Support for LDAP.
LDAP is widely used and present in many networks.
As defined in - http://tools.ietf.org/html/rfc4516
Updated by Pierre Chifflier 6 months ago
Bringing back this 6-years ticket!
I have a test implementation (currently standalone parser, not a suricata applayer) for LDAP version 3, that more or less works (I still need to work on reliability / testing every possible corner case). LDAP being based on BER, it is based on the same BER/DER decoder than kerberos and x509 parsers embedded in suricata. It currently uses nom 6 and recent versions of everything, so I would primarily target suricata 7.0 (unless there is a great interest for 6.x).
One difficulty though is that to be fully interesting, more protocols have to be decoded: LDAP can use SASL, and can embed GSS-API and/or GSS-SPNEGO layers (this is a common case for Windows networks, where you often encounter integrity-only transport of data).
Call for help: there are many variants of implementations, and I can't have them all here. If you have pcaps to share (especially of LDAP in Active Directory environments), please tell me!
Updated by Pierre Chifflier 5 months ago
Yes, I have a working LDAP parser for suricata, based on the ldap-parser crate I published to crates.io.
It supports LDAPv3 protocol, as well as the cleartext variants of SASL and GSSAPI (for ex. integrity-only encapsulation).
Before submitting the PR, the code still needs some polishing. It currently parse the protocol and log metadata (LDAP operation, bind DN, password if cleartext, etc.), but do not have detect keywords (TBD).