature that would alert if a packet has 0 LDAP responses:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:0;` sid:1;)

Example of a signature that would alert if a packet has more than 2 LDAP responses:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;)

ldap.request.dn
---------------

Matches on LDAP distinguished names from request operations.

Comparison is case-sensitive.

Syntax::

 ldap.request.dn; content:dc=example,dc=com;

``ldap.request.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``.

This keyword maps to the EVE fields:
``ldap.request.bind_request.name``
``ldap.request.add_request.entry``
``ldap.request.search_request.base_object``
``ldap.request.modify_request.object``
``ldap.request.del_request.dn``
``ldap.request.mod_dn_request.entry``
``ldap.request.compare_request.entry``

Example
^^^^^^^

Example of a signature that would alert if a packet has the LDAP distinguished name ``uid=jdoe,ou=People,dc=example,dc=com``:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.request.dn; content:"uid=jdoe,ou=People,dc=example,dc=com";` sid:1;)

It is possible to use the keyword ``ldap.request.operation`` in the same rule to
specify the operation to match.

Here is an example of a signature that would alert if a packet has an LDAP
search request operation and contains the LDAP distinguished name
``dc=example,dc=com``.

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.request.operation:search_request; ldap.request.dn; content:"dc=example,dc=com";` sid:1;)

ldap.responses.dn
-----------------

Matches on LDAP distinguished names from response operations.

Comparison is case-sensitive.

Syntax::

 ldap.responses.dn; content:dc=example,dc=com;

``ldap.responses.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``.

``ldap.responses.dn`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

This keyword maps to the EVE fields:
``ldap.responses[].search_result_entry.base_object``
``ldap.responses[].bind_response.matched_dn``
``ldap.responses[].search_result_done.matched_dn``
``ldap.responses[].modify_response.matched_dn``
``ldap.responses[].add_response.matched_dn``
``ldap.responses[].del_response.matched_dn``
``ldap.responses[].mod_dn_response.matched_dn``
``ldap.responses[].compare_response.matched_dn``
``ldap.responses[].extended_response.matched_dn``

Example
^^^^^^^

Example of a signature that would alert if a packet has the LDAP distinguished name ``dc=example,dc=com``:

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.responses.dn; content:"dc=example,dc=com";` sid:1;)

It is possible to use the keyword ``ldap.responses.operation`` in the same rule to
specify the operation to match.

Here is an example of a signature that would alert if a packet has an LDAP
search result entry operation at index 1 on the responses array,
and contains the LDAP distinguished name ``dc=example,dc=com``.

.. container:: example-rule

  alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,1; ldap.responses.dn; content:"dc=example,dc=com";` sid:1;)
detect: add ldap.request.operation ldap.request.operation matches on Lightweight Directory Access Protocol request operations This keyword maps to the eve field ldap.request.operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago			`LDAP Keywords`
			`=============`

			`.. role:: example-rule-action`
			`.. role:: example-rule-header`
			`.. role:: example-rule-options`
			`.. role:: example-rule-emphasis`

			`LDAP Request and Response operations`
			`------------------------------------`

			`.. table:: Operation values for ldap.request.operation and ldap.responses.operation keywords`

			`==== ================================================`
			`Code Operation`
			`==== ================================================`
			`0 bind_request`
			`1 bind_response`
			`2 unbind_request`
			`3 search_request`
			`4 search_result_entry`
			`5 search_result_done`
			`6 modify_request`
			`7 modify_response`
			`8 add_request`
			`9 add_response`
			`10 del_request`
			`11 del_response`
			`12 mod_dn_request`
			`13 mod_dn_response`
			`14 compare_request`
			`15 compare_response`
			`16 abandon_request`
			`19 search_result_reference`
			`23 extended_request`
			`24 extended_response`
			`25 intermediate_response`
			`==== ================================================`

			`The keywords ldap.request.operation and ldap.responses.operation`
			`accept both the operation code and the operation name as arguments.`

