aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7d28758a54'
${ noResults }
suricata/doc/userguide/rules/ldap-keywords.rst

538 lines
19 KiB
ReStructuredText
Raw Normal View History Unescape Escape

detect: add ldap.request.operation ldap.request.operation matches on Lightweight Directory Access Protocol request operations This keyword maps to the eve field ldap.request.operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
LDAP Keywords
=============
.. role:: example-rule-action
.. role:: example-rule-header
.. role:: example-rule-options
.. role:: example-rule-emphasis
LDAP Request and Response operations
------------------------------------
.. table:: **Operation values for ldap.request.operation and ldap.responses.operation keywords**
==== ================================================
Code Operation
==== ================================================
0 bind_request
1 bind_response
2 unbind_request
3 search_request
4 search_result_entry
5 search_result_done
6 modify_request
7 modify_response
8 add_request
9 add_response
10 del_request
11 del_response
12 mod_dn_request
13 mod_dn_response
14 compare_request
15 compare_response
16 abandon_request
19 search_result_reference
23 extended_request
24 extended_response
25 intermediate_response
==== ================================================
The keywords ldap.request.operation and ldap.responses.operation
accept both the operation code and the operation name as arguments.
ldap.request.operation
----------------------
Suricata has a ``ldap.request.operation`` keyword that can be used in signatures to identify
and filter network packets based on Lightweight Directory Access Protocol request operations.
Syntax::
ldap.request.operation: operation;
ldap.request.operation uses :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
doc: replace 'eve' with 'EVE' in the LDAP keywords documentation
6 months ago
This keyword maps to the EVE field ``ldap.request.operation``
detect: add ldap.request.operation ldap.request.operation matches on Lightweight Directory Access Protocol request operations This keyword maps to the eve field ldap.request.operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
Examples
^^^^^^^^
Example of a signatures that would alert if the packet has an LDAP bind request operation:
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:0;` sid:1;)
detect: add ldap.request.operation ldap.request.operation matches on Lightweight Directory Access Protocol request operations This keyword maps to the eve field ldap.request.operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:`ldap.request.operation:bind_request;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
ldap.responses.operation
------------------------
Suricata has a ``ldap.responses.operation`` keyword that can be used in signatures to identify
and filter network packets based on Lightweight Directory Access Protocol response operations.
Syntax::
ldap.responses.operation: operation[,index];
ldap.responses.operation uses :ref:`unsigned 8-bit integer <rules-integer-keywords>`.
doc: replace 'eve' with 'EVE' in the LDAP keywords documentation
6 months ago
This keyword maps to the EVE field ``ldap.responses[].operation``
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation
keyword matches all indices, but it is possible to specify a particular index for matching
and also use flags such as ``all`` and ``any``.
.. table:: **Index values for ldap.responses.operation keyword**
========= ================================================
Value Description
========= ================================================
[default] Match with any index
all Match only if all indexes match
any Match with any index
0>= Match specific index
0< Match specific index with back to front indexing
========= ================================================
Examples
^^^^^^^^
Example of a signatures that would alert if the packet has an LDAP bind response operation:
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:1;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:`ldap.responses.operation:bind_response;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1:
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_done,1;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
Example of a signature that would alert if all the responses are of type search_result_entry:
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,all;` sid:1;)
detect: add ldap.responses.operation ldap.responses.operation matches on Lightweight Directory Access Protocol response operations This keyword maps to the eve field ldap.responses[].operation It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
The keyword ldap.responses.operation supports back to front indexing with negative numbers,
this means that -1 will represent the last index, -2 the second to last index, and so on.
This is an example of a signature that would alert if a search_result_entry response is found at the last index:
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,-1;` sid:1;)
detect: add ldap.responses.count ldap.responses.count matches on the number of LDAP responses This keyword maps to the eve field len(ldap.responses[]) It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
ldap.responses.count
--------------------
Matches based on the number of responses.
