detect: add ldap.request.option keyword - v1 #12321
Conversation
ldap.request.operation matches on Lightweight Directory Access Protocol request operations It is an unsigned 8-bit integer Doesn't support prefiltering Ticket: OISF#7453
AkakiAlice
requested review from
jasonish,
jufajardini and
victorjulien
as code owners
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12321 +/- ##
==========================================
- Coverage 83.26% 83.24% -0.03%
==========================================
Files 912 913 +1
Lines 257643 257717 +74
==========================================
+ Hits 214521 214528 +7
- Misses 43122 43189 +67
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
|
||
| Syntax:: | ||
|
|
||
| ldap.request.operation: operation; |
There was a problem hiding this comment.
Looking good from a brief overview! Would like other opinions on the name of the keyword. This looks good to me but perhaps too long?
There was a problem hiding this comment.
For info, this name comes from json schema
|
|
|
Please put the full clickable link to redmine ticket https://redmine.openinfosecfoundation.org/issues/7453 ;-) |
|
|
||
| .. table:: **Operation values for ldap.request.operation keyword** | ||
|
|
||
| ==== ================================================ |
There was a problem hiding this comment.
When you implement ldap.response.operation, the same table should be used for both
There was a problem hiding this comment.
Following up on what was commented during today's call: I suggest that we move this table to a subsection within LDAP Keywords could be titled LDAP Request and Response operations, and then in each section we can refer to the table/ link to it.
| ProtocolOp::ModDnRequest(_) => 12, | ||
| ProtocolOp::ModDnResponse(_) => 13, | ||
| ProtocolOp::CompareRequest(_) => 14, | ||
| ProtocolOp::CompareResponse(_) => 15, |
There was a problem hiding this comment.
Do you know why is there a hole for 16, 17... ?
Maybe something that was implement in LDAP v1 and is obsolete in LDAP v3 but we should still recognize ?
There was a problem hiding this comment.
I didn't find anything about 17, 16 refers to the option AbandonRequest that is present in etc/schema.json as abandon_request but I didn't see this option in the code
There was a problem hiding this comment.
https://metacpan.org/release/GBARR/perl-ldap-0.13/view/lib/Net/LDAP/BER.pod#REQ_EXTEND says application 17 is req extend 🤔
There was a problem hiding this comment.
So, only 16 seems missing cf ldap_ProtocolOp_vals in Wireshark source code
There was a problem hiding this comment.
So, we need only to add support for 16 = AbandonRequest
That means
- Create a ticket about it
- Create a SV test with a ldap abandon request pcap (with detection support)
- upgrading ldap-parser crate to 0.4.1 in Cargo.toml.in (dedicated commit) cf https://github.com/rusticata/ldap-parser/blob/master/CHANGELOG.md#041 (recompile +
mv Cargo.lock Cargo.lock.in) - Then fix uses of abandon cf `git grep -i abandon rust/src/ldap/
- Add support for detection
There was a problem hiding this comment.
And for AbandonRequest (and other cases not handled by match &response.protocol_op { in logger.rs ) we should log something, and we can use he functionality offered by EnumStringU8
It would be nice if the switch cases were complete...
| ProtocolOp::ExtendedRequest(_) => 23, | ||
| ProtocolOp::ExtendedResponse(_) => 24, | ||
| ProtocolOp::IntermediateResponse(_) => 25, | ||
| ProtocolOp::Unknown => 255, |
There was a problem hiding this comment.
This is not ideal
There should be some documentation at least
Or even better, we should have ProtocolOp::Unknown(u) => u.opcode, but this may require big changes...
There was a problem hiding this comment.
Is there any example that I could follow to implement ProtocolOp::Unknown(u) => u.opcode,?
There was a problem hiding this comment.
No example, this requires code investigation, and maybe big changes...
There was a problem hiding this comment.
Your version should create no unknown (ProtocolOp::Unknown will no longer exist)
And you should document that we are not able to match on some unknown ldap operation like 17.
Maybe we should have a ticket + SV test for it, but let's not bother with this first...
| @@ -300,6 +300,34 @@ pub enum ProtocolOp { | |||
| Unknown, | |||
| } | |||
|
|
|||
| impl ProtocolOp { | |||
There was a problem hiding this comment.
@jasonish what do you think about this rust code that works ?
| G_LDAP_REQUEST_OPERATION_BUFFER_ID = DetectHelperBufferRegister( | ||
| b"ldap.request.operation\0".as_ptr() as *const libc::c_char, | ||
| ALPROTO_LDAP, | ||
| false, |
There was a problem hiding this comment.
Please comment meaning of these true/false values
| } | ||
| let ctx = rs_detect_u8_parse(raw) as *mut c_void; | ||
| if ctx.is_null() { | ||
| return -1; |
There was a problem hiding this comment.
You can implement a protocol_op from_str and call it there if rs_detect_u8_parse fails
Should I send ldap.response.operation and ldap.request.operation in the same PR (as they are on the same ticket)? |
|
Yes one PR for ldap |
|
Replaced by #12343 right ? |
Ticket: #7453
Contribution style:
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
Our Contribution agreements:
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Changes (if applicable):
(including schema descriptions)
https://redmine.openinfosecfoundation.org/projects/suricata/issues
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7453
Description:
ldap.rs
static muttopub(super) static mutso I can use ALPROTO_LDAP on file ldap/detect.rsmod.rs
detecttypes.rs
detect-engine-register.c
ScDetectLdapRegister()detect.rs
ldap-keywords.rst
index.rst
ldap-keywordsSV_BRANCH=OISF/suricata-verify#2206