detect: add test for ldap.request.operation - draft v2

tests/detect-ldap-operation/README.md

@@ -0,0 +1,3 @@
+Test ldap.request.operation and ldap.response.operation keywords.
+
+PCAP from ../ldap-search/ldap.pcap

tests/detect-ldap-operation/eve.json

@@ -0,0 +1,7 @@
+{"timestamp":"2024-05-28T09:39:37.034492+0000","flow_id":420580139985346,"pcap_cnt":7,"event_type":"alert","src_ip":"1.1.1.1","src_port":5555,"dest_ip":"2.2.2.2","dest_port":389,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":1,"rev":0,"signature":"Test LDAP search request number argument","category":"","severity":3},"ldap":{"request":{"message_id":2,"operation":"search_request","search_request":{"base_object":"dc=example,dc=com","scope":2,"deref_alias":0,"size_limit":1000,"time_limit":30,"types_only":false,"attributes":["*","+"]}},"responses":[{"operation":"search_result_entry","search_result_entry":{"base_object":"dc=example,dc=com","attributes":[{"type":"objectClass","values":["top","domain"]},{"type":"dc","values":["example"]}]}}]},"app_proto":"ldap","direction":"to_server","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":304,"bytes_toclient":237,"start":"2024-05-28T09:39:37.032387+0000","src_ip":"1.1.1.1","dest_ip":"2.2.2.2","src_port":5555,"dest_port":389}}
+{"timestamp":"2024-05-28T09:39:37.034492+0000","flow_id":420580139985346,"pcap_cnt":7,"event_type":"alert","src_ip":"1.1.1.1","src_port":5555,"dest_ip":"2.2.2.2","dest_port":389,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2,"rev":0,"signature":"Test LDAP search request str argument","category":"","severity":3},"ldap":{"request":{"message_id":2,"operation":"search_request","search_request":{"base_object":"dc=example,dc=com","scope":2,"deref_alias":0,"size_limit":1000,"time_limit":30,"types_only":false,"attributes":["*","+"]}},"responses":[{"operation":"search_result_entry","search_result_entry":{"base_object":"dc=example,dc=com","attributes":[{"type":"objectClass","values":["top","domain"]},{"type":"dc","values":["example"]}]}}]},"app_proto":"ldap","direction":"to_server","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":304,"bytes_toclient":237,"start":"2024-05-28T09:39:37.032387+0000","src_ip":"1.1.1.1","dest_ip":"2.2.2.2","src_port":5555,"dest_port":389}}
+{"timestamp":"2024-05-28T09:39:37.034670+0000","flow_id":420580139985346,"pcap_cnt":8,"event_type":"alert","src_ip":"2.2.2.2","src_port":389,"dest_ip":"1.1.1.1","dest_port":5555,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":3,"rev":0,"signature":"Test LDAP search result entry","category":"","severity":3},"ldap":{"request":{"message_id":2,"operation":"search_request","search_request":{"base_object":"dc=example,dc=com","scope":2,"deref_alias":0,"size_limit":1000,"time_limit":30,"types_only":false,"attributes":["*","+"]}},"responses":[{"operation":"search_result_entry","search_result_entry":{"base_object":"dc=example,dc=com","attributes":[{"type":"objectClass","values":["top","domain"]},{"type":"dc","values":["example"]}]}}]},"app_proto":"ldap","direction":"to_client","flow":{"pkts_toserver":4,"pkts_toclient":4,"bytes_toserver":304,"bytes_toclient":305,"start":"2024-05-28T09:39:37.032387+0000","src_ip":"1.1.1.1","dest_ip":"2.2.2.2","src_port":5555,"dest_port":389}}
+{"timestamp":"2024-05-28T09:39:37.034870+0000","flow_id":420580139985346,"pcap_cnt":9,"event_type":"ldap","src_ip":"1.1.1.1","src_port":5555,"dest_ip":"2.2.2.2","dest_port":389,"proto":"TCP","pkt_src":"wire/pcap","ldap":{"request":{"message_id":2,"operation":"search_request","search_request":{"base_object":"dc=example,dc=com","scope":2,"deref_alias":0,"size_limit":1000,"time_limit":30,"types_only":false,"attributes":["*","+"]}},"responses":[{"operation":"search_result_entry","search_result_entry":{"base_object":"dc=example,dc=com","attributes":[{"type":"objectClass","values":["top","domain"]},{"type":"dc","values":["example"]}]}},{"operation":"search_result_done","search_result_done":{"result_code":"success","matched_dn":"","message":""}}]}}