Syntax::
ldap.responses.count: [op]number;
It can be matched exactly, or compared using the ``op`` setting::
ldap.responses.count:3 # exactly 3 responses
ldap.responses.count:<3 # less than 3 responses
ldap.responses.count:>=2 # more or equal to 2 responses
ldap.responses.count uses :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
doc: replace 'eve' with 'EVE' in the LDAP keywords documentation
6 months ago
This keyword maps to the EVE field ``len(ldap.responses[])``
detect: add ldap.responses.count ldap.responses.count matches on the number of LDAP responses This keyword maps to the eve field len(ldap.responses[]) It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
Examples
^^^^^^^^
Example of a signature that would alert if a packet has 0 LDAP responses:
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:0;` sid:1;)
detect: add ldap.responses.count ldap.responses.count matches on the number of LDAP responses This keyword maps to the eve field len(ldap.responses[]) It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7453
7 months ago
Example of a signature that would alert if a packet has more than 2 LDAP responses:
.. container:: example-rule
doc: use the ldap protocol in rule examples in the LDAP keywords documentation
6 months ago
alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:`ldap.responses.count:>2;` sid:1;)
detect: add ldap.request.dn ldap.request.dn matches on LDAPDN from request operations This keyword maps the following eve fields: ldap.request.bind_request.name ldap.request.add_request.entry ldap.request.search_request.base_object ldap.request.modify_request.object ldap.request.del_request.dn ldap.request.mod_dn_request.entry ldap.request.compare_request.entry It is a sticky buffer Supports prefiltering Ticket: #7471
6 months ago
ldap.request.dn
---------------
Matches on LDAP distinguished names from request operations.
Comparison is case-sensitive.
Syntax::
ldap: fix LDAPDN nits Change variable name 'req' to 'resp' in function ldap_tx_get_responses_dn and documentation nits Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn") 16dcee46fc8a ("detect: add ldap.request.dn")
6 months ago
ldap.request.dn; content:"<content to match against>";
detect: add ldap.request.dn ldap.request.dn matches on LDAPDN from request operations This keyword maps the following eve fields: ldap.request.bind_request.name ldap.request.add_request.entry ldap.request.search_request.base_object ldap.request.modify_request.object ldap.request.del_request.dn ldap.request.mod_dn_request.entry ldap.request.compare_request.entry It is a sticky buffer Supports prefiltering Ticket: #7471
6 months ago
``ldap.request.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
This keyword maps to the EVE fields:
ldap: fix LDAPDN nits Change variable name 'req' to 'resp' in function ldap_tx_get_responses_dn and documentation nits Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn") 16dcee46fc8a ("detect: add ldap.request.dn")
6 months ago
- ``ldap.request.bind_request.name``
- ``ldap.request.add_request.entry``
- ``ldap.request.search_request.base_object``
- ``ldap.request.modify_request.object``
- ``ldap.request.del_request.dn``
- ``ldap.request.mod_dn_request.entry``
- ``ldap.request.compare_request.entry``
detect: add ldap.request.dn ldap.request.dn matches on LDAPDN from request operations This keyword maps the following eve fields: ldap.request.bind_request.name ldap.request.add_request.entry ldap.request.search_request.base_object ldap.request.modify_request.object ldap.request.del_request.dn ldap.request.mod_dn_request.entry ldap.request.compare_request.entry It is a sticky buffer Supports prefiltering Ticket: #7471
6 months ago
Example
^^^^^^^
Example of a signature that would alert if a packet has the LDAP distinguished name ``uid=jdoe,ou=People,dc=example,dc=com``:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.request.dn; content:"uid=jdoe,ou=People,dc=example,dc=com";` sid:1;)
It is possible to use the keyword ``ldap.request.operation`` in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
search request operation and contains the LDAP distinguished name
``dc=example,dc=com``.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.request.operation:search_request; ldap.request.dn; content:"dc=example,dc=com";` sid:1;)
detect: add ldap.responses.dn ldap.responses.dn matches on LDAPDN from responses operations This keyword maps the following eve fields: ldap.responses[].search_result_entry.base_object ldap.responses[].bind_response.matched_dn ldap.responses[].search_result_done.matched_dn ldap.responses[].modify_response.matched_dn ldap.responses[].add_response.matched_dn ldap.responses[].del_response.matched_dn ldap.responses[].mod_dn_response.matched_dn ldap.responses[].compare_response.matched_dn ldap.responses[].extended_response.matched_dn It is a sticky buffer Supports prefiltering Ticket: #7471
6 months ago
ldap.responses.dn
-----------------
Matches on LDAP distinguished names from response operations.
