From: Giuseppe Longo Date: Tue, 28 May 2024 09:57:45 +0000 (+0200) Subject: ldap: add tests X-Git-Tag: suricata-7.0.7~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1982%2Fhead;p=thirdparty%2Fsuricata-verify.git ldap: add tests --- diff --git a/tests/ldap-add/Makefile b/tests/ldap-add/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-add/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-add/README.md b/tests/ldap-add/README.md new file mode 100644 index 000000000..28f185b55 --- /dev/null +++ b/tests/ldap-add/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Add operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-add/ldap.pcap b/tests/ldap-add/ldap.pcap new file mode 100644 index 000000000..fea935fb8 Binary files /dev/null and b/tests/ldap-add/ldap.pcap differ diff --git a/tests/ldap-add/ldap.syn b/tests/ldap-add/ldap.syn new file mode 100644 index 000000000..daf7aeb85 --- /dev/null +++ b/tests/ldap-add/ldap.syn @@ -0,0 +1,4 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x49\x02\x01\x02\x68\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";); +default < (content:"\x30\x0c\x02\x01\x02\x69\x07\x0a\x01\x00\x04\x00\x04\x00";); + diff --git a/tests/ldap-add/test.yaml b/tests/ldap-add/test.yaml new file mode 100644 index 000000000..10bc646ab --- /dev/null +++ b/tests/ldap-add/test.yaml 
@@ -0,0 +1,26 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: add_request + ldap.request.add_request.entry: dc=example,dc=com + ldap.request.add_request.attributes[0].name: objectClass + ldap.request.add_request.attributes[0].values[0]: top + ldap.request.add_request.attributes[0].values[1]: domain + ldap.request.add_request.attributes[1].name: dc + ldap.request.add_request.attributes[1].values[0]: example + ldap.responses[0].operation: add_response + ldap.responses[0].add_response.result_code: success + ldap.responses[0].add_response.matched_dn: "" + ldap.responses[0].add_response.message: "" diff --git a/tests/ldap-bind/Makefile b/tests/ldap-bind/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-bind/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-bind/README.md b/tests/ldap-bind/README.md new file mode 100644 index 000000000..72918e738 --- /dev/null +++ b/tests/ldap-bind/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Bind operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-bind/ldap.pcap b/tests/ldap-bind/ldap.pcap new file mode 100644 index 000000000..1c84a11d0 Binary files /dev/null and b/tests/ldap-bind/ldap.pcap differ diff --git a/tests/ldap-bind/ldap.syn b/tests/ldap-bind/ldap.syn new file mode 100644 index 000000000..192f6df2b --- /dev/null +++ b/tests/ldap-bind/ldap.syn 
@@ -0,0 +1,3 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x16\x02\x01\x01\x60\x11\x02\x01\x03\x04\x00\xa3\x0a\x04\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";); +default < (content:"\x30\x30\x02\x01\x01\x61\x2b\x0a\x01\x0e\x04\x00\x04\x00\x87\x22\x3c\x31\x30\x61\x31\x33\x63\x37\x62\x66\x37\x30\x38\x63\x61\x30\x66\x33\x39\x39\x63\x61\x39\x39\x65\x39\x32\x37\x64\x61\x38\x38\x62\x3e";); diff --git a/tests/ldap-bind/test.yaml b/tests/ldap-bind/test.yaml new file mode 100644 index 000000000..0ea814fe1 --- /dev/null +++ b/tests/ldap-bind/test.yaml @@ -0,0 +1,15 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + event_type: ldap + ldap.request.message_id: 1 + diff --git a/tests/ldap-compare/Makefile b/tests/ldap-compare/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-compare/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-compare/README.md b/tests/ldap-compare/README.md new file mode 100644 index 000000000..95caae1e3 --- /dev/null +++ b/tests/ldap-compare/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Compare operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-compare/ldap.pcap b/tests/ldap-compare/ldap.pcap new file mode 100644 index 000000000..4de2b66d0 Binary files /dev/null and b/tests/ldap-compare/ldap.pcap differ diff --git a/tests/ldap-compare/ldap.syn b/tests/ldap-compare/ldap.syn new file mode 100644 index 000000000..eca1db29a --- /dev/null +++ b/tests/ldap-compare/ldap.syn 
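Review bot: The ldap-bind check in test.yaml asserts only `event_type: ldap` and `ldap.request.message_id: 1`, so it still passes if the bind operation or its response is mis-parsed or not logged at all, whereas every other test in this series pins the operation and the response fields. The flowsynth exchange in ldap.syn is a SASL bind (mechanism `CRAM-MD5`) answered with result code 14 (saslBindInProgress) plus server SASL credentials, so the check should at least add `ldap.request.operation: bind_request` and `ldap.responses[0].operation: bind_response`, and ideally the response result code and a `pcap_cnt` filter as the sibling tests do. If the parser does not yet log the bind-specific fields, a short comment in the YAML saying so would explain why this test is deliberately weaker.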
@@ -0,0 +1,5 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x45\x02\x01\x02\x6e\x40\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x18\x04\x0c\x65\x6d\x70\x6c\x6f\x79\x65\x65\x54\x79\x70\x65\x04\x08\x73\x61\x6c\x61\x72\x69\x65\x64";); +default < +(content:"\x30\x0c\x02\x01\x02\x6f\x07\x0a\x01\x06\x04\x00\x04\x00";); + diff --git a/tests/ldap-compare/test.yaml b/tests/ldap-compare/test.yaml new file mode 100644 index 000000000..7928e7fc4 --- /dev/null +++ b/tests/ldap-compare/test.yaml @@ -0,0 +1,23 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: compare_request + ldap.request.compare_request.entry: uid=jdoe,ou=People,dc=example,dc=com + ldap.request.compare_request.attribute_value_assertion.description: employeeType + ldap.request.compare_request.attribute_value_assertion.value: salaried + ldap.responses[0].operation: compare_response + ldap.responses[0].compare_response.result_code: "compare_true" + ldap.responses[0].compare_response.matched_dn: "" + ldap.responses[0].compare_response.message: "" diff --git a/tests/ldap-delete/Makefile b/tests/ldap-delete/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-delete/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-delete/README.md b/tests/ldap-delete/README.md new file mode 100644 index 000000000..9b39b0c15 --- /dev/null +++ b/tests/ldap-delete/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Delete operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. 
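Review bot: `ldap.responses[0].compare_response.result_code` is written as the quoted string `"compare_true"` while ldap-add writes the same key bare as `success`; ldap-delete, ldap-extended, ldap-modify-dn and ldap-modify quote it too and ldap-search does not. Both spellings load as the same YAML string, so this is purely style, but one convention across the series (bare, as every other operation and entry value in these files is written) would keep the tests uniform and easier to diff against each other.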
diff --git a/tests/ldap-delete/ldap.pcap b/tests/ldap-delete/ldap.pcap new file mode 100644 index 000000000..b4018d7d9 Binary files /dev/null and b/tests/ldap-delete/ldap.pcap differ diff --git a/tests/ldap-delete/ldap.syn b/tests/ldap-delete/ldap.syn new file mode 100644 index 000000000..41a30734a --- /dev/null +++ b/tests/ldap-delete/ldap.syn @@ -0,0 +1,3 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x29\x02\x01\x02\x4a\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d";); +default < (content:"\x30\x0c\x02\x01\x02\x6b\x07\x0a\x01\x00\x04\x00\x04\x00";); diff --git a/tests/ldap-delete/test.yaml b/tests/ldap-delete/test.yaml new file mode 100644 index 000000000..415be8d74 --- /dev/null +++ b/tests/ldap-delete/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: del_request + ldap.request.del_request.dn: uid=jdoe,ou=People,dc=example,dc=com + ldap.responses[0].operation: del_response + ldap.responses[0].del_response.result_code: "success" + ldap.responses[0].del_response.matched_dn: "" + ldap.responses[0].del_response.message: "" diff --git a/tests/ldap-extended/Makefile b/tests/ldap-extended/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-extended/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-extended/README.md b/tests/ldap-extended/README.md new file mode 100644 index 000000000..e2e8c934a --- /dev/null +++ b/tests/ldap-extended/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Extended operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. 
diff --git a/tests/ldap-extended/ldap.pcap b/tests/ldap-extended/ldap.pcap new file mode 100644 index 000000000..50067b2fb Binary files /dev/null and b/tests/ldap-extended/ldap.pcap differ diff --git a/tests/ldap-extended/ldap.syn b/tests/ldap-extended/ldap.syn new file mode 100644 index 000000000..f988f782e --- /dev/null +++ b/tests/ldap-extended/ldap.syn @@ -0,0 +1,3 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";); +default < (content:"\x30\x24\x02\x01\x01\x78\x1f\x0a\x01\x00\x04\x00\x04\x00\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";); diff --git a/tests/ldap-extended/test.yaml b/tests/ldap-extended/test.yaml new file mode 100644 index 000000000..99bf35dc2 --- /dev/null +++ b/tests/ldap-extended/test.yaml @@ -0,0 +1,22 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 1 + ldap.request.operation: extended_request + ldap.request.extended_request.name: 1.3.6.1.4.1.1466.20037 + ldap.responses[0].operation: extended_response + ldap.responses[0].extended_response.result_code: "success" + ldap.responses[0].extended_response.matched_dn: "" + ldap.responses[0].extended_response.message: "" + ldap.responses[0].extended_response.name: 1.3.6.1.4.1.1466.20037 diff --git a/tests/ldap-modify-dn/Makefile b/tests/ldap-modify-dn/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-modify-dn/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-modify-dn/README.md b/tests/ldap-modify-dn/README.md new file mode 100644 index 000000000..4177d52da --- /dev/null +++ b/tests/ldap-modify-dn/README.md 
@@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP ModifyDN operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-modify-dn/ldap.pcap b/tests/ldap-modify-dn/ldap.pcap new file mode 100644 index 000000000..8048de815 Binary files /dev/null and b/tests/ldap-modify-dn/ldap.pcap differ diff --git a/tests/ldap-modify-dn/ldap.syn b/tests/ldap-modify-dn/ldap.syn new file mode 100644 index 000000000..93f0c04eb --- /dev/null +++ b/tests/ldap-modify-dn/ldap.syn @@ -0,0 +1,5 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x3c\x02\x01\x02\x6c\x37\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x04\x0c\x75\x69\x64\x3d\x6a\x6f\x68\x6e\x2e\x64\x6f\x65\x01\x01\xff";); +default < +(content:"\x30\x0c\x02\x01\x02\x6d\x07\x0a\x01\x00\x04\x00\x04\x00";); + diff --git a/tests/ldap-modify-dn/test.yaml b/tests/ldap-modify-dn/test.yaml new file mode 100644 index 000000000..567eef2c8 --- /dev/null +++ b/tests/ldap-modify-dn/test.yaml @@ -0,0 +1,23 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: mod_dn_request + ldap.request.mod_dn_request.entry: uid=jdoe,ou=People,dc=example,dc=com + ldap.request.mod_dn_request.new_rdn: uid=john.doe + ldap.request.mod_dn_request.delete_old_rdn: true + ldap.responses[0].operation: mod_dn_response + ldap.responses[0].mod_dn_response.result_code: "success" + ldap.responses[0].mod_dn_response.matched_dn: "" + ldap.responses[0].mod_dn_response.message: "" diff --git a/tests/ldap-modify/Makefile b/tests/ldap-modify/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-modify/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + 
diff --git a/tests/ldap-modify/README.md b/tests/ldap-modify/README.md new file mode 100644 index 000000000..484d194cc --- /dev/null +++ b/tests/ldap-modify/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Modify request is parsed and logged correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-modify/ldap.pcap b/tests/ldap-modify/ldap.pcap new file mode 100644 index 000000000..0772435ab Binary files /dev/null and b/tests/ldap-modify/ldap.pcap differ diff --git a/tests/ldap-modify/ldap.syn b/tests/ldap-modify/ldap.syn new file mode 100644 index 000000000..e8de55f43 --- /dev/null +++ b/tests/ldap-modify/ldap.syn @@ -0,0 +1,5 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x81\x80\x02\x01\x02\x66\x7b\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x53\x30\x18\x0a\x01\x01\x30\x13\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x06\x04\x04\x4a\x6f\x68\x6e\x30\x1c\x0a\x01\x00\x30\x17\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x0a\x04\x08\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x30\x19\x0a\x01\x02\x30\x14\x04\x02\x63\x6e\x31\x0e\x04\x0c\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x20\x44\x6f\x65";); +default < +(content:"\x30\x0c\x02\x01\x02\x67\x07\x0a\x01\x00\x04\x00\x04\x00";); + diff --git a/tests/ldap-modify/test.yaml b/tests/ldap-modify/test.yaml new file mode 100644 index 000000000..8a8cdec20 --- /dev/null +++ b/tests/ldap-modify/test.yaml 
@@ -0,0 +1,29 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: modify_request + ldap.request.modify_request.object: uid=jdoe,ou=People,dc=example,dc=com + ldap.request.modify_request.changes[0].operation: delete + ldap.request.modify_request.changes[0].modification.attribute_type: givenName + ldap.request.modify_request.changes[0].modification.attribute_values[0]: John + ldap.request.modify_request.changes[1].operation: add + ldap.request.modify_request.changes[1].modification.attribute_type: givenName + ldap.request.modify_request.changes[1].modification.attribute_values[0]: Jonathan + ldap.request.modify_request.changes[2].operation: replace + ldap.request.modify_request.changes[2].modification.attribute_type: cn + ldap.request.modify_request.changes[2].modification.attribute_values[0]: Jonathan Doe + ldap.responses[0].modify_response.result_code: "success" + ldap.responses[0].modify_response.matched_dn: "" + ldap.responses[0].modify_response.message: "" diff --git a/tests/ldap-search/Makefile b/tests/ldap-search/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-search/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-search/README.md b/tests/ldap-search/README.md new file mode 100644 index 000000000..5c58b4e75 --- /dev/null +++ b/tests/ldap-search/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Search operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-search/ldap.pcap b/tests/ldap-search/ldap.pcap new file mode 100644 index 000000000..485d4cd07 Binary files /dev/null and b/tests/ldap-search/ldap.pcap differ diff --git a/tests/ldap-search/ldap.syn b/tests/ldap-search/ldap.syn new file mode 100644 index 000000000..046f379b4 --- /dev/null 
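Review bot: The ldap-modify check omits `ldap.responses[0].operation: modify_response`, while every sibling test (add, compare, delete, extended, modify-dn) asserts the response operation next to its result fields; as written, a response logged under the wrong operation tag but with the same result code, matched DN and message would still pass. Add `ldap.responses[0].operation: modify_response` immediately before the `modify_response.result_code` line.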
+++ b/tests/ldap-search/ldap.syn @@ -0,0 +1,5 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x56\x02\x01\x02\x63\x51\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x0a\x01\x02\x0a\x01\x00\x02\x02\x03\xe8\x02\x01\x1e\x01\x01\x00\xa0\x24\xa3\x15\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x04\x06\x70\x65\x72\x73\x6f\x6e\xa3\x0b\x04\x03\x75\x69\x64\x04\x04\x6a\x64\x6f\x65\x30\x06\x04\x01\x2a\x04\x01\x2b";); +default < (content:"\x30\x49\x02\x01\x02\x64\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";); +default < (content:"\x30\x0c\x02\x01\x02\x65\x07\x0a\x01\x00\x04\x00\x04\x00";); + diff --git a/tests/ldap-search/test.yaml b/tests/ldap-search/test.yaml new file mode 100644 index 000000000..44d476239 --- /dev/null +++ b/tests/ldap-search/test.yaml 
@@ -0,0 +1,34 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: search_request + ldap.request.search_request.base_object: dc=example,dc=com + ldap.request.search_request.scope: 2 + ldap.request.search_request.deref_alias: 0 + ldap.request.search_request.size_limit: 1000 + ldap.request.search_request.time_limit: 30 + ldap.request.search_request.types_only: false + ldap.request.search_request.attributes[0]: "*" + ldap.request.search_request.attributes[1]: + + ldap.responses[0].operation: search_result_entry + ldap.responses[0].search_result_entry.base_object: dc=example,dc=com + ldap.responses[0].search_result_entry.attributes[0].type: objectClass + ldap.responses[0].search_result_entry.attributes[0].values[0]: top + ldap.responses[0].search_result_entry.attributes[0].values[1]: domain + ldap.responses[0].search_result_entry.attributes[1].type: dc + ldap.responses[0].search_result_entry.attributes[1].values[0]: example + ldap.responses[1].operation: search_result_done + ldap.responses[1].search_result_done.result_code: success + ldap.responses[1].search_result_done.matched_dn: "" + ldap.responses[1].search_result_done.message: "" diff --git a/tests/ldap-unbind/Makefile b/tests/ldap-unbind/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-unbind/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-unbind/README.md b/tests/ldap-unbind/README.md new file mode 100644 index 000000000..c260dd2e6 --- /dev/null +++ b/tests/ldap-unbind/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Unbind operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. 
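Review bot: The value of `ldap.request.search_request.attributes[1]` is a bare `+` (the `\x2b` byte in ldap.syn) right after a quoted `"*"`; in the collapsed hunk it is not even clear whether the line carries the value `+` or an empty value followed by a blank line, and a bare `+` in a diff reads like a marker rather than data. Quote it as `ldap.request.search_request.attributes[1]: "+"` to match `attributes[0]` and remove the ambiguity. This check is also the only multi-packet test besides ldap-bind without a `pcap_cnt` filter; adding it would keep the match anchored to the same packet as in the other tests.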
diff --git a/tests/ldap-unbind/ldap.pcap b/tests/ldap-unbind/ldap.pcap new file mode 100644 index 000000000..5e43324ce Binary files /dev/null and b/tests/ldap-unbind/ldap.pcap differ diff --git a/tests/ldap-unbind/ldap.syn b/tests/ldap-unbind/ldap.syn new file mode 100644 index 000000000..ea9931478 --- /dev/null +++ b/tests/ldap-unbind/ldap.syn @@ -0,0 +1,2 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x05\x02\x01\x03\x42\x00";); diff --git a/tests/ldap-unbind/test.yaml b/tests/ldap-unbind/test.yaml new file mode 100644 index 000000000..9153085c7 --- /dev/null +++ b/tests/ldap-unbind/test.yaml @@ -0,0 +1,16 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 5 + event_type: ldap + ldap.request.message_id: 3 + ldap.request.operation: unbind_request diff --git a/tests/ldap-unsolicited/Makefile b/tests/ldap-unsolicited/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-unsolicited/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-unsolicited/README.md b/tests/ldap-unsolicited/README.md new file mode 100644 index 000000000..d06937da1 --- /dev/null +++ b/tests/ldap-unsolicited/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Unsolicited message is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-unsolicited/ldap.pcap b/tests/ldap-unsolicited/ldap.pcap new file mode 100644 index 000000000..1aecea317 Binary files /dev/null and b/tests/ldap-unsolicited/ldap.pcap differ diff --git a/tests/ldap-unsolicited/ldap.syn b/tests/ldap-unsolicited/ldap.syn new file mode 100644 index 000000000..edd0767d6 --- /dev/null +++ b/tests/ldap-unsolicited/ldap.syn 
@@ -0,0 +1,3 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default < (content:"\x30\x49\x02\x01\x00\x78\x44\x0a\x01\x34\x04\x00\x04\x25\x54\x68\x65\x20\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x20\x53\x65\x72\x76\x65\x72\x20\x69\x73\x20\x73\x68\x75\x74\x74\x69\x6e\x67\x20\x64\x6f\x77\x6e\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x36";); + diff --git a/tests/ldap-unsolicited/test.yaml b/tests/ldap-unsolicited/test.yaml new file mode 100644 index 000000000..72dc30a7a --- /dev/null +++ b/tests/ldap-unsolicited/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 8 + +args: + - -k none + - --set stream.midstream=true + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 2 + event_type: ldap + ldap.responses[0].operation: extended_response + ldap.responses[0].message_id: 0 + ldap.responses[0].extended_response.result_code: "unavailable" + ldap.responses[0].extended_response.matched_dn: "" + ldap.responses[0].extended_response.message: "The Directory Server is shutting down" + ldap.responses[0].extended_response.name: "1.3.6.1.4.1.1466.20036"