+{"timestamp":"2024-05-28T09:39:37.032387+0000","flow_id":420580139985346,"event_type":"alert","src_ip":"2.2.2.2","src_port":389,"dest_ip":"1.1.1.1","dest_port":5555,"proto":"TCP","pkt_src":"stream (flow timeout)","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":4,"rev":0,"signature":"Test LDAP search result done","category":"","severity":3},"ldap":{"request":{"message_id":2,"operation":"search_request","search_request":{"base_object":"dc=example,dc=com","scope":2,"deref_alias":0,"size_limit":1000,"time_limit":30,"types_only":false,"attributes":["*","+"]}},"responses":[{"operation":"search_result_entry","search_result_entry":{"base_object":"dc=example,dc=com","attributes":[{"type":"objectClass","values":["top","domain"]},{"type":"dc","values":["example"]}]}},{"operation":"search_result_done","search_result_done":{"result_code":"success","matched_dn":"","message":""}}]},"app_proto":"ldap","direction":"to_client","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":358,"bytes_toclient":305,"start":"2024-05-28T09:39:37.032387+0000","src_ip":"1.1.1.1","dest_ip":"2.2.2.2","src_port":5555,"dest_port":389}}
+{"timestamp":"2024-05-28T09:39:37.032387+0000","flow_id":420580139985346,"event_type":"flow","src_ip":"1.1.1.1","src_port":5555,"dest_ip":"2.2.2.2","dest_port":389,"proto":"TCP","app_proto":"ldap","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":358,"bytes_toclient":305,"start":"2024-05-28T09:39:37.032387+0000","end":"2024-05-28T09:39:37.034870+0000","age":0,"state":"established","reason":"shutdown","alerted":true},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established","ts_max_regions":1,"tc_max_regions":1}}
+{"timestamp":"2025-01-02T22:07:23.813491+0000","event_type":"stats","stats":{"uptime":0,"decoder":{"pkts":9,"bytes":663,"invalid":0,"ipv4":9,"ipv6":0,"ethernet":9,"arp":0,"unknown_ethertype":0,"chdlc":0,"raw":0,"null":0,"sll":0,"tcp":9,"udp":0,"sctp":0,"esp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"geneve":0,"gre":0,"vlan":0,"vlan_qinq":0,"vlan_qinqinq":0,"vxlan":0,"vntag":0,"ieee8021ah":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":73,"max_pkt_size":142,"max_mac_addrs_src":0,"max_mac_addrs_dst":0,"erspan":0,"nsh":0,"event":{"ipv4":{"pkt_too_small":0,"hlen_too_small":0,"iplen_smaller_than_hlen":0,"trunc_pkt":0,"opt_invalid":0,"opt_invalid_len":0,"opt_malformed":0,"opt_pad_required":0,"opt_eol_required":0,"opt_duplicate":0,"opt_unknown":0,"wrong_ip_version":0,"icmpv6":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_ignored":0},"icmpv4":{"pkt_too_small":0,"unknown_type":0,"unknown_code":0,"ipv4_trunc_pkt":0,"ipv4_unknown_ver":0},"icmpv6":{"unknown_type":0,"unknown_code":0,"pkt_too_small":0,"ipv6_unknown_version":0,"ipv6_trunc_pkt":0,"mld_message_with_invalid_hl":0,"unassigned_type":0,"experimentation_type":0},"ipv6":{"pkt_too_small":0,"trunc_pkt":0,"trunc_exthdr":0,"exthdr_dupl_fh":0,"exthdr_useless_fh":0,"exthdr_dupl_rh":0,"exthdr_dupl_hh":0,"exthdr_dupl_dh":0,"exthdr_dupl_ah":0,"exthdr_dupl_eh":0,"exthdr_invalid_optlen":0,"wrong_ip_version":0,"exthdr_ah_res_not_null":0,"hopopts_unknown_opt":0,"hopopts_only_padding":0,"dstopts_unknown_opt":0,"dstopts_only_padding":0,"rh_type_0":0,"zero_len_padn":0,"fh_non_zero_reserved_field":0,"data_after_none_header":0,"unknown_next_header":0,"icmpv4":0,"frag_pkt_too_large":0,"frag_overlap":0,"frag_invalid_length":0,"frag_ignored":0,"ipv4_in_ipv6_too_small":0,"ipv4_in_ipv6_wrong_version":0,"ipv6_in_ipv6_too_small":0,"ipv6_in_ipv6_wrong_version":0},"tcp":{"pkt_too_small":0,"hlen_too_small