			`ldap.request.operation`
			`----------------------`

			Suricata has a ``ldap.request.operation`` keyword that can be used in signatures to identify
			`and filter network packets based on Lightweight Directory Access Protocol request operations.`

			`Syntax::`

			`ldap.request.operation: operation;`

			ldap.request.operation uses :ref:`unsigned 8-bit integer <rules-integer-keywords>`.

doc: replace 'eve' with 'EVE' in the LDAP keywords documentation 5 months ago			This keyword maps to the EVE field ``ldap.request.operation``
detect: add ldap.request.operation ldap.request.operation matches on Lightweight Directory Access Protocol request operations This keyword maps to the eve field ldap.request.operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`Examples`
			`^^^^^^^^`

			`Example of a signatures that would alert if the packet has an LDAP bind request operation:`

			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:0;` sid:1;)
detect: add ldap.request.operation ldap.request.operation matches on Lightweight Directory Access Protocol request operations This keyword maps to the eve field ldap.request.operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:bind_request;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`ldap.responses.operation`
			`------------------------`

			Suricata has a ``ldap.responses.operation`` keyword that can be used in signatures to identify
			`and filter network packets based on Lightweight Directory Access Protocol response operations.`

			`Syntax::`

			`ldap.responses.operation: operation[,index];`

			ldap.responses.operation uses :ref:`unsigned 8-bit integer <rules-integer-keywords>`.

doc: replace 'eve' with 'EVE' in the LDAP keywords documentation 5 months ago			This keyword maps to the EVE field ``ldap.responses[].operation``
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation`
			`keyword matches all indices, but it is possible to specify a particular index for matching`
			and also use flags such as ``all`` and ``any``.

			`.. table:: Index values for ldap.responses.operation keyword`

			`========= ================================================`
			`Value Description`
			`========= ================================================`
			`[default] Match with any index`
			`all Match only if all indexes match`
			`any Match with any index`
			`0>= Match specific index`
			`0< Match specific index with back to front indexing`
			`========= ================================================`

			`Examples`
			`^^^^^^^^`

			`Example of a signatures that would alert if the packet has an LDAP bind response operation:`

			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:1;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:bind_response;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1:`

			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_done,1;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`Example of a signature that would alert if all the responses are of type search_result_entry:`

			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,all;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`The keyword ldap.responses.operation supports back to front indexing with negative numbers,`
			`this means that -1 will represent the last index, -2 the second to last index, and so on.`
			`This is an example of a signature that would alert if a search_result_entry response is found at the last index:`

			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,-1;` sid:1;)
detect: add ldap.responses.count ldap.responses.count matches on the number of LDAP responses This keyword maps to the eve field len(ldap.responses[]) It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`ldap.responses.count`
			`--------------------`

			`Matches based on the number of responses.`

			`Syntax::`

			`ldap.responses.count: [op]number;`

			It can be matched exactly, or compared using the ``op`` setting::

			`ldap.responses.count:3 # exactly 3 responses`
			`ldap.responses.count:<3 # less than 3 responses`
			`ldap.responses.count:>=2 # more or equal to 2 responses`

			ldap.responses.count uses :ref:`unsigned 32-bit integer <rules-integer-keywords>`.

doc: replace 'eve' with 'EVE' in the LDAP keywords documentation 5 months ago			This keyword maps to the EVE field ``len(ldap.responses[])``
detect: add ldap.responses.count ldap.responses.count matches on the number of LDAP responses This keyword maps to the eve field len(ldap.responses[]) It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`Examples`
			`^^^^^^^^`

			`Example of a signature that would alert if a packet has 0 LDAP responses:`

			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:0;` sid:1;)
detect: add ldap.responses.count ldap.responses.count matches on the number of LDAP responses This keyword maps to the eve field len(ldap.responses[]) It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7453 6 months ago
			`Example of a signature that would alert if a packet has more than 2 LDAP responses:`

