Project

General

Profile

Feature #1199

LDAP support

Added by Peter Manev almost 7 years ago. Updated 5 months ago.

Status:
In Progress
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
medium
Label:
Protocol

Description

Support for LDAP.
LDAP is widely used and present in many networks.

example -

ldap://host:port/DN?attributes?scope?filter?extensions

As defined in - http://tools.ietf.org/html/rfc4516


Related issues

Related to Task #4097: Suricon 2020 brainstormNewVictor JulienActions
Related to Task #4151: Research: New protocol supportNewCommunity TicketActions
#1

Updated by Victor Julien almost 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

I think this would be a great feature for members of the community to either develop or fund.

#2

Updated by Jason Ish almost 3 years ago

  • Effort set to medium
  • Difficulty set to medium
#3

Updated by Andreas Herz about 2 years ago

  • Assignee set to Community Ticket
#4

Updated by Victor Julien over 1 year ago

Implementation should be in Rust.

#5

Updated by Victor Julien over 1 year ago

  • Label Protocol added
#6

Updated by Jason Ish 6 months ago

  • Related to Task #4097: Suricon 2020 brainstorm added
#7

Updated by Jason Ish 6 months ago

Lots of interest at the 2020 Brainstorm.

#8

Updated by Pierre Chifflier 6 months ago

Bringing back this 6-years ticket!

update:

I have a test implementation (currently standalone parser, not a suricata applayer) for LDAP version 3, that more or less works (I still need to work on reliability / testing every possible corner case). LDAP being based on BER, it is based on the same BER/DER decoder than kerberos and x509 parsers embedded in suricata. It currently uses nom 6 and recent versions of everything, so I would primarily target suricata 7.0 (unless there is a great interest for 6.x).

One difficulty though is that to be fully interesting, more protocols have to be decoded: LDAP can use SASL, and can embed GSS-API and/or GSS-SPNEGO layers (this is a common case for Windows networks, where you often encounter integrity-only transport of data).

Call for help: there are many variants of implementations, and I can't have them all here. If you have pcaps to share (especially of LDAP in Active Directory environments), please tell me!

#9

Updated by Victor Julien 6 months ago

  • Related to Task #4151: Research: New protocol support added
#10

Updated by Victor Julien 5 months ago

  • Status changed from New to In Progress
  • Assignee changed from Community Ticket to Pierre Chifflier
  • Target version changed from TBD to 7.0beta1

Hi Pierre, did I understand correctly that you've made further progress on this?

#11

Updated by Pierre Chifflier 5 months ago

Hi Victor,
Yes, I have a working LDAP parser for suricata, based on the ldap-parser crate I published to crates.io.
It supports LDAPv3 protocol, as well as the cleartext variants of SASL and GSSAPI (for ex. integrity-only encapsulation).

Before submitting the PR, the code still needs some polishing. It currently parse the protocol and log metadata (LDAP operation, bind DN, password if cleartext, etc.), but do not have detect keywords (TBD).

Also available in: Atom PDF