detect: add keywords for LDAPDN - v3#12556
Commit messages:

ldap.request.dn matches on LDAPDN from request operations

This keyword maps the following eve fields:
ldap.request.bind_request.name
ldap.request.add_request.entry
ldap.request.search_request.base_object
ldap.request.modify_request.object
ldap.request.del_request.dn
ldap.request.mod_dn_request.entry
ldap.request.compare_request.entry

It is a sticky buffer
Supports prefiltering

Ticket: OISF#7471

ldap.responses.dn matches on LDAPDN from responses operations

This keyword maps the following eve fields:
ldap.responses[].search_result_entry.base_object
ldap.responses[].bind_response.matched_dn
ldap.responses[].search_result_done.matched_dn
ldap.responses[].modify_response.matched_dn
ldap.responses[].add_response.matched_dn
ldap.responses[].del_response.matched_dn
ldap.responses[].mod_dn_response.matched_dn
ldap.responses[].compare_response.matched_dn
ldap.responses[].extended_response.matched_dn

It is a sticky buffer
Supports prefiltering

Ticket: OISF#7471
Codecov Report
Attention: Patch coverage is

Coverage diff, master vs #12556:
Coverage: 80.71% -> 80.70% (-0.02%)
Files: 928 -> 928
Lines: 259007 -> 259132 (+125)
Hits: 209063 -> 209136 (+73)
Misses: 49944 -> 49996 (+52)
catenacyber
left a comment
Thanks for the work
CI : ✅
Code : good
Commits segmentation : ok, nice
Commit messages : good, could also specify the responses keyword is a multi-buffer
Git ID set : looks fine for me
CLA : you already contributed
Doc update : thanks
Redmine ticket : ok, updated to in review
Rustfmt : good
Tests : approved SV
Quoted doc lines from the diff:

.. container:: example-rule

    alert tcp any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:`ldap.request.dn:uid=jdoe,ou=People,dc=example,dc=com;` sid:1;)
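Review bot: the emphasised part passes the DN as an argument to ``ldap.request.dn``, but the same docs describe it as a sticky buffer, so the rule should read ``ldap.request.dn; content:"uid=jdoe,ou=People,dc=example,dc=com";`` and, as suggested for the other examples, use ``alert ldap`` so the line works when copy-pasted into a ruleset.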
could be more explicit alert ldap
Quoted doc lines from the diff:

.. container:: example-rule

    alert tcp any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.responses.operation:search_result_entry; ldap.responses.dn:dc=example,dc=com;` sid:1;)
Note that these may be in different responses, like ldap.responses[0] has operation:search_result_entry and ldap.responses[1] has dn:dc=example,dc=com
Should this be added as a note in this section?
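Added example, not code from this PR or from Suricata: a small Python model of where the two sticky buffers take their DNs from (the EVE fields listed in the commit messages) and of the multi-buffer point raised just above, that ``ldap.responses.operation`` and ``ldap.responses.dn`` in one rule can be satisfied by different elements of ``ldap.responses[]``. The EVE record, the substring (content-style) match and the helper names are constructed assumptions.

```python
# EVE field each sticky buffer reads, as listed in the PR's commit messages.
REQUEST_DN_FIELDS = [
    ("bind_request", "name"), ("add_request", "entry"),
    ("search_request", "base_object"), ("modify_request", "object"),
    ("del_request", "dn"), ("mod_dn_request", "entry"), ("compare_request", "entry"),
]
RESPONSE_DN_FIELDS = [
    ("search_result_entry", "base_object"), ("bind_response", "matched_dn"),
    ("search_result_done", "matched_dn"), ("modify_response", "matched_dn"),
    ("add_response", "matched_dn"), ("del_response", "matched_dn"),
    ("mod_dn_response", "matched_dn"), ("compare_response", "matched_dn"),
    ("extended_response", "matched_dn"),
]

# Constructed "ldap" object of an EVE record (not a real capture): the operation
# of interest and the DN of interest sit in different elements of responses[].
SAMPLE_LDAP = {
    "request": {"operation": "search_request",
                "search_request": {"base_object": "dc=example,dc=com"}},
    "responses": [
        {"operation": "search_result_entry",
         "search_result_entry": {"base_object": "uid=jdoe,ou=People,dc=other,dc=org"}},
        {"operation": "search_result_done",
         "search_result_done": {"matched_dn": "dc=example,dc=com"}},
    ],
}

def request_dn(ldap):
    """ldap.request.dn: a single buffer, the mapped field of the request's operation."""
    req = ldap.get("request", {})
    for op, field in REQUEST_DN_FIELDS:
        if field in req.get(op, {}):
            return req[op][field]
    return None

def responses_dn(ldap):
    """ldap.responses.dn: a multi-buffer, one DN per element of ldap.responses[]."""
    return [r[op][field] for r in ldap.get("responses", [])
            for op, field in RESPONSE_DN_FIELDS if field in r.get(op, {})]

def responses_rule_matches(ldap, operation, dn, same_response=False):
    """Model of 'ldap.responses.operation:<op>; ldap.responses.dn; content:"<dn>";'.
    Each keyword is checked over all responses on its own (content = substring), so
    they may hit different elements; same_response=True is the stricter reading."""
    resps = ldap.get("responses", [])
    if same_response:
        return any(r.get("operation") == operation
                   and any(dn in d for d in responses_dn({"responses": [r]})) for r in resps)
    return any(r.get("operation") == operation for r in resps) and any(
        dn in d for d in responses_dn(ldap))
```

With the sample record the rule from the docs matches even though no single response carries both the operation and the DN, which is the behaviour the note above asks to document.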
Quoted doc lines from the diff:

.. container:: example-rule

    alert tcp any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:`ldap.request.operation:search_request; ldap.request.dn:dc=example,dc=com;` sid:1;)
content keyword
Same applies to the other examples, right?
catenacyber
left a comment
The example rules need to work copy pasted ;-)
jufajardini
left a comment
A few more notes for the docs section. :)
Quoted doc lines from the diff:

``ldap.request.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``.

This keyword maps to the eve fields:
nit:
Suggested change, from:
This keyword maps to the eve fields:
to:
This keyword maps to the EVE fields:
Quoted doc lines from the diff:

It is possible to use the keyword ``ldap.request.operation`` in the same rule to specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP search request operation and contains the LDAP distinguished name ``dc=example,dc=com``.
nits to remove extra space and to conform line length to ideal character limits :P
Suggested change, from:
It is possible to use the keyword ``ldap.request.operation`` in the same rule to specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP search request operation and contains the LDAP distinguished name ``dc=example,dc=com``.
to:
It is possible to use the keyword ``ldap.request.operation`` in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
search request operation and contains the LDAP distinguished name
``dc=example,dc=com``.
Same idea applies to the other section.
Replaced by: #12620
Ticket: #7471
Contribution style:
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
Our Contribution agreements:
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Changes (if applicable):
(including schema descriptions)
https://redmine.openinfosecfoundation.org/projects/suricata/issues7471
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7471
Description: ldap.request.dn and ldap.responses.dn
Changes:
SV_BRANCH=OISF/suricata-verify#2278
Previous PR: #12545