			`.. container:: example-rule`

doc: use the ldap protocol in rule examples in the LDAP keywords documentation 5 months ago			alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;)
detect: add ldap.request.dn ldap.request.dn matches on LDAPDN from request operations This keyword maps the following eve fields: ldap.request.bind_request.name ldap.request.add_request.entry ldap.request.search_request.base_object ldap.request.modify_request.object ldap.request.del_request.dn ldap.request.mod_dn_request.entry ldap.request.compare_request.entry It is a sticky buffer Supports prefiltering Ticket: #7471 6 months ago
			`ldap.request.dn`
			`---------------`

			`Matches on LDAP distinguished names from request operations.`

			`Comparison is case-sensitive.`

			`Syntax::`

			`ldap.request.dn; content:dc=example,dc=com;`

			``ldap.request.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``.

			`This keyword maps to the EVE fields:`
			``ldap.request.bind_request.name``
			``ldap.request.add_request.entry``
			``ldap.request.search_request.base_object``
			``ldap.request.modify_request.object``
			``ldap.request.del_request.dn``
			``ldap.request.mod_dn_request.entry``
			``ldap.request.compare_request.entry``

			`Example`
			`^^^^^^^`

			Example of a signature that would alert if a packet has the LDAP distinguished name ``uid=jdoe,ou=People,dc=example,dc=com``:

			`.. container:: example-rule`

			alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.request.dn; content:"uid=jdoe,ou=People,dc=example,dc=com";` sid:1;)

			It is possible to use the keyword ``ldap.request.operation`` in the same rule to
			`specify the operation to match.`

			`Here is an example of a signature that would alert if a packet has an LDAP`
			`search request operation and contains the LDAP distinguished name`
			``dc=example,dc=com``.

			`.. container:: example-rule`

			alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.request.operation:search_request; ldap.request.dn; content:"dc=example,dc=com";` sid:1;)
detect: add ldap.responses.dn ldap.responses.dn matches on LDAPDN from responses operations This keyword maps the following eve fields: ldap.responses[].search_result_entry.base_object ldap.responses[].bind_response.matched_dn ldap.responses[].search_result_done.matched_dn ldap.responses[].modify_response.matched_dn ldap.responses[].add_response.matched_dn ldap.responses[].del_response.matched_dn ldap.responses[].mod_dn_response.matched_dn ldap.responses[].compare_response.matched_dn ldap.responses[].extended_response.matched_dn It is a sticky buffer Supports prefiltering Ticket: #7471 6 months ago
			`ldap.responses.dn`
			`-----------------`

			`Matches on LDAP distinguished names from response operations.`

			`Comparison is case-sensitive.`

			`Syntax::`

			`ldap.responses.dn; content:dc=example,dc=com;`

			``ldap.responses.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``.

			``ldap.responses.dn`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.

			`This keyword maps to the EVE fields:`
			``ldap.responses[].search_result_entry.base_object``
			``ldap.responses[].bind_response.matched_dn``
			``ldap.responses[].search_result_done.matched_dn``
			``ldap.responses[].modify_response.matched_dn``
			``ldap.responses[].add_response.matched_dn``
			``ldap.responses[].del_response.matched_dn``
			``ldap.responses[].mod_dn_response.matched_dn``
			``ldap.responses[].compare_response.matched_dn``
			``ldap.responses[].extended_response.matched_dn``

			`Example`
			`^^^^^^^`

			Example of a signature that would alert if a packet has the LDAP distinguished name ``dc=example,dc=com``:

			`.. container:: example-rule`

			alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.responses.dn; content:"dc=example,dc=com";` sid:1;)

			It is possible to use the keyword ``ldap.responses.operation`` in the same rule to
			`specify the operation to match.`

			`Here is an example of a signature that would alert if a packet has an LDAP`
			`search result entry operation at index 1 on the responses array,`
			and contains the LDAP distinguished name ``dc=example,dc=com``.

			`.. container:: example-rule`

			alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,1; ldap.responses.dn; content:"dc=example,dc=com";` sid:1;)