doc/userguide/rules/ldap-keywords.rst
.. role:: example-rule-action .. role:: example-rule-header .. role:: example-rule-options .. role:: example-rule-emphasis
.. table:: Operation values for ldap.request.operation and ldap.responses.operation keywords
==== ================================================
Code Operation
==== ================================================
0 bind_request
1 bind_response
2 unbind_request
3 search_request
4 search_result_entry
5 search_result_done
6 modify_request
7 modify_response
8 add_request
9 add_response
10 del_request
11 del_response
12 mod_dn_request
13 mod_dn_response
14 compare_request
15 compare_response
16 abandon_request
19 search_result_reference
23 extended_request
24 extended_response
25 intermediate_response
==== ================================================
The keywords ldap.request.operation and ldap.responses.operation accept both the operation code and the operation name as arguments.
Suricata has a ldap.request.operation keyword that can be used in signatures to identify
and filter network packets based on Lightweight Directory Access Protocol request operations.
Syntax::
ldap.request.operation: operation;
ldap.request.operation uses :ref:unsigned 8-bit integer <rules-integer-keywords>.
This keyword maps to the EVE field ldap.request.operation
Examples ^^^^^^^^
Example of a signatures that would alert if the packet has an LDAP bind request operation:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:ldap.request.operation:0; sid:1;)
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP bind request"; :example-rule-emphasis:ldap.request.operation:bind_request; sid:1;)
Suricata has a ldap.responses.operation keyword that can be used in signatures to identify
and filter network packets based on Lightweight Directory Access Protocol response operations.
Syntax::
ldap.responses.operation: operation[,index];
ldap.responses.operation uses :ref:unsigned 8-bit integer <rules-integer-keywords>.
ldap.responses.operation is also a :ref:multi-integer <multi-integers>.
This keyword maps to the EVE field ldap.responses[].operation
An LDAP request operation can receive multiple responses. By default, the ldap.responses.operation
keyword matches all indices, but it is possible to specify a particular index for matching
and also use flags such as all and any.
.. table:: Index values for ldap.responses.operation keyword
========= ================================================
Value Description
========= ================================================
[default] Match with any index
all Match only if all indexes match
any Match with any index
0>= Match specific index
0< Match specific index with back to front indexing
========= ================================================
Examples ^^^^^^^^
Example of a signatures that would alert if the packet has an LDAP bind response operation:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:ldap.responses.operation:1; sid:1;)
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP bind response"; :example-rule-emphasis:ldap.responses.operation:bind_response; sid:1;)
Example of a signature that would alert if the packet has an LDAP search_result_done response operation at index 1:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:ldap.responses.operation:search_result_done,1; sid:1;)
Example of a signature that would alert if all the responses are of type search_result_entry:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:ldap.responses.operation:search_result_entry,all; sid:1;)
The keyword ldap.responses.operation supports back to front indexing with negative numbers, this means that -1 will represent the last index, -2 the second to last index, and so on. This is an example of a signature that would alert if a search_result_entry response is found at the last index:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP search response"; :example-rule-emphasis:ldap.responses.operation:search_result_entry,-1; sid:1;)
Matches based on the number of responses.
Syntax::
ldap.responses.count: [op]number;
It can be matched exactly, or compared using the op setting::
ldap.responses.count:3 # exactly 3 responses ldap.responses.count:<3 # less than 3 responses ldap.responses.count:>=2 # more or equal to 2 responses
ldap.responses.count uses :ref:unsigned 32-bit integer <rules-integer-keywords>.
This keyword maps to the EVE field len(ldap.responses[])
Examples ^^^^^^^^
Example of a signature that would alert if a packet has 0 LDAP responses:
.. container:: example-rule
alert ldap any any -> any any (msg:"Packet has 0 LDAP responses"; :example-rule-emphasis:ldap.responses.count:0; sid:1;)
Example of a signature that would alert if a packet has more than 2 LDAP responses:
.. container:: example-rule
alert ldap any any -> any any (msg:"Packet has more than 2 LDAP responses"; :example-rule-emphasis:ldap.responses.count:>2; sid:1;)
Matches on LDAP distinguished names from request operations.
Comparison is case-sensitive.
Syntax::
ldap.request.dn; content:"<content to match against>";
ldap.request.dn is a 'sticky buffer' and can be used as a fast_pattern.
