detect: add test for ldap.responses.attribute_type keyword 2430/head
authorAlice Akaki <akakialice@gmail.com>
Mon, 3 Mar 2025 15:45:14 +0000 (11:45 -0400)
committerVictor Julien <victor@inliniac.net>
Mon, 7 Apr 2025 20:04:24 +0000 (22:04 +0200)
Ticket: #7533

tests/detect-ldap-attribute/README.md
tests/detect-ldap-attribute/test.rules
tests/detect-ldap-attribute/test.yaml

index e824abd1a82deaf65b043b27cf8f639b9c4d6e51..434dbaeee5033d05c6f855d88df3551b0bbfb731 100644 (file)
@@ -1,4 +1,4 @@
-Test ldap.request.attribute_type keyword.
+Test ldap.request.attribute_type and ldap.responses.attribute_type keywords.
 
 PCAP from ../ldap-search/ldap.pcap
 
index d1d2853e3e24e4242a196c5197ab8007a9b27897..e0dce85adf56fd152eb29d56edfed239f8055d83 100644 (file)
@@ -1,2 +1,4 @@
 alert ldap any any -> any any (msg:"Test request attribute type"; ldap.request.attribute_type; content:"*"; startswith; endswith; sid:1;)
 alert ldap any any -> any any (msg:"Test request attribute type"; ldap.request.attribute_type; content:"+"; startswith; endswith; sid:2;)
+alert ldap any any -> any any (msg:"Test responses attribute type"; ldap.responses.attribute_type; content:"objectClass"; startswith; endswith; sid:3;)
+alert ldap any any -> any any (msg:"Test responses attribute type"; ldap.responses.attribute_type; content:"dc"; startswith; endswith; sid:4;)
\ No newline at end of file
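Review bot: The appended rules leave test.rules without a trailing newline, as the `\ No newline at end of file` marker on the new side shows; end the file with a newline after the sid:4 line. Both new signatures also share the message `"Test responses attribute type"`, so the two alerts can only be told apart by sid in the eve output; this mirrors sids 1 and 2, but distinct messages such as `msg:"Test responses attribute type objectClass"` and `msg:"Test responses attribute type dc"` would make a failing check easier to read.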
index d126cec12a379852418089c2dee278cd96493aeb..3463f396275e0d2a413a02b44e2c634097999dbb 100644 (file)
@@ -20,4 +20,18 @@ checks:
         event_type: alert
         ldap.request.operation: search_request
         ldap.request.search_request.attributes[1]: +
-        alert.signature_id: 2
\ No newline at end of file
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ldap.responses[0].operation: search_result_entry
+        ldap.responses[0].search_result_entry.attributes[0].type: objectClass
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ldap.responses[0].operation: search_result_entry
+        ldap.responses[0].search_result_entry.attributes[1].type: dc
+        alert.signature_id: 4
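Review bot: The two new filters only establish positive matches; nothing in the yaml shows that `ldap.responses.attribute_type` stays confined to the response side. A negative rule in test.rules, `alert ldap any any -> any any (msg:"Test responses attribute type no request match"; ldap.responses.attribute_type; content:"*"; startswith; endswith; sid:5;)`, paired here with a filter of `count: 0` on `alert.signature_id: 5`, would pin that, assuming no search_result_entry in the pcap carries an attribute literally named `*` (the request side does, per the existing sid:1 check). The `count: 1` matches keyed on `ldap.responses[0]...attributes[0].type` and `attributes[1].type` also assume the pcap holds exactly one matching search_result_entry with those attributes at indices 0 and 1; that presumably holds for ../ldap-search/ldap.pcap, but the dependency is worth stating in the README.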