Added by Alice da Silva Akaki 11 months ago. Updated 13 days ago.
Description
ldap.bind_request.version, an integer between 1 and 127
ldap.bind_request.authentication, enum + an octet string
Eve fields to match:
ldap.request.bind_request.version
ldap.request.bind_request.sasl.mechanism
ldap.request.bind_request.sasl.credentials
ldap.bind_request.authentication is an enum + an octet string...
The authentication is especially interesting according to https://suricon.net/wp-content/uploads/2024/12/SuriCon2024-Pierre-Chifflier_Adding-LDAP-to-Suricata.pdf
Idea for ldap.request.bind.auth keyword : have it a sticky buffer but with required option, like ldap.request.bind.auth: sasl; content: "toto"; and the parser only accepts the 4 different auth mechanisms defined in ldap asn1
Hi there, considering our stale tickets policy, I'm unclaiming this ticket. Feel free to ask to work on this or another again, if you have time in the future :)