Comparison is case-sensitive.
Syntax::
ldap: fix LDAPDN nits Change variable name 'req' to 'resp' in function ldap_tx_get_responses_dn and documentation nits Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn") 16dcee46fc8a ("detect: add ldap.request.dn")
6 months ago
ldap.responses.dn; content:"<content to match against>";
detect: add ldap.responses.dn ldap.responses.dn matches on LDAPDN from responses operations This keyword maps the following eve fields: ldap.responses[].search_result_entry.base_object ldap.responses[].bind_response.matched_dn ldap.responses[].search_result_done.matched_dn ldap.responses[].modify_response.matched_dn ldap.responses[].add_response.matched_dn ldap.responses[].del_response.matched_dn ldap.responses[].mod_dn_response.matched_dn ldap.responses[].compare_response.matched_dn ldap.responses[].extended_response.matched_dn It is a sticky buffer Supports prefiltering Ticket: #7471
6 months ago
``ldap.responses.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
``ldap.responses.dn`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
This keyword maps to the EVE fields:
ldap: fix LDAPDN nits Change variable name 'req' to 'resp' in function ldap_tx_get_responses_dn and documentation nits Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn") 16dcee46fc8a ("detect: add ldap.request.dn")
6 months ago
- ``ldap.responses[].search_result_entry.base_object``
- ``ldap.responses[].bind_response.matched_dn``
- ``ldap.responses[].search_result_done.matched_dn``
- ``ldap.responses[].modify_response.matched_dn``
- ``ldap.responses[].add_response.matched_dn``
- ``ldap.responses[].del_response.matched_dn``
- ``ldap.responses[].mod_dn_response.matched_dn``
- ``ldap.responses[].compare_response.matched_dn``
- ``ldap.responses[].extended_response.matched_dn``
detect: add ldap.responses.dn ldap.responses.dn matches on LDAPDN from responses operations This keyword maps the following eve fields: ldap.responses[].search_result_entry.base_object ldap.responses[].bind_response.matched_dn ldap.responses[].search_result_done.matched_dn ldap.responses[].modify_response.matched_dn ldap.responses[].add_response.matched_dn ldap.responses[].del_response.matched_dn ldap.responses[].mod_dn_response.matched_dn ldap.responses[].compare_response.matched_dn ldap.responses[].extended_response.matched_dn It is a sticky buffer Supports prefiltering Ticket: #7471
6 months ago
ldap: return empty buffer in ldap_tx_get_responses_dn Funciton ldap_tx_get_responses_dn returns empty buffer in case the response doesn't contain the distinguished name field Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn")
5 months ago
.. note::
If a response within the array does not contain the
distinguished name field, this field will be interpreted
as an empty buffer.
detect: add ldap.responses.dn ldap.responses.dn matches on LDAPDN from responses operations This keyword maps the following eve fields: ldap.responses[].search_result_entry.base_object ldap.responses[].bind_response.matched_dn ldap.responses[].search_result_done.matched_dn ldap.responses[].modify_response.matched_dn ldap.responses[].add_response.matched_dn ldap.responses[].del_response.matched_dn ldap.responses[].mod_dn_response.matched_dn ldap.responses[].compare_response.matched_dn ldap.responses[].extended_response.matched_dn It is a sticky buffer Supports prefiltering Ticket: #7471
6 months ago
Example
^^^^^^^
Example of a signature that would alert if a packet has the LDAP distinguished name ``dc=example,dc=com``:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.responses.dn; content:"dc=example,dc=com";` sid:1;)
It is possible to use the keyword ``ldap.responses.operation`` in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
search result entry operation at index 1 on the responses array,
and contains the LDAP distinguished name ``dc=example,dc=com``.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,1; ldap.responses.dn; content:"dc=example,dc=com";` sid:1;)
detect: add ldap.responses.result_code ldap.responses.result_code matches on LDAP result code This keyword maps the following eve fields: ldap.responses[].bind_response.result_code ldap.responses[].search_result_done.result_code ldap.responses[].modify_response.result_code ldap.responses[].add_response.result_code ldap.responses[].del_response.result_code ldap.responses[].mod_dn_response.result_code ldap.responses[].compare_response.result_code ldap.responses[].extended_response.result_code It is an unsigned 32-bit integer Doesn't support prefiltering Ticket: #7532
6 months ago
ldap.responses.result_code
--------------------------
Suricata has a ``ldap.responses.result_code`` keyword that can be used in signatures to identify
and filter network packets based on their LDAP result code.
