Project

General

Profile

Actions

Feature #1199

open

protocol: LDAP support

Added by Peter Manev almost 10 years ago. Updated about 1 month ago.

Status:
In Review
Priority:
High
Target version:
Effort:
medium
Difficulty:
medium
Label:
Protocol

Description

Support for LDAP.
LDAP is widely used and present in many networks.

example -

ldap://host:port/DN?attributes?scope?filter?extensions

As defined in - http://tools.ietf.org/html/rfc4516


Related issues 5 (5 open0 closed)

Related to Suricata - Task #4097: Suricon 2020 brainstormAssignedVictor JulienActions
Related to Suricata - Task #4151: Research: New protocol supportNewCommunity TicketActions
Related to Suricata - Task #5488: Suricon 2022 brainstormAssignedVictor JulienActions
Related to Suricata - Task #5685: tracking: active directory protocols supportNewVictor JulienActions
Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Actions #1

Updated by Victor Julien almost 10 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

I think this would be a great feature for members of the community to either develop or fund.

Actions #2

Updated by Jason Ish almost 6 years ago

  • Effort set to medium
  • Difficulty set to medium
Actions #3

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions #4

Updated by Victor Julien over 4 years ago

Implementation should be in Rust.

Actions #5

Updated by Victor Julien over 4 years ago

  • Label Protocol added
Actions #6

Updated by Jason Ish over 3 years ago

  • Related to Task #4097: Suricon 2020 brainstorm added
Actions #7

Updated by Jason Ish over 3 years ago

Lots of interest at the 2020 Brainstorm.

Actions #8

Updated by Pierre Chifflier over 3 years ago

Bringing back this 6-years ticket!

update:

I have a test implementation (currently standalone parser, not a suricata applayer) for LDAP version 3, that more or less works (I still need to work on reliability / testing every possible corner case). LDAP being based on BER, it is based on the same BER/DER decoder than kerberos and x509 parsers embedded in suricata. It currently uses nom 6 and recent versions of everything, so I would primarily target suricata 7.0 (unless there is a great interest for 6.x).

One difficulty though is that to be fully interesting, more protocols have to be decoded: LDAP can use SASL, and can embed GSS-API and/or GSS-SPNEGO layers (this is a common case for Windows networks, where you often encounter integrity-only transport of data).

Call for help: there are many variants of implementations, and I can't have them all here. If you have pcaps to share (especially of LDAP in Active Directory environments), please tell me!

Actions #9

Updated by Victor Julien over 3 years ago

  • Related to Task #4151: Research: New protocol support added
Actions #10

Updated by Victor Julien over 3 years ago

  • Status changed from New to In Progress
  • Assignee changed from Community Ticket to Pierre Chifflier
  • Target version changed from TBD to 7.0.0-beta1

Hi Pierre, did I understand correctly that you've made further progress on this?

Actions #11

Updated by Pierre Chifflier over 3 years ago

Hi Victor,
Yes, I have a working LDAP parser for suricata, based on the ldap-parser crate I published to crates.io.
It supports LDAPv3 protocol, as well as the cleartext variants of SASL and GSSAPI (for ex. integrity-only encapsulation).

Before submitting the PR, the code still needs some polishing. It currently parse the protocol and log metadata (LDAP operation, bind DN, password if cleartext, etc.), but do not have detect keywords (TBD).

Actions #12

Updated by Victor Julien almost 2 years ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Actions #13

Updated by Philippe Antoine over 1 year ago

  • Related to Task #5488: Suricon 2022 brainstorm added
Actions #14

Updated by Philippe Antoine over 1 year ago

And Active Directory support ?..

Actions #15

Updated by Philippe Antoine over 1 year ago

  • Priority changed from Normal to High
Actions #16

Updated by Victor Julien over 1 year ago

  • Subject changed from LDAP support to protocol: LDAP
Actions #17

Updated by Victor Julien over 1 year ago

  • Subject changed from protocol: LDAP to protocol: LDAP support
Actions #18

Updated by Victor Julien over 1 year ago

  • Related to Task #5685: tracking: active directory protocols support added
Actions #19

Updated by Peter Manev over 1 year ago

Among other good reasons to have it - here is also a point for detection
https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
(LDAP Host Discovery)

Actions #20

Updated by Philippe Antoine 6 months ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions #21

Updated by Giuseppe Longo 6 months ago

I'd like to pick it up if nobody is currently working on it.

Actions #22

Updated by Victor Julien 6 months ago

  • Assignee changed from Pierre Chifflier to Giuseppe Longo
Actions #23

Updated by Victor Julien about 1 month ago

  • Status changed from In Progress to In Review
Actions

Also available in: Atom PDF