Suricata

Implementation should be in Rust.

Lots of interest at the 2020 Brainstorm.

Bringing back this 6-years ticket!

update:

I have a test implementation (currently standalone parser, not a suricata applayer) for LDAP version 3, that more or less works (I still need to work on reliability / testing every possible corner case). LDAP being based on BER, it is based on the same BER/DER decoder than kerberos and x509 parsers embedded in suricata. It currently uses nom 6 and recent versions of everything, so I would primarily target suricata 7.0 (unless there is a great interest for 6.x).

One difficulty though is that to be fully interesting, more protocols have to be decoded: LDAP can use SASL, and can embed GSS-API and/or GSS-SPNEGO layers (this is a common case for Windows networks, where you often encounter integrity-only transport of data).

Call for help: there are many variants of implementations, and I can't have them all here. If you have pcaps to share (especially of LDAP in Active Directory environments), please tell me!

Hi Victor,
Yes, I have a working LDAP parser for suricata, based on the ldap-parser crate I published to crates.io.
It supports LDAPv3 protocol, as well as the cleartext variants of SASL and GSSAPI (for ex. integrity-only encapsulation).

Before submitting the PR, the code still needs some polishing. It currently parse the protocol and log metadata (LDAP operation, bind DN, password if cleartext, etc.), but do not have detect keywords (TBD).

And Active Directory support ?..

Among other good reasons to have it - here is also a point for detection
https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
(LDAP Host Discovery)

I'd like to pick it up if nobody is currently working on it.

https://github.com/OISF/suricata/pull/11525