ldap: return empty buffer in ldap_tx_get_responses_dn

Funciton ldap_tx_get_responses_dn returns empty buffer in case
the response doesn't contain the distinguished name field

Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn")

diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst
index d33ae02a226e6c3bf03f939c1df0242e3688d491..1e76c99360c66e7068349c3d15db84353c215ab6 100644 (file)
--- a/doc/userguide/rules/ldap-keywords.rst
+++ b/doc/userguide/rules/ldap-keywords.rst
@@ -234,6 +234,12 @@ This keyword maps to the EVE fields:
    - ``ldap.responses[].compare_response.matched_dn``
    - ``ldap.responses[].extended_response.matched_dn``
 
+.. note::
+
+    If a response within the array does not contain the
+    distinguished name field, this field will be interpreted
+    as an empty buffer.
+
 Example
 ^^^^^^^
 

diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs
index ee5a081e5c5553d6b892f61f6b5d8b78ae1f660c..1e80c970fe2892924602d6f7303451aa5bd4cdf1 100644 (file)
--- a/rust/src/ldap/detect.rs
+++ b/rust/src/ldap/detect.rs
@@ -371,7 +371,9 @@ unsafe extern "C" fn ldap_tx_get_responses_dn(
         ProtocolOp::ModDnResponse(resp) => resp.matched_dn.0.as_str(),
         ProtocolOp::CompareResponse(resp) => resp.matched_dn.0.as_str(),
         ProtocolOp::ExtendedResponse(resp) => resp.result.matched_dn.0.as_str(),
-        _ => return false,
+        _ => "",
+        // This ensures that the iteration continues,
+        // allowing other responses in the transaction to be processed correctly
     };
 
     *buffer = str_buffer.as_ptr();