8.52. LDAP Keywords

8.52.1. LDAP Request and Response operations

Operation values for ldap.request.operation and ldap.responses.operation keywords:

====  ========================
Code  Operation
====  ========================
0     bind_request
1     bind_response
2     unbind_request
3     search_request
4     search_result_entry
5     search_result_done
6     modify_request
7     modify_response
8     add_request
9     add_response
10    del_request
11    del_response
12    mod_dn_request
13    mod_dn_response
14    compare_request
15    compare_response
16    abandon_request
19    search_result_reference
23    extended_request
24    extended_response
25    intermediate_response
====  ========================

The keywords ldap.request.operation and ldap.responses.operation accept both the operation code and the operation name as arguments.

8.52.2. ldap.request.operation

Suricata has a ldap.request.operation keyword that can be used in signatures to identify and filter network packets based on Lightweight Directory Access Protocol request operations.

Syntax:

ldap.request.operation: operation;

ldap.request.operation uses an unsigned 8-bit integer.

This keyword maps to the eve field ldap.request.operation.

8.52.2.1. Examples

Examples of signatures that would alert if the packet has an LDAP bind request operation, first by code and then by name:

alert tcp any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)

alert tcp any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:bind_request; sid:1;)

8.52.3. ldap.responses.operation

Suricata has a ldap.responses.operation keyword that can be used in signatures to identify and filter network packets based on Lightweight Directory Access Protocol response operations.

Syntax:

ldap.responses.operation: operation[,index];

ldap.responses.operation uses an unsigned 8-bit integer.

This keyword maps to the eve field ldap.responses[].operation.

An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation keyword matches all indices, but it is possible to specify a particular index for matching and also use flags such as all and any.

Index values for ldap.responses.operation keyword:

=========  ================================================
Value      Description
=========  ================================================
[default]  Match with any index
all        Match only if all indexes match
any        Match with any index
>= 0       Match specific index
< 0        Match specific index with back to front indexing
=========  ================================================

8.52.3.1. Examples

Examples of signatures that would alert if the packet has an LDAP bind response operation, first by code and then by name:

alert tcp any any -> any any (msg:"Test LDAP bind response"; ldap.responses.operation:1; sid:1;)

alert tcp any any -> any any (msg:"Test LDAP bind response"; ldap.responses.operation:bind_response; sid:1;)

Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1:

alert tcp any any -> any any (msg:"Test LDAP search response"; ldap.responses.operation:search_result_done,1; sid:1;)

Example of a signature that would alert if all the responses are of type search_result_entry:

alert tcp any any -> any any (msg:"Test LDAP search response"; ldap.responses.operation:search_result_entry,all; sid:1;)

The keyword ldap.responses.operation supports back to front indexing with negative numbers: -1 represents the last index, -2 the second to last index, and so on. This is an example of a signature that would alert if a search_result_entry response is found at the last index:

alert tcp any any -> any any (msg:"Test LDAP search response"; ldap.responses.operation:search_result_entry,-1; sid:1;)

8.52.4. ldap.responses.count

Matches based on the number of responses.

Syntax:

ldap.responses.count: [op]number;

It can be matched exactly, or compared using the op setting:

ldap.responses.count:3    # exactly 3 responses
ldap.responses.count:<3   # less than 3 responses
ldap.responses.count:>=2  # more or equal to 2 responses

ldap.responses.count uses an unsigned 32-bit integer.

This keyword maps to the eve field len(ldap.responses[]).

8.52.4.1. Examples

Example of a signature that would alert if a packet has 0 LDAP responses:

alert ip any any -> any any (msg:"Packet has 0 LDAP responses"; ldap.responses.count:0; sid:1;)

Example of a signature that would alert if a packet has more than 2 LDAP responses:

alert ip any any -> any any (msg:"Packet has more than 2 LDAP responses"; ldap.responses.count:>2; sid:1;)