Syntax::
ldap.responses.result_code: code[,index];
ldap.responses.result_code uses :ref:`unsigned 32-bit integer <rules-integer-keywords>`.
This keyword maps to the following eve fields:
- ``ldap.responses[].bind_response.result_code``
- ``ldap.responses[].search_result_done.result_code``
- ``ldap.responses[].modify_response.result_code``
- ``ldap.responses[].add_response.result_code``
- ``ldap.responses[].del_response.result_code``
- ``ldap.responses[].mod_dn_response.result_code``
- ``ldap.responses[].compare_response.result_code``
- ``ldap.responses[].extended_response.result_code``
.. table:: **Result code values for ldap.responses.result_code**
========= ================================================
Code Name
========= ================================================
0 success
1 operations_error
2 protocol_error
3 time_limit_exceeded
4 size_limit_exceeded
5 compare_false
6 compare_true
7 auth_method_not_supported
8 stronger_auth_required
10 referral
11 admin_limit_exceeded
12 unavailable_critical_extension
13 confidentiality_required
14 sasl_bind_in_progress
16 no_such_attribute
17 undefined_attribute_type
18 inappropriate_matching
19 constraint_violation
20 attribute_or_value_exists
21 invalid_attribute_syntax
32 no_such_object
33 alias_problem
34 invalid_dns_syntax
35 is_leaf
36 alias_dereferencing_problem
48 inappropriate_authentication
49 invalid_credentials
50 insufficient_access_rights
51 busy
52 unavailable
53 unwilling_to_perform
54 loop_detect
60 sort_control_missing
61 offset_range_error
64 naming_violation
65 object_class_violation
66 not_allowed_on_non_leaf
67 not_allowed_on_rdn
68 entry_already_exists
69 object_class_mods_prohibited
70 results_too_large
71 affects_multiple_dsas
76 control_error
80 other
81 server_down
82 local_error
83 encoding_error
84 decoding_error
85 timeout
86 auth_unknown
87 filter_error
88 user_canceled
89 param_error
90 no_memory
91 connect_error
92 not_supported
93 control_not_found
94 no_results_returned
95 more_results_to_return
96 client_loop
97 referral_limit_exceeded
100 invalid_response
101 ambiguous_response
112 tls_not_supported
113 intermediate_response
114 unknown_type
118 canceled
119 no_such_operation
120 too_late
121 cannot_cancel
122 assertion_failed
123 authorization_denied
4096 e_sync_refresh_required
16654 no_operation
========= ================================================
More information about LDAP result code values can be found here:
https://ldap.com/ldap-result-code-reference/
An LDAP request operation can receive multiple responses. By default, the ldap.responses.result_code
keyword matches with any indices, but it is possible to specify a particular index for matching
and also use flags such as ``all`` and ``any``.
.. table:: **Index values for ldap.responses.result_code keyword**
========= ================================================
Value Description
========= ================================================
[default] Match with any index
all Match only if all indexes match
any Match with any index
0>= Match specific index
0< Match specific index with back to front indexing
========= ================================================
Examples
^^^^^^^^
Example of signatures that would alert if the packet has a ``success`` LDAP result code at any index:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP result code"; :example-rule-emphasis:`ldap.responses.result_code:0;` sid:1;)
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP result code"; :example-rule-emphasis:`ldap.responses.result_code:success,any;` sid:1;)
Example of a signature that would alert if the packet has an ``unavailable`` LDAP result code at index 1:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP result code at index 1"; :example-rule-emphasis:`ldap.responses.result_code:unavailable,1;` sid:1;)
Example of a signature that would alert if all the responses have a ``success`` LDAP result code:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test all LDAP responses have success result code"; :example-rule-emphasis:`ldap.responses.result_code:success,all;` sid:1;)
The keyword ldap.responses.result_code supports back to front indexing with negative numbers,
this means that -1 will represent the last index, -2 the second to last index, and so on.
