-
Notifications
You must be signed in to change notification settings - Fork 91
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
detect: add test for ldap.request.operation
Ticket: #7453
- Loading branch information
1 parent
64e6515
commit 068193e
Showing
3 changed files
with
43 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| Test ldap.request.operation and ldap.response.operation keywords. | ||
|
|
||
| PCAP from ../ldap-search/ldap.pcap |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| alert tcp any any -> any any (msg:"Test LDAP search request number argument"; ldap.request.operation:3; sid:1;) | ||
| alert tcp any any -> any any (msg:"Test LDAP search request str argument"; ldap.request.operation:search_request; sid:2;) | ||
| alert tcp any any -> any any (msg:"Test LDAP search result entry"; ldap.responses.operation:search_result_entry; sid:3;) | ||
| alert tcp any any -> any any (msg:"Test LDAP search result done"; ldap.responses.operation:search_result_done; sid:4;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| pcap: ../ldap-search/ldap.pcap | ||
|
|
||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| pcap_cnt: 7 | ||
| ldap.request.operation: search_request | ||
| alert.signature_id: 1 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| pcap_cnt: 7 | ||
| ldap.request.operation: search_request | ||
| alert.signature_id: 2 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| pcap_cnt: 8 | ||
| ldap.responses[0].operation: search_result_entry | ||
| alert.signature_id: 3 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| ldap.responses[1].operation: search_result_done | ||
| alert.signature_id: 4 |