Feature #7536

open

detect/ldap: add keywords for LDAP BindRequest

Added by Alice da Silva Akaki about 1 month ago. Updated 6 days ago.

Status: New
Priority: High
Target version:
Effort:
Difficulty:
Label:

Description

ldap.bind_request.version, an integer between 1 and 127
ldap.bind_request.authentication, enum + an octet string

Eve fields to match:
ldap.request.bind_request.version

ldap.request.bind_request.sasl.mechanism
ldap.request.bind_request.sasl.credentials
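
The fields listed in this description, decoded from a raw BindRequest, as an added example that is not part of the ticket or of Suricata's code: a minimal Python BER decoder following the BindRequest layout in RFC 4511. The function names, the returned dictionary keys and the sample messages are constructed for illustration; the `auth` key is hypothetical, and how the credentials would be represented in EVE output is not specified on this page.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at pos (definite lengths only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want_tag, what):
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")
    return value, nxt

def parse_bind_request(msg):
    """Added example, not Suricata code: decode the BindRequest fields named in the ticket."""
    body, _ = expect(msg, 0, 0x30, "LDAPMessage SEQUENCE")
    _, pos = expect(body, 0, 0x02, "messageID INTEGER")
    op, _ = expect(body, pos, 0x60, "BindRequest [APPLICATION 0]")
    raw_version, pos = expect(op, 0, 0x02, "version INTEGER")
    version = int.from_bytes(raw_version, "big", signed=True)
    if not 1 <= version <= 127:              # range stated in the ticket description
        raise ValueError(f"version {version} outside 1..127")
    _, pos = expect(op, pos, 0x04, "name LDAPDN")
    tag, auth, _ = read_tlv(op, pos)         # AuthenticationChoice: simple [0] or sasl [3]
    if tag not in (0x80, 0xA3):
        raise ValueError(f"unsupported AuthenticationChoice tag 0x{tag:02x}")
    out = {"version": version, "auth": "simple" if tag == 0x80 else "sasl"}  # "auth": hypothetical key
    if tag == 0xA3:                          # SaslCredentials: mechanism, optional credentials
        mech, p = expect(auth, 0, 0x04, "SASL mechanism")
        out["sasl.mechanism"] = mech.decode("ascii", "replace")
        if p < len(auth):
            out["sasl.credentials"], _ = expect(auth, p, 0x04, "SASL credentials")
    return out

def tlv(tag, value):                         # short-form encoder for the constructed samples
    return bytes([tag, len(value)]) + value
def sample(version, auth):                   # constructed message: messageID 1, empty name
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, version) + tlv(0x04, b"") + auth))
SASL_BIND = sample(b"\x03", tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x01\x02\x03")))
SIMPLE_BIND = sample(b"\x03", tlv(0x80, b"constructed-secret"))
```

The simple-bind password is deliberately not copied into the result; only the SASL mechanism and credentials, the two fields the description lists, are returned.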


Related issues 2 (2 open, 0 closed)

Related to Suricata - Feature #7470: detect/ldap: add ldap.bind.version keyword (New, Alice da Silva Akaki)
Blocks Suricata - Task #7452: ldap: add keywords to match output (In Progress, Alice da Silva Akaki)
Actions #1

Updated by Philippe Antoine about 1 month ago

  • Blocks Task #7452: ldap: add keywords to match output added
Actions #2

Updated by Philippe Antoine about 1 month ago

ldap.bind_request.authentication is an enum + an octet string...

Actions #3

Updated by Alice da Silva Akaki about 1 month ago

  • Description updated (diff)
Actions #4

Updated by Alice da Silva Akaki 15 days ago

  • Subject changed from detect: add keywords for BindRequest to detect/ldap: add keywords for LDAP BindRequest
Actions #5

Updated by Philippe Antoine 13 days ago

  • Priority changed from Normal to High
Actions #6

Updated by Philippe Antoine 6 days ago

Idea for the ldap.request.bind.auth keyword: have it be a sticky buffer but with a required option, like ldap.request.bind.auth: sasl; content: "toto"; and the parser only accepts the 4 different auth mechanisms defined in the LDAP ASN.1

Actions #7

Updated by Philippe Antoine 6 days ago

  • Related to Feature #7470: detect/ldap: add ldap.bind.version keyword added