Feature #1199

open

LDAP support

Added by Peter Manev over 7 years ago. Updated 9 months ago.

Status: In Progress
Priority: Normal
Target version:
Effort: medium
Difficulty: medium
Label: Protocol

Description

Support for LDAP.
LDAP is widely used and present in many networks.

Example:

ldap://host:port/DN?attributes?scope?filter?extensions

As defined in http://tools.ietf.org/html/rfc4516

Related issues

  • Related to Task #4097: Suricon 2020 brainstorm (status: New, assignee: Victor Julien)
  • Related to Task #4151: Research: New protocol support (status: New, assignee: Community Ticket)
#1

Updated by Victor Julien over 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

I think this would be a great feature for members of the community to either develop or fund.

#2

Updated by Jason Ish over 3 years ago

  • Effort set to medium
  • Difficulty set to medium

#3

Updated by Andreas Herz over 2 years ago

  • Assignee set to Community Ticket

#4

Updated by Victor Julien almost 2 years ago

Implementation should be in Rust.

#5

Updated by Victor Julien over 1 year ago

  • Label Protocol added

#6

Updated by Jason Ish 10 months ago

  • Related to Task #4097: Suricon 2020 brainstorm added

#7

Updated by Jason Ish 10 months ago

Lots of interest at the 2020 Brainstorm.

#8

Updated by Pierre Chifflier 10 months ago

Bringing back this 6-year-old ticket!

update:

I have a test implementation (currently a standalone parser, not a suricata applayer) for LDAP version 3 that more or less works (I still need to work on reliability / testing every possible corner case). LDAP being based on BER, it is built on the same BER/DER decoder as the kerberos and x509 parsers embedded in suricata. It currently uses nom 6 and recent versions of everything, so I would primarily target suricata 7.0 (unless there is a great interest for 6.x).

One difficulty though is that to be fully interesting, more protocols have to be decoded: LDAP can use SASL, and can embed GSS-API and/or GSS-SPNEGO layers (this is a common case for Windows networks, where you often encounter integrity-only transport of data).

Call for help: there are many variants of implementations, and I can't have them all here. If you have pcaps to share (especially of LDAP in Active Directory environments), please tell me!

#9

Updated by Victor Julien 10 months ago

  • Related to Task #4151: Research: New protocol support added

#10

Updated by Victor Julien 9 months ago

  • Status changed from New to In Progress
  • Assignee changed from Community Ticket to Pierre Chifflier
  • Target version changed from TBD to 7.0rc1

Hi Pierre, did I understand correctly that you've made further progress on this?

#11

Updated by Pierre Chifflier 9 months ago

Hi Victor,
Yes, I have a working LDAP parser for suricata, based on the ldap-parser crate I published to crates.io.
It supports LDAPv3 protocol, as well as the cleartext variants of SASL and GSSAPI (for ex. integrity-only encapsulation).

Before submitting the PR, the code still needs some polishing. It currently parses the protocol and logs metadata (LDAP operation, bind DN, password if cleartext, etc.), but does not have detect keywords yet (TBD).
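The metadata extraction described in the thread (operation, bind DN, and whether the password is sent in cleartext) as an added example that is not Suricata's code nor the ldap-parser crate: a std-only Rust walk over the BER encoding of an LDAPv3 BindRequest (RFC 4511, the protocol the parser above decodes). The sample message is constructed here; `read_tlv`, `parse_bind_request` and `sample_simple_bind` are names chosen for this example.

```rust
// Added example (not Suricata's or the ldap-parser crate's code): walk the BER
// encoding of an LDAPv3 BindRequest (RFC 4511) and pull out the metadata an IDS logs.
#[derive(Debug, PartialEq)] pub enum Auth { Simple(String), Sasl(String) } // [0] cleartext pw / [3] SASL mech
#[derive(Debug, PartialEq)]
pub struct BindRequest { pub message_id: u32, pub version: u8, pub name: String, pub auth: Auth }
/// Read one BER TLV as (tag, value, rest). Accepts short and long-form lengths
/// (at most 4 length bytes) and returns None on any truncation instead of panicking.
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let tag = *input.first()?;
    let first = *input.get(1)?;
    let (len, hdr) = if first & 0x80 == 0 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 { return None; }
        let bytes = input.get(2..2 + n)?;
        (bytes.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize), 2 + n)
    };
    let end = hdr.checked_add(len)?;
    Some((tag, input.get(hdr..end)?, &input[end..]))
}
fn utf8(b: &[u8]) -> String { String::from_utf8_lossy(b).into_owned() }
/// Parse LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] BindRequest }.
pub fn parse_bind_request(msg: &[u8]) -> Option<BindRequest> {
    let (tag, body, _) = read_tlv(msg)?;
    if tag != 0x30 { return None; }                  // outer SEQUENCE
    let (t, id, rest) = read_tlv(body)?;
    if t != 0x02 || id.is_empty() || id.len() > 4 { return None; }
    let message_id = id.iter().fold(0u32, |acc, b| (acc << 8) | *b as u32);
    let (t, op, _) = read_tlv(rest)?;
    if t != 0x60 { return None; }                    // [APPLICATION 0] = bindRequest
    let (t, ver, rest) = read_tlv(op)?;
    if t != 0x02 || ver.len() != 1 { return None; }  // version INTEGER (1..127)
    let (t, dn, rest) = read_tlv(rest)?;
    if t != 0x04 { return None; }                    // name LDAPDN (OCTET STRING)
    let (t, cred, _) = read_tlv(rest)?;
    let auth = match t {
        0x80 => Auth::Simple(utf8(cred)),            // simple [0]: password is on the wire
        0xa3 => Auth::Sasl(utf8(read_tlv(cred)?.1)), // sasl [3]: SaslCredentials.mechanism
        _ => return None,
    };
    Some(BindRequest { message_id, version: ver[0], name: utf8(dn), auth })
}
/// Constructed sample: messageID 1, LDAPv3 simple bind as "cn=admin,dc=example,dc=com", password "secret".
pub fn sample_simple_bind() -> Vec<u8> {
    let mut v = vec![0x30, 0x2c, 0x02, 0x01, 0x01, 0x60, 0x27, 0x02, 0x01, 0x03, 0x04, 0x1a];
    v.extend_from_slice(b"cn=admin,dc=example,dc=com");
    v.extend_from_slice(b"\x80\x06secret");
    v
}
```

A simple bind result with `Auth::Simple` is exactly the "password if cleartext" case the parser above logs; a SASL bind only exposes the mechanism name, since the credentials may be wrapped by GSSAPI.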