":0,"invalid_optlen":0,"opt_invalid_len":0,"opt_duplicate":0},"udp":{"pkt_too_small":0,"hlen_too_small":0,"hlen_invalid":0,"len_invalid":0},"sll":{"pkt_too_small":0},"ethernet":{"pkt_too_small":0},"ppp":{"pkt_too_small":0,"vju_pkt_too_small":0,"ip4_pkt_too_small":0,"ip6_pkt_too_small":0,"wrong_type":0,"unsup_proto":0},"pppoe":{"pkt_too_small":0,"wrong_code":0,"malformed_tags":0},"gre":{"pkt_too_small":0,"wrong_version":0,"version0_recur":0,"version0_flags":0,"version0_hdr_too_big":0,"version0_malformed_sre_hdr":0,"version1_chksum":0,"version1_route":0,"version1_ssr":0,"version1_recur":0,"version1_flags":0,"version1_no_key":0,"version1_wrong_protocol":0,"version1_malformed_sre_hdr":0,"version1_hdr_too_big":0},"vlan":{"header_too_small":0,"unknown_type":0,"too_many_layers":0},"ieee8021ah":{"header_too_small":0},"vntag":{"header_too_small":0,"unknown_type":0},"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"sctp":{"pkt_too_small":0},"esp":{"pkt_too_small":0},"mpls":{"header_too_small":0,"pkt_too_small":0,"bad_label_router_alert":0,"bad_label_implicit_null":0,"bad_label_reserved":0,"unknown_payload_type":0},"vxlan":{"unknown_payload_type":0},"geneve":{"unknown_payload_type":0},"erspan":{"header_too_small":0,"unsupported_version":0,"too_many_vlan_layers":0},"dce":{"pkt_too_small":0},"chdlc":{"pkt_too_small":0},"nsh":{"header_too_small":0,"unsupported_version":0,"bad_header_length":0,"reserved_type":0,"unsupported_type":0,"unknown_payload":0}},"too_many_layers":0},"tcp":{"syn":1,"synack":1,"rst":0,"urg":0,"active_sessions":0,"sessions":1,"ssn_memcap_drop":0,"ssn_from_cache":0,"ssn_from_pool":1,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"midstream_pickups":0,"pkt_on_wrong_thread":0,"ack_unseen_data":0,"segment_memcap_drop":0,"segment_from_cache":1,"segment_from_pool":2,"stream_depth_reached":0,"reassembly_gap":0,"overlap":0,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"urgent_oob_data":0,"memuse":9961472,"reassembly_memuse":1835008},"flow":{"memcap":0,"total":1,"active":0,"tcp":1,"udp":0,"icmpv4":0,"icmpv6":0,"tcp_reuse":0,"get_used":0,"get_used_eval":0,"get_used_eval_reject":0,"get_used_eval_busy":0,"get_used_failed":0,"wrk":{"spare_sync_avg":100,"spare_sync":1,"spare_sync_incomplete":0,"spare_sync_empty":0,"flows_evicted_needs_work":1,"flows_evicted_pkt_inject":2,"flows_evicted":0,"flows_injected":1,"flows_injected_max":0},"end":{"state":{"new":0,"established":1,"closed":0,"local_bypassed":0,"capture_bypassed":0},"tcp_state":{"none":0,"syn_sent":0,"syn_recv":0,"established":1,"fin_wait1":0,"fin_wait2":0,"time_wait":0,"last_ack":0,"close_wait":0,"closing":0,"closed":0},"tcp_liberal":0},"mgr":{"full_hash_pass":0,"rows_per_sec":9175,"rows_maxlen":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_evicted":0,"flows_evicted_needs_work":0},"spare":9900,"emerg_mode_entered":0,"emerg_mode_over":0,"recycler":{"recycled":0,"queue_avg":0,"queue_max":0},"memuse":7154304},"defrag":{"ipv4":{"fragments":0,"reassembled":0},"ipv6":{"fragments":0,"reassembled":0},"max_trackers_reached":0,"max_frags_reached":0,"tracker_soft_reuse":0,"tracker_hard_reuse":0,"wrk":{"tracker_timeout":0},"mgr":{"tracker_timeout":0},"memuse":33554432},"flow_bypassed":{"local_pkts":0,"local_bytes":0,"local_capture_pkts":0,"local_capture_bytes":0,"closed":0,"pkts":0,"bytes":0},"detect":{"engines":[{"id":0,"last_reload":"2025-01-02T22:07:23.724260+0000","rules_loaded":4,"rules_failed":0,"rules_skipped":0}],"alert":4,"alert_queue_overflow":0,"alerts_suppressed":0,"lua":{"errors":0,"blocked_function_errors":0,"instruction_limit_errors":0,"memory_limit_errors":0}},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ike":0,"krb5_tcp":0,"quic":0,"dhcp":0,"snmp":0,"sip_tcp":0,"rfb":0,"mqtt":0,"telnet":0,"websocket":0,"ldap_tcp":1,"doh2":0,"rdp":0,"http2":0,"bittorrent-dht":0,"pop3":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"krb5_udp":0,"sip_udp":0,"ldap_udp":0,"failed_udp":0},"tx":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"nfs_tcp":0,"ntp":0,"ftp-data":0,"tftp":0,"ike":0,"krb5_tcp":0,"quic":0,"dhcp":0,"snmp":0,"sip_tcp":0,"rfb":0,"mqtt":0,"telnet":0,"websocket":0,"ldap_tcp":1,"doh2":0,"rdp":0,"http2":0,"bittorrent-dht":0,"pop3":0,"dcerpc_udp":0,"dns_udp":0,"nfs_udp":0,"krb5_udp":0,"sip_udp":0,"ldap_udp":0},"error":{"http":{"gap":0,"alloc":0,"parser":0,"internal":0},"ftp":{"gap":0,"alloc":0,"parser":0,"internal":0},"smtp":{"gap":0,"alloc":0,"parser":0,"internal":0},"tls":{"gap":0,"alloc":0,"parser":0,"internal":0},"ssh":{"gap":0,"alloc":0,"parser":0,"internal":0},"imap":{"gap":0,"alloc":0,"parser":0,"internal":0},"smb":{"gap":0,"alloc":0,"parser":0,"internal":0},"dcerpc_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"dns_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"nfs_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"ntp":{"gap":0,"alloc":0,"parser":0,"internal":0},"ftp-data":{"gap":0,"alloc":0,"parser":0,"internal":0},"tftp":{"gap":0,"alloc":0,"parser":0,"internal":0},"ike":{"gap":0,"alloc":0,"parser":0,"internal":0},"krb5_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"quic":{"gap":0,"alloc":0,"parser":0,"internal":0},"dhcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"snmp":{"gap":0,"alloc":0,"parser":0,"internal":0},"sip_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"rfb":{"gap":0,"alloc":0,"parser":0,"internal":0},"mqtt":{"gap":0,"alloc":0,"parser":0,"internal":0},"telnet":{"gap":0,"alloc":0,"parser":0,"internal":0},"websocket":{"gap":0,"alloc":0,"parser":0,"internal":0},"ldap_tcp":{"gap":0,"alloc":0,"parser":0,"internal":0},"doh2":{"gap":0,"alloc":0,"parser":0,"internal":0},"rdp":{"gap":0,"alloc":0,"parser":0,"internal":0},"http2":{"gap":0,"alloc":0,"parser":0,"internal":0},"bittorrent-dht":{"gap":0,"alloc":0,"parser":0,"internal":0},"pop3":{"gap":0,"alloc":0,"parser":0,"internal":0},"failed_tcp":{"gap":0},"dcerpc_udp":{"alloc":0,"parser":0,"internal":0},"dns_udp":{"alloc":0,"parser":0,"internal":0},"nfs_udp":{"alloc":0,"parser":0,"internal":0},"krb5_udp":{"alloc":0,"parser":0,"internal":0},"sip_udp":{"alloc":0,"parser":0,"internal":0},"ldap_udp":{"alloc":0,"parser":0,"internal":0}},"expectations":0},"memcap":{"pressure":14,"pressure_max":14},"http":{"memuse":0,"memcap":0,"byterange":{"memuse":168384,"memcap":104857600}},"ftp":{"memuse":0,"memcap":0},"ippair":{"memuse":398144,"memcap":398144},"host":{"memuse":382144,"memcap":33554432},"file_store":{"open_files":0}}}

tests/detect-ldap-operation/test.rules

@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"Test LDAP search request number argument"; ldap.request.operation:3; sid:1;)
+alert tcp any any -> any any (msg:"Test LDAP search request str argument"; ldap.request.operation:search_request; sid:2;)
+alert tcp any any -> any any (msg:"Test LDAP search result entry"; ldap.responses.operation:search_result_entry; sid:3;)
+alert tcp any any -> any any (msg:"Test LDAP search result done"; ldap.responses.operation:search_result_done; sid:4;)

tests/detect-ldap-operation/test.yaml

@@ -0,0 +1,36 @@
+requires:
+  min-version: 8
+
+pcap: ../ldap-search/ldap.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 7
+        ldap.request.operation: search_request
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 7
+        ldap.request.operation: search_request
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        ldap.responses[0].operation: search_result_entry
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ldap.responses[1].operation: search_result_done
+        alert.signature_id: 4