This keyword maps to the EVE fields:
ldap.request.bind_request.nameldap.request.add_request.entryldap.request.search_request.base_objectldap.request.modify_request.objectldap.request.del_request.dnldap.request.mod_dn_request.entryldap.request.compare_request.entryExample ^^^^^^^
Example of a signature that would alert if a packet has the LDAP distinguished name uid=jdoe,ou=People,dc=example,dc=com:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:ldap.request.dn; content:"uid=jdoe,ou=People,dc=example,dc=com"; sid:1;)
It is possible to use the keyword ldap.request.operation in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
search request operation and contains the LDAP distinguished name
dc=example,dc=com.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:ldap.request.operation:search_request; ldap.request.dn; content:"dc=example,dc=com"; sid:1;)
Matches on LDAP distinguished names from response operations.
Comparison is case-sensitive.
Syntax::
ldap.responses.dn; content:"<content to match against>";
ldap.responses.dn is a 'sticky buffer' and can be used as a fast_pattern.
ldap.responses.dn supports multiple buffer matching, see :doc:multi-buffer-matching.
This keyword maps to the EVE fields:
ldap.responses[].search_result_entry.base_objectldap.responses[].bind_response.matched_dnldap.responses[].search_result_done.matched_dnldap.responses[].modify_response.matched_dnldap.responses[].add_response.matched_dnldap.responses[].del_response.matched_dnldap.responses[].mod_dn_response.matched_dnldap.responses[].compare_response.matched_dnldap.responses[].extended_response.matched_dn.. note::
If a response within the array does not contain the
distinguished name field, this field will be interpreted
as an empty buffer.
Example ^^^^^^^
Example of a signature that would alert if a packet has the LDAP distinguished name dc=example,dc=com:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN"; :example-rule-emphasis:ldap.responses.dn; content:"dc=example,dc=com"; sid:1;)
It is possible to use the keyword ldap.responses.operation in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
search result entry operation at index 1 on the responses array,
and contains the LDAP distinguished name dc=example,dc=com.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAPDN and operation"; :example-rule-emphasis:ldap.responses.operation:search_result_entry,1; ldap.responses.dn; content:"dc=example,dc=com"; sid:1;)
Suricata has a ldap.responses.result_code keyword that can be used in signatures to identify
and filter network packets based on their LDAP result code.
Syntax::
ldap.responses.result_code: code[,index];
ldap.responses.result_code uses :ref:unsigned 32-bit integer <rules-integer-keywords>.
ldap.responses.result_code is also a :ref:multi-integer <multi-integers>.
This keyword maps to the following eve fields:
ldap.responses[].bind_response.result_codeldap.responses[].search_result_done.result_codeldap.responses[].modify_response.result_codeldap.responses[].add_response.result_codeldap.responses[].del_response.result_codeldap.responses[].mod_dn_response.result_codeldap.responses[].compare_response.result_codeldap.responses[].extended_response.result_code.. table:: Result code values for ldap.responses.result_code
========= ================================================
Code Name
========= ================================================
0 success
1 operations_error
2 protocol_error
3 time_limit_exceeded
4 size_limit_exceeded
5 compare_false
6 compare_true
7 auth_method_not_supported
8 stronger_auth_required
10 referral
11 admin_limit_exceeded
12 unavailable_critical_extension
13 confidentiality_required
14 sasl_bind_in_progress
16 no_such_attribute
17 undefined_attribute_type
18 inappropriate_matching
19 constraint_violation
20 attribute_or_value_exists
21 invalid_attribute_syntax
32 no_such_object
33 alias_problem
34 invalid_dns_syntax
35 is_leaf
36 alias_dereferencing_problem
48 inappropriate_authentication
49 invalid_credentials
50 insufficient_access_rights
51 busy
52 unavailable
53 unwilling_to_perform
54 loop_detect
60 sort_control_missing
61 offset_range_error
64 naming_violation
65 object_class_violation
66 not_allowed_on_non_leaf
67 not_allowed_on_rdn
68 entry_already_exists
69 object_class_mods_prohibited
70 results_too_large
71 affects_multiple_dsas
76 control_error
80 other
81 server_down
82 local_error
83 encoding_error
84 decoding_error
85 timeout
86 auth_unknown
87 filter_error
88 user_canceled
89 param_error
90 no_memory
91 connect_error
92 not_supported
93 control_not_found
94 no_results_returned
95 more_results_to_return
96 client_loop
97 referral_limit_exceeded
100 invalid_response
101 ambiguous_response
112 tls_not_supported
113 intermediate_response
114 unknown_type
118 canceled
119 no_such_operation
120 too_late
121 cannot_cancel
122 assertion_failed
123 authorization_denied
4096 e_sync_refresh_required
16654 no_operation
========= ================================================
More information about LDAP result code values can be found here: https://ldap.com/ldap-result-code-reference/
An LDAP request operation can receive multiple responses. By default, the ldap.responses.result_code
keyword matches with any indices, but it is possible to specify a particular index for matching
and also use flags such as all and any.
