--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Add operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x49\x02\x01\x02\x68\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";);
+default < (content:"\x30\x0c\x02\x01\x02\x69\x07\x0a\x01\x00\x04\x00\x04\x00";);
+
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: add_request
+ ldap.request.add_request.entry: dc=example,dc=com
+ ldap.request.add_request.attributes[0].name: objectClass
+ ldap.request.add_request.attributes[0].values[0]: top
+ ldap.request.add_request.attributes[0].values[1]: domain
+ ldap.request.add_request.attributes[1].name: dc
+ ldap.request.add_request.attributes[1].values[0]: example
+ ldap.responses[0].operation: add_response
+ ldap.responses[0].add_response.result_code: success
+ ldap.responses[0].add_response.matched_dn: ""
+ ldap.responses[0].add_response.message: ""
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Bind operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x16\x02\x01\x01\x60\x11\x02\x01\x03\x04\x00\xa3\x0a\x04\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";);
+default < (content:"\x30\x30\x02\x01\x01\x61\x2b\x0a\x01\x0e\x04\x00\x04\x00\x87\x22\x3c\x31\x30\x61\x31\x33\x63\x37\x62\x66\x37\x30\x38\x63\x61\x30\x66\x33\x39\x39\x63\x61\x39\x39\x65\x39\x32\x37\x64\x61\x38\x38\x62\x3e";);
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: ldap
+ ldap.request.message_id: 1
+
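Review bot: The match block of this test asserts only `event_type: ldap` and `ldap.request.message_id: 1`, so it would still pass if the bind request were misclassified or the response were dropped; every other test in this series pins the operation and the response fields. The .syn for this test carries a SASL bind (mechanism name CRAM-MD5 in the request) and a response whose result code byte is 0x0e, i.e. not plain success, which is exactly what a bind-parsing regression would get wrong and what a detection engineer cares about on port 389. I would add at least `pcap_cnt: 7`, `ldap.request.operation: bind_request` and `ldap.responses[0].operation: bind_response` (the operation names follow the add_request/add_response convention used elsewhere and should be confirmed against the logger), plus the response result_code once its logged spelling is known.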
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Compare operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x45\x02\x01\x02\x6e\x40\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x18\x04\x0c\x65\x6d\x70\x6c\x6f\x79\x65\x65\x54\x79\x70\x65\x04\x08\x73\x61\x6c\x61\x72\x69\x65\x64";);
+default <
+(content:"\x30\x0c\x02\x01\x02\x6f\x07\x0a\x01\x06\x04\x00\x04\x00";);
+
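Review bot: The server-side statement is split across two lines here (`default <` on one line, the `(content:...)` on the next), while the Add, Bind, Delete, Extended, Search and Unbind .syn files keep each statement on a single line; the ModifyDN and Modify .syn files have the same split. Since the README says the PCAP was generated and the test expects a response packet, flowsynth evidently accepted it, but the inconsistent layout makes the files harder to diff against each other and relies on a parser behaviour the other files do not. I would join it into `default < (content:"\x30\x0c\x02\x01\x02\x6f\x07\x0a\x01\x06\x04\x00\x04\x00";);` and do the same in the other two.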
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: compare_request
+ ldap.request.compare_request.entry: uid=jdoe,ou=People,dc=example,dc=com
+ ldap.request.compare_request.attribute_value_assertion.description: employeeType
+ ldap.request.compare_request.attribute_value_assertion.value: salaried
+ ldap.responses[0].operation: compare_response
+ ldap.responses[0].compare_response.result_code: "compare_true"
+ ldap.responses[0].compare_response.matched_dn: ""
+ ldap.responses[0].compare_response.message: ""
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Delete operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x29\x02\x01\x02\x4a\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d";);
+default < (content:"\x30\x0c\x02\x01\x02\x6b\x07\x0a\x01\x00\x04\x00\x04\x00";);
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: del_request
+ ldap.request.del_request.dn: uid=jdoe,ou=People,dc=example,dc=com
+ ldap.responses[0].operation: del_response
+ ldap.responses[0].del_response.result_code: "success"
+ ldap.responses[0].del_response.matched_dn: ""
+ ldap.responses[0].del_response.message: ""
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Extended operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";);
+default < (content:"\x30\x24\x02\x01\x01\x78\x1f\x0a\x01\x00\x04\x00\x04\x00\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";);
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 1
+ ldap.request.operation: extended_request
+ ldap.request.extended_request.name: 1.3.6.1.4.1.1466.20037
+ ldap.responses[0].operation: extended_response
+ ldap.responses[0].extended_response.result_code: "success"
+ ldap.responses[0].extended_response.matched_dn: ""
+ ldap.responses[0].extended_response.message: ""
+ ldap.responses[0].extended_response.name: 1.3.6.1.4.1.1466.20037
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP ModifyDN operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x3c\x02\x01\x02\x6c\x37\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x04\x0c\x75\x69\x64\x3d\x6a\x6f\x68\x6e\x2e\x64\x6f\x65\x01\x01\xff";);
+default <
+(content:"\x30\x0c\x02\x01\x02\x6d\x07\x0a\x01\x00\x04\x00\x04\x00";);
+
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: mod_dn_request
+ ldap.request.mod_dn_request.entry: uid=jdoe,ou=People,dc=example,dc=com
+ ldap.request.mod_dn_request.new_rdn: uid=john.doe
+ ldap.request.mod_dn_request.delete_old_rdn: true
+ ldap.responses[0].operation: mod_dn_response
+ ldap.responses[0].mod_dn_response.result_code: "success"
+ ldap.responses[0].mod_dn_response.matched_dn: ""
+ ldap.responses[0].mod_dn_response.message: ""
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Modify request is parsed and logged correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x81\x80\x02\x01\x02\x66\x7b\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x53\x30\x18\x0a\x01\x01\x30\x13\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x06\x04\x04\x4a\x6f\x68\x6e\x30\x1c\x0a\x01\x00\x30\x17\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x0a\x04\x08\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x30\x19\x0a\x01\x02\x30\x14\x04\x02\x63\x6e\x31\x0e\x04\x0c\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x20\x44\x6f\x65";);
+default <
+(content:"\x30\x0c\x02\x01\x02\x67\x07\x0a\x01\x00\x04\x00\x04\x00";);
+
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: modify_request
+ ldap.request.modify_request.object: uid=jdoe,ou=People,dc=example,dc=com
+ ldap.request.modify_request.changes[0].operation: delete
+ ldap.request.modify_request.changes[0].modification.attribute_type: givenName
+ ldap.request.modify_request.changes[0].modification.attribute_values[0]: John
+ ldap.request.modify_request.changes[1].operation: add
+ ldap.request.modify_request.changes[1].modification.attribute_type: givenName
+ ldap.request.modify_request.changes[1].modification.attribute_values[0]: Jonathan
+ ldap.request.modify_request.changes[2].operation: replace
+ ldap.request.modify_request.changes[2].modification.attribute_type: cn
+ ldap.request.modify_request.changes[2].modification.attribute_values[0]: Jonathan Doe
+ ldap.responses[0].modify_response.result_code: "success"
+ ldap.responses[0].modify_response.matched_dn: ""
+ ldap.responses[0].modify_response.message: ""
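Review bot: The response checks of this test never assert `ldap.responses[0].operation`, unlike the Compare, Delete, Extended and ModifyDN tests, which each pin `ldap.responses[0].operation: <op>_response` before the per-operation fields. Without it, a response decoded under the wrong operation tag but with matching result_code/matched_dn/message sub-keys would still pass. I would add `ldap.responses[0].operation: modify_response` (name inferred from the mod_dn_response convention; confirm against the logger) above the result_code line.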
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Search operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x56\x02\x01\x02\x63\x51\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x0a\x01\x02\x0a\x01\x00\x02\x02\x03\xe8\x02\x01\x1e\x01\x01\x00\xa0\x24\xa3\x15\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x04\x06\x70\x65\x72\x73\x6f\x6e\xa3\x0b\x04\x03\x75\x69\x64\x04\x04\x6a\x64\x6f\x65\x30\x06\x04\x01\x2a\x04\x01\x2b";);
+default < (content:"\x30\x49\x02\x01\x02\x64\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";);
+default < (content:"\x30\x0c\x02\x01\x02\x65\x07\x0a\x01\x00\x04\x00\x04\x00";);
+
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: search_request
+ ldap.request.search_request.base_object: dc=example,dc=com
+ ldap.request.search_request.scope: 2
+ ldap.request.search_request.deref_alias: 0
+ ldap.request.search_request.size_limit: 1000
+ ldap.request.search_request.time_limit: 30
+ ldap.request.search_request.types_only: false
+ ldap.request.search_request.attributes[0]: "*"
+ ldap.request.search_request.attributes[1]: +
+ ldap.responses[0].operation: search_result_entry
+ ldap.responses[0].search_result_entry.base_object: dc=example,dc=com
+ ldap.responses[0].search_result_entry.attributes[0].type: objectClass
+ ldap.responses[0].search_result_entry.attributes[0].values[0]: top
+ ldap.responses[0].search_result_entry.attributes[0].values[1]: domain
+ ldap.responses[0].search_result_entry.attributes[1].type: dc
+ ldap.responses[0].search_result_entry.attributes[1].values[0]: example
+ ldap.responses[1].operation: search_result_done
+ ldap.responses[1].search_result_done.result_code: success
+ ldap.responses[1].search_result_done.matched_dn: ""
+ ldap.responses[1].search_result_done.message: ""
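Review bot: The search request in the .syn carries a filter — an AND (0xa0) of two equality matches (0xa3), objectClass=person and uid=jdoe, readable from the bytes — but none of the match keys assert it, so the filter decoding, which is the part of a search request most likely to be attacker-controlled in practice, is untested. I would add an assertion on whichever key the logger emits for the filter once its representation is confirmed. This test also omits `pcap_cnt`, which every other test with a response pins; since the two server-side content lines may land in different packets, the correct value should be checked from the generated pcap before adding it.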
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Unbind operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x05\x02\x01\x03\x42\x00";);
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 5
+ event_type: ldap
+ ldap.request.message_id: 3
+ ldap.request.operation: unbind_request
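Review bot: The filter here counts only events that satisfy all of pcap_cnt, message_id and operation, so it does not establish that the unbind produced a single ldap event and no spurious response record, which is the property this one-directional test is best placed to pin. I would add a second filter with `count: 1` matching only `event_type: ldap`, so that any extra or malformed event logged for this flow fails the test.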
--- /dev/null
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
--- /dev/null
+# Test Purpose
+
+Test that LDAP Unsolicited message is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
--- /dev/null
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default < (content:"\x30\x49\x02\x01\x00\x78\x44\x0a\x01\x34\x04\x00\x04\x25\x54\x68\x65\x20\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x20\x53\x65\x72\x76\x65\x72\x20\x69\x73\x20\x73\x68\x75\x74\x74\x69\x6e\x67\x20\x64\x6f\x77\x6e\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x36";);
+
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+ - --set stream.midstream=true
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 2
+ event_type: ldap
+ ldap.responses[0].operation: extended_response
+ ldap.responses[0].message_id: 0
+ ldap.responses[0].extended_response.result_code: "unavailable"
+ ldap.responses[0].extended_response.matched_dn: ""
+ ldap.responses[0].extended_response.message: "The Directory Server is shutting down"
+ ldap.responses[0].extended_response.name: "1.3.6.1.4.1.1466.20036"