This is an example of a signature that would alert if a ``success`` result code is found at the last index:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP success at last index"; :example-rule-emphasis:`ldap.responses.result_code:success,-1;` sid:1;)
detect: add ldap.responses.message ldap.responses.message matches on LDAPResult error message This keyword maps the following eve fields: ldap.responses[].bind_response.message ldap.responses[].search_result_done.message ldap.responses[].modify_response.message ldap.responses[].add_response.message ldap.responses[].del_response.message ldap.responses[].mod_dn_response.message ldap.responses[].compare_response.message ldap.responses[].extended_response.message It is a sticky buffer Supports prefiltering Ticket: #7532
6 months ago
ldap.responses.message
----------------------
Matches on LDAP error messages from response operations.
Comparison is case-sensitive.
Syntax::
ldap.responses.message; content:"<content to match against>";
``ldap.responses.message`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
``ldap.responses.message`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
This keyword maps to the EVE fields:
- ``ldap.responses[].bind_response.message``
- ``ldap.responses[].search_result_done.message``
- ``ldap.responses[].modify_response.message``
- ``ldap.responses[].add_response.message``
- ``ldap.responses[].del_response.message``
- ``ldap.responses[].mod_dn_response.message``
- ``ldap.responses[].compare_response.message``
- ``ldap.responses[].extended_response.message``
.. note::
If a response within the array does not contain the
error message field, this field will be interpreted
as an empty buffer.
Example
^^^^^^^
Example of a signature that would alert if a packet has the LDAP error message ``Size limit exceeded``:
.. container:: example-rule
detect: add ldap.request.attribute_type ldap.request.attribute_type matches on LDAP attribute type/description This keyword maps the following eve fields: ldap.request.search_request.attributes[] ldap.request.modify_request.changes[].modification.attribute_type ldap.request.add_request.attributes[].name ldap.request.compare_request.attribute_value_assertion.description It is a sticky buffer Supports multiple buffer matching Supports prefiltering Ticket: #7533
6 months ago
alert ldap any any -> any any (msg:"Test LDAP error message"; ldap.responses.message; content:"Size limit exceeded"; sid:1;)
ldap.request.attribute_type
---------------------------
Matches on LDAP attribute type from request operations.
Comparison is case-sensitive.
Syntax::
ldap.request.attribute_type; content:"<content to match against>";
``ldap.request.attribute_type`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
``ldap.request.attribute_type`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
This keyword maps to the EVE fields:
- ``ldap.request.search_request.attributes[]``
- ``ldap.request.modify_request.changes[].modification.attribute_type``
- ``ldap.request.add_request.attributes[].name``
- ``ldap.request.compare_request.attribute_value_assertion.description``
Example
^^^^^^^
Example of a signature that would alert if a packet has the LDAP attribute type ``objectClass``:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test attribute type"; :example-rule-emphasis:`ldap.request.attribute_type; content:"objectClass";` sid:1;)
It is possible to use the keyword ``ldap.request.operation`` in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
add request operation and contains the LDAP attribute type
``objectClass``.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test attribute type and operation"; :example-rule-emphasis:`ldap.request.operation:add_request; ldap.request.attribute_type; content:"objectClass";` sid:1;)
detect: add ldap.responses.attribute_type ldap.responses.attribute_type matches on LDAP attribute type/description This keyword maps the eve field ldap.responses[].search_result_entry.attributes[].type It is a sticky buffer Supports multiple buffer matching Supports prefiltering Ticket: #7533
6 months ago
ldap.responses.attribute_type
-----------------------------
Matches on LDAP attribute type from response operations.
Comparison is case-sensitive.
Syntax::
ldap.responses.attribute_type; content:"<content to match against>";
``ldap.responses.attribute_type`` is a 'sticky buffer' and can be used as a ``fast_pattern``.
``ldap.responses.attribute_type`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
This keyword maps to the EVE field ``ldap.responses[].search_result_entry.attributes[].type``
Example
^^^^^^^
Example of a signature that would alert if a packet has the LDAP attribute type ``dc``:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test responses attribute type"; :example-rule-emphasis:`ldap.responses.attribute_type; content:"dc";` sid:1;)
It is possible to use the keyword ``ldap.responses.operation`` in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
search result entry operation at index 1 on the responses array,
and contains the LDAP attribute type ``dc``.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test attribute type and operation"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry,1; ldap.responses.attribute_type; content:"dc";` sid:1;)