.. table:: Index values for ldap.responses.result_code keyword
========= ================================================
Value Description
========= ================================================
[default] Match with any index
all Match only if all indexes match
any Match with any index
0>= Match specific index
0< Match specific index with back to front indexing
========= ================================================
Examples ^^^^^^^^
Example of signatures that would alert if the packet has a success LDAP result code at any index:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP result code"; :example-rule-emphasis:ldap.responses.result_code:0; sid:1;)
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP result code"; :example-rule-emphasis:ldap.responses.result_code:success,any; sid:1;)
Example of a signature that would alert if the packet has an unavailable LDAP result code at index 1:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP result code at index 1"; :example-rule-emphasis:ldap.responses.result_code:unavailable,1; sid:1;)
Example of a signature that would alert if all the responses have a success LDAP result code:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test all LDAP responses have success result code"; :example-rule-emphasis:ldap.responses.result_code:success,all; sid:1;)
The keyword ldap.responses.result_code supports back to front indexing with negative numbers,
this means that -1 will represent the last index, -2 the second to last index, and so on.
This is an example of a signature that would alert if a success result code is found at the last index:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP success at last index"; :example-rule-emphasis:ldap.responses.result_code:success,-1; sid:1;)
Matches on LDAP error messages from response operations.
Comparison is case-sensitive.
Syntax::
ldap.responses.message; content:"<content to match against>";
ldap.responses.message is a 'sticky buffer' and can be used as a fast_pattern.
ldap.responses.message supports multiple buffer matching, see :doc:multi-buffer-matching.
This keyword maps to the EVE fields:
ldap.responses[].bind_response.messageldap.responses[].search_result_done.messageldap.responses[].modify_response.messageldap.responses[].add_response.messageldap.responses[].del_response.messageldap.responses[].mod_dn_response.messageldap.responses[].compare_response.messageldap.responses[].extended_response.message.. note::
If a response within the array does not contain the
error message field, this field will be interpreted
as an empty buffer.
Example ^^^^^^^
Example of a signature that would alert if a packet has the LDAP error message Size limit exceeded:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test LDAP error message"; ldap.responses.message; content:"Size limit exceeded"; sid:1;)
Matches on LDAP attribute type from request operations.
Comparison is case-sensitive.
Syntax::
ldap.request.attribute_type; content:"<content to match against>";
ldap.request.attribute_type is a 'sticky buffer' and can be used as a fast_pattern.
ldap.request.attribute_type supports multiple buffer matching, see :doc:multi-buffer-matching.
This keyword maps to the EVE fields:
ldap.request.search_request.attributes[]ldap.request.modify_request.changes[].modification.attribute_typeldap.request.add_request.attributes[].nameldap.request.compare_request.attribute_value_assertion.descriptionExample ^^^^^^^
Example of a signature that would alert if a packet has the LDAP attribute type objectClass:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test attribute type"; :example-rule-emphasis:ldap.request.attribute_type; content:"objectClass"; sid:1;)
It is possible to use the keyword ldap.request.operation in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
add request operation and contains the LDAP attribute type
objectClass.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test attribute type and operation"; :example-rule-emphasis:ldap.request.operation:add_request; ldap.request.attribute_type; content:"objectClass"; sid:1;)
Matches on LDAP attribute type from response operations.
Comparison is case-sensitive.
Syntax::
ldap.responses.attribute_type; content:"<content to match against>";
ldap.responses.attribute_type is a 'sticky buffer' and can be used as a fast_pattern.
ldap.responses.attribute_type supports multiple buffer matching, see :doc:multi-buffer-matching.
This keyword maps to the EVE field ldap.responses[].search_result_entry.attributes[].type
Example ^^^^^^^
Example of a signature that would alert if a packet has the LDAP attribute type dc:
.. container:: example-rule
alert ldap any any -> any any (msg:"Test responses attribute type"; :example-rule-emphasis:ldap.responses.attribute_type; content:"dc"; sid:1;)
It is possible to use the keyword ldap.responses.operation in the same rule to
specify the operation to match.
Here is an example of a signature that would alert if a packet has an LDAP
search result entry operation at index 1 on the responses array,
and contains the LDAP attribute type dc.
.. container:: example-rule
alert ldap any any -> any any (msg:"Test attribute type and operation"; :example-rule-emphasis:ldap.responses.operation:search_result_entry,1; ldap.responses.attribute_type; content:"dc"; sid:1;)