8.53. LDAP Keywords

8.53.1. LDAP Request and Response operations

Operation values for ldap.request.operation and ldap.responses.operation keywords

Code   Operation
-----  -----------------------
0      bind_request
1      bind_response
2      unbind_request
3      search_request
4      search_result_entry
5      search_result_done
6      modify_request
7      modify_response
8      add_request
9      add_response
10     del_request
11     del_response
12     mod_dn_request
13     mod_dn_response
14     compare_request
15     compare_response
16     abandon_request
19     search_result_reference
23     extended_request
24     extended_response
25     intermediate_response

The keywords ldap.request.operation and ldap.responses.operation accept both the operation code and the operation name as arguments.

8.53.2. ldap.request.operation

Suricata has an ldap.request.operation keyword that can be used in signatures to identify and filter network packets based on Lightweight Directory Access Protocol (LDAP) request operations.

Syntax:

ldap.request.operation: operation;

ldap.request.operation uses an unsigned 8-bit integer.

This keyword maps to the EVE field ldap.request.operation.

8.53.2.1. Examples

Examples of signatures that would alert if the packet has an LDAP bind request operation:

alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)

alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:bind_request; sid:1;)

8.53.3. ldap.responses.operation

Suricata has an ldap.responses.operation keyword that can be used in signatures to identify and filter network packets based on Lightweight Directory Access Protocol (LDAP) response operations.

Syntax:

ldap.responses.operation: operation[,index];

ldap.responses.operation uses an unsigned 8-bit integer.

This keyword maps to the EVE field ldap.responses[].operation.

An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation keyword is checked against every index of the responses array and matches if any of them matches, but it is possible to specify a particular index for matching and also to use the flags all and any.

Index values for ldap.responses.operation keyword

Value      Description
---------  -------------------------------------------------
[default]  Match with any index
all        Match only if all indexes match
any        Match with any index
>=0        Match specific index
<0         Match specific index with back to front indexing

8.53.3.1. Examples

Examples of signatures that would alert if the packet has an LDAP bind response operation:

alert ldap any any -> any any (msg:"Test LDAP bind response"; ldap.responses.operation:1; sid:1;)

alert ldap any any -> any any (msg:"Test LDAP bind response"; ldap.responses.operation:bind_response; sid:1;)

Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1:

alert ldap any any -> any any (msg:"Test LDAP search response"; ldap.responses.operation:search_result_done,1; sid:1;)

Example of a signature that would alert if all the responses are of type search_result_entry:

alert ldap any any -> any any (msg:"Test LDAP search response"; ldap.responses.operation:search_result_entry,all; sid:1;)

The keyword ldap.responses.operation supports back to front indexing with negative numbers: -1 represents the last index, -2 the second to last index, and so on. This is an example of a signature that would alert if a search_result_entry response is found at the last index:

alert ldap any any -> any any (msg:"Test LDAP search response"; ldap.responses.operation:search_result_entry,-1; sid:1;)

8.53.4. ldap.responses.count

Matches based on the number of responses.

Syntax:

ldap.responses.count: [op]number;

It can be matched exactly, or compared using the op setting:

ldap.responses.count:3    # exactly 3 responses
ldap.responses.count:<3   # fewer than 3 responses
ldap.responses.count:>=2  # 2 or more responses

ldap.responses.count uses an unsigned 32-bit integer.

This keyword maps to the EVE field len(ldap.responses[]).

8.53.4.1. Examples

Example of a signature that would alert if a packet has 0 LDAP responses:

alert ldap any any -> any any (msg:"Packet has 0 LDAP responses"; ldap.responses.count:0; sid:1;)

Example of a signature that would alert if a packet has more than 2 LDAP responses:

alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; ldap.responses.count:>2; sid:1;)

8.53.5. ldap.request.dn

Matches on LDAP distinguished names from request operations.

Comparison is case-sensitive.

Syntax:

ldap.request.dn; content:"<content to match against>";

ldap.request.dn is a 'sticky buffer' and can be used as a fast_pattern.

This keyword maps to the EVE fields:

  • ldap.request.bind_request.name

  • ldap.request.add_request.entry

  • ldap.request.search_request.base_object

  • ldap.request.modify_request.object

  • ldap.request.del_request.dn

  • ldap.request.mod_dn_request.entry

  • ldap.request.compare_request.entry

8.53.5.1. Example

Example of a signature that would alert if a packet has the LDAP distinguished name uid=jdoe,ou=People,dc=example,dc=com:

alert ldap any any -> any any (msg:"Test LDAPDN"; ldap.request.dn; content:"uid=jdoe,ou=People,dc=example,dc=com"; sid:1;)

It is possible to use the keyword ldap.request.operation in the same rule to specify the operation to match.

Here is an example of a signature that would alert if a packet has an LDAP search request operation and contains the LDAP distinguished name dc=example,dc=com:

alert ldap any any -> any any (msg:"Test LDAPDN and operation"; ldap.request.operation:search_request; ldap.request.dn; content:"dc=example,dc=com"; sid:1;)

8.53.6. ldap.responses.dn

Matches on LDAP distinguished names from response operations.

Comparison is case-sensitive.

Syntax:

ldap.responses.dn; content:"<content to match against>";

ldap.responses.dn is a 'sticky buffer' and can be used as a fast_pattern.

ldap.responses.dn supports multiple buffer matching, see Multiple Buffer Matching.

This keyword maps to the EVE fields:

  • ldap.responses[].search_result_entry.base_object

  • ldap.responses[].bind_response.matched_dn

  • ldap.responses[].search_result_done.matched_dn

  • ldap.responses[].modify_response.matched_dn

  • ldap.responses[].add_response.matched_dn

  • ldap.responses[].del_response.matched_dn

  • ldap.responses[].mod_dn_response.matched_dn

  • ldap.responses[].compare_response.matched_dn

  • ldap.responses[].extended_response.matched_dn

Note

If a response within the array does not contain the distinguished name field, this field will be interpreted as an empty buffer.

8.53.6.1. Example

Example of a signature that would alert if a packet has the LDAP distinguished name dc=example,dc=com:

alert ldap any any -> any any (msg:"Test LDAPDN"; ldap.responses.dn; content:"dc=example,dc=com"; sid:1;)

It is possible to use the keyword ldap.responses.operation in the same rule to specify the operation to match.

Here is an example of a signature that would alert if a packet has an LDAP search result entry operation at index 1 of the responses array and contains the LDAP distinguished name dc=example,dc=com:

alert ldap any any -> any any (msg:"Test LDAPDN and operation"; ldap.responses.operation:search_result_entry,1; ldap.responses.dn; content:"dc=example,dc=com"; sid:1;)
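As an added Python model (not Suricata's code) of how ldap.responses.dn behaves as a multi-buffer sticky buffer, the code below builds one buffer per response from the EVE field list above, turns a missing DN field into an empty buffer as the note states, and evaluates the combined rule above. Assumptions: the responses array is constructed, and the operation and dn keywords in the combined rule are treated as independent checks on the same array.

```python
# Added model (not Suricata's own code) of ldap.responses.dn as a multi-buffer
# sticky buffer built from an EVE-style responses array.
DN_FIELD = {  # per-operation DN field, from the EVE field list above
    "search_result_entry": "base_object",
    "bind_response": "matched_dn", "search_result_done": "matched_dn",
    "modify_response": "matched_dn", "add_response": "matched_dn",
    "del_response": "matched_dn", "mod_dn_response": "matched_dn",
    "compare_response": "matched_dn", "extended_response": "matched_dn",
}

def dn_buffers(responses):
    """One buffer per response. A response type with no DN field (for example
    search_result_reference) contributes an empty buffer, as the note says."""
    buffers = []
    for r in responses:
        op = r["operation"]
        field = DN_FIELD.get(op)
        buffers.append(r.get(op, {}).get(field, "") if field else "")
    return buffers

def content_match(buffers, needle):
    """content: against a multi-buffer keyword is a case-sensitive substring
    test; the rule matches if any single buffer contains the pattern."""
    return any(needle in b for b in buffers)

def rule_dn_and_operation(responses, needle):
    """The combined example above: ldap.responses.operation:search_result_entry,1
    plus ldap.responses.dn; content:"<needle>". Assumption: the two keywords are
    independent checks, so the DN may come from any response, not only index 1."""
    op_at_1 = len(responses) > 1 and responses[1]["operation"] == "search_result_entry"
    return op_at_1 and content_match(dn_buffers(responses), needle)

# Constructed sample: two entries, a reference carrying no DN, then done.
SEARCH = [
    {"operation": "search_result_entry",
     "search_result_entry": {"base_object": "uid=jdoe,ou=People,dc=example,dc=com"}},
    {"operation": "search_result_entry",
     "search_result_entry": {"base_object": "uid=asmith,ou=People,dc=example,dc=com"}},
    {"operation": "search_result_reference"},
    {"operation": "search_result_done",
     "search_result_done": {"result_code": "success", "matched_dn": ""}},
]
```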

8.53.7. ldap.responses.result_code

Suricata has an ldap.responses.result_code keyword that can be used in signatures to identify and filter network packets based on their LDAP result code.

Syntax:

ldap.responses.result_code: code[,index];

ldap.responses.result_code uses an unsigned 32-bit integer.

This keyword maps to the following EVE fields:

  • ldap.responses[].bind_response.result_code

  • ldap.responses[].search_result_done.result_code

  • ldap.responses[].modify_response.result_code

  • ldap.responses[].add_response.result_code

  • ldap.responses[].del_response.result_code

  • ldap.responses[].mod_dn_response.result_code

  • ldap.responses[].compare_response.result_code

  • ldap.responses[].extended_response.result_code

Result code values for ldap.responses.result_code

Code   Name
-----  -------------------------------
0      success
1      operations_error
2      protocol_error
3      time_limit_exceeded
4      size_limit_exceeded
5      compare_false
6      compare_true
7      auth_method_not_supported
8      stronger_auth_required
10     referral
11     admin_limit_exceeded
12     unavailable_critical_extension
13     confidentiality_required
14     sasl_bind_in_progress
16     no_such_attribute
17     undefined_attribute_type
18     inappropriate_matching
19     constraint_violation
20     attribute_or_value_exists
21     invalid_attribute_syntax
32     no_such_object
33     alias_problem
34     invalid_dns_syntax
35     is_leaf
36     alias_dereferencing_problem
48     inappropriate_authentication
49     invalid_credentials
50     insufficient_access_rights
51     busy
52     unavailable
53     unwilling_to_perform
54     loop_detect
60     sort_control_missing
61     offset_range_error
64     naming_violation
65     object_class_violation
66     not_allowed_on_non_leaf
67     not_allowed_on_rdn
68     entry_already_exists
69     object_class_mods_prohibited
70     results_too_large
71     affects_multiple_dsas
76     control_error
80     other
81     server_down
82     local_error
83     encoding_error
84     decoding_error
85     timeout
86     auth_unknown
87     filter_error
88     user_canceled
89     param_error
90     no_memory
91     connect_error
92     not_supported
93     control_not_found
94     no_results_returned
95     more_results_to_return
96     client_loop
97     referral_limit_exceeded
100    invalid_response
101    ambiguous_response
112    tls_not_supported
113    intermediate_response
114    unknown_type
118    canceled
119    no_such_operation
120    too_late
121    cannot_cancel
122    assertion_failed
123    authorization_denied
4096   e_sync_refresh_required
16654  no_operation

More information about LDAP result code values can be found here: https://ldap.com/ldap-result-code-reference/

An LDAP request operation can receive multiple responses. By default, the ldap.responses.result_code keyword is checked against every index of the responses array and matches if any of them matches, but it is possible to specify a particular index for matching and also to use the flags all and any.

Index values for ldap.responses.result_code keyword

Value      Description
---------  -------------------------------------------------
[default]  Match with any index
all        Match only if all indexes match
any        Match with any index
>=0        Match specific index
<0         Match specific index with back to front indexing

8.53.7.1. Examples

Example of signatures that would alert if the packet has a success LDAP result code at any index:

alert ldap any any -> any any (msg:"Test LDAP result code"; ldap.responses.result_code:0; sid:1;)

alert ldap any any -> any any (msg:"Test LDAP result code"; ldap.responses.result_code:success,any; sid:1;)

Example of a signature that would alert if the packet has an unavailable LDAP result code at index 1:

alert ldap any any -> any any (msg:"Test LDAP result code at index 1"; ldap.responses.result_code:unavailable,1; sid:1;)

Example of a signature that would alert if all the responses have a success LDAP result code:

alert ldap any any -> any any (msg:"Test all LDAP responses have success result code"; ldap.responses.result_code:success,all; sid:1;)

The keyword ldap.responses.result_code supports back to front indexing with negative numbers: -1 represents the last index, -2 the second to last index, and so on. This is an example of a signature that would alert if a success result code is found at the last index:

alert ldap any any -> any any (msg:"Test LDAP success at last index"; ldap.responses.result_code:success,-1; sid:1;)
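As an added Python model (not Suricata's code) of the index table shared by ldap.responses.operation (8.53.3) and ldap.responses.result_code, the functions below resolve an operation,index or code,index argument against an EVE-style responses array, covering the default, any, all, positive and negative index cases. Assumptions: the sample arrays are constructed, result codes are stored by name, the RESULT_CODES map is a subset of the table above, and an empty array or out-of-range index counts as no match.

```python
# Added model (not Suricata's own code) of the ",index" argument shared by
# ldap.responses.operation and ldap.responses.result_code.
OPERATIONS = {  # codes and names from the operation table on this page
    0: "bind_request", 1: "bind_response", 2: "unbind_request",
    3: "search_request", 4: "search_result_entry", 5: "search_result_done",
    6: "modify_request", 7: "modify_response", 8: "add_request",
    9: "add_response", 10: "del_request", 11: "del_response",
    12: "mod_dn_request", 13: "mod_dn_response", 14: "compare_request",
    15: "compare_response", 16: "abandon_request", 19: "search_result_reference",
    23: "extended_request", 24: "extended_response", 25: "intermediate_response",
}
# Subset of the result code table, enough for the checks below.
RESULT_CODES = {0: "success", 4: "size_limit_exceeded", 49: "invalid_credentials",
                52: "unavailable", 53: "unwilling_to_perform"}

def normalize(value, table):
    """Both keywords accept the numeric code or the name; map code -> name."""
    value = value.strip()
    return table[int(value)] if value.isdigit() else value

def index_match(values, wanted, index=None):
    """Apply the index table: default/any, all, 0-based index, negative index.
    Assumptions: an empty array never matches and an index outside the
    array is simply no match."""
    if index is None or index == "any":
        return any(v == wanted for v in values)
    if index == "all":
        return bool(values) and all(v == wanted for v in values)
    i = int(index)  # -1 is the last response, -2 the second to last, ...
    return -len(values) <= i < len(values) and values[i] == wanted

def match_operation(responses, arg):
    """ldap.responses.operation:<op>[,index] over an EVE-style responses array."""
    op, _, idx = arg.partition(",")
    names = [r["operation"] for r in responses]
    return index_match(names, normalize(op, OPERATIONS), idx.strip() or None)

def match_result_code(responses, arg):
    """ldap.responses.result_code:<code>[,index]. The code sits under the
    per-operation object (ldap.responses[].<operation>.result_code), so a
    response type without one (search_result_entry) contributes None."""
    code, _, idx = arg.partition(",")
    codes = [r.get(r["operation"], {}).get("result_code") for r in responses]
    return index_match(codes, normalize(code, RESULT_CODES), idx.strip() or None)

# Constructed samples (result codes stored by name, as assumed here).
SEARCH = [{"operation": "search_result_entry"}, {"operation": "search_result_entry"},
          {"operation": "search_result_done", "search_result_done": {"result_code": "success"}}]
BIND_FAIL = [{"operation": "bind_response",
              "bind_response": {"result_code": "invalid_credentials"}}]
```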

8.53.8. ldap.responses.message

Matches on LDAP error messages from response operations.

Comparison is case-sensitive.

Syntax:

ldap.responses.message; content:"<content to match against>";

ldap.responses.message is a 'sticky buffer' and can be used as a fast_pattern.

ldap.responses.message supports multiple buffer matching, see Multiple Buffer Matching.

This keyword maps to the EVE fields:

  • ldap.responses[].bind_response.message

  • ldap.responses[].search_result_done.message

  • ldap.responses[].modify_response.message

  • ldap.responses[].add_response.message

  • ldap.responses[].del_response.message

  • ldap.responses[].mod_dn_response.message

  • ldap.responses[].compare_response.message

  • ldap.responses[].extended_response.message

Note

If a response within the array does not contain the error message field, this field will be interpreted as an empty buffer.

8.53.8.1. Example

Example of a signature that would alert if a packet has the LDAP error message Size limit exceeded:

alert ldap any any -> any any (msg:"Test LDAP error message"; ldap.responses.message; content:"Size limit exceeded"; sid:1;)

8.53.9. ldap.request.attribute_type

Matches on LDAP attribute type from request operations.

Comparison is case-sensitive.

Syntax:

ldap.request.attribute_type; content:"<content to match against>";

ldap.request.attribute_type is a 'sticky buffer' and can be used as a fast_pattern.

ldap.request.attribute_type supports multiple buffer matching, see Multiple Buffer Matching.

This keyword maps to the EVE fields:

  • ldap.request.search_request.attributes[]

  • ldap.request.modify_request.changes[].modification.attribute_type

  • ldap.request.add_request.attributes[].name

  • ldap.request.compare_request.attribute_value_assertion.description

8.53.9.1. Example

Example of a signature that would alert if a packet has the LDAP attribute type objectClass:

alert ldap any any -> any any (msg:"Test attribute type"; ldap.request.attribute_type; content:"objectClass"; sid:1;)

It is possible to use the keyword ldap.request.operation in the same rule to specify the operation to match.

Here is an example of a signature that would alert if a packet has an LDAP add request operation and contains the LDAP attribute type objectClass:

alert ldap any any -> any any (msg:"Test attribute type and operation"; ldap.request.operation:add_request; ldap.request.attribute_type; content:"objectClass"; sid:1;)

8.53.10. ldap.responses.attribute_type

Matches on LDAP attribute type from response operations.

Comparison is case-sensitive.

Syntax:

ldap.responses.attribute_type; content:"<content to match against>";

ldap.responses.attribute_type is a 'sticky buffer' and can be used as a fast_pattern.

ldap.responses.attribute_type supports multiple buffer matching, see Multiple Buffer Matching.

This keyword maps to the EVE field ldap.responses[].search_result_entry.attributes[].type

8.53.10.1. Example

Example of a signature that would alert if a packet has the LDAP attribute type dc:

alert ldap any any -> any any (msg:"Test responses attribute type"; ldap.responses.attribute_type; content:"dc"; sid:1;)

It is possible to use the keyword ldap.responses.operation in the same rule to specify the operation to match.

Here is an example of a signature that would alert if a packet has an LDAP search result entry operation at index 1 of the responses array and contains the LDAP attribute type dc:

alert ldap any any -> any any (msg:"Test attribute type and operation"; ldap.responses.operation:search_result_entry,1; ldap.responses.attribute_type; content:"dc"; sid:1;)