From 82ca3e667b7752b173154f200019692f918eb518 Mon Sep 17 00:00:00 2001 From: Alice Akaki Date: Thu, 27 Feb 2025 20:09:17 -0400 Subject: [PATCH] ldap: fix LDAPDN nits Change variable name 'req' to 'resp' in function ldap_tx_get_responses_dn and documentation nits Fixes: 73ae6e997f6c ("detect: add ldap.responses.dn") 16dcee46fc8a ("detect: add ldap.request.dn") --- doc/userguide/rules/ldap-keywords.rst | 38 ++++++++++++++------------- rust/src/ldap/detect.rs | 18 ++++++------- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/doc/userguide/rules/ldap-keywords.rst b/doc/userguide/rules/ldap-keywords.rst index b37d099bf2..d33ae02a22 100644 --- a/doc/userguide/rules/ldap-keywords.rst +++ b/doc/userguide/rules/ldap-keywords.rst @@ -173,18 +173,19 @@ Comparison is case-sensitive. Syntax:: - ldap.request.dn; content:dc=example,dc=com; + ldap.request.dn; content:""; ``ldap.request.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``. This keyword maps to the EVE fields: -``ldap.request.bind_request.name`` -``ldap.request.add_request.entry`` -``ldap.request.search_request.base_object`` -``ldap.request.modify_request.object`` -``ldap.request.del_request.dn`` -``ldap.request.mod_dn_request.entry`` -``ldap.request.compare_request.entry`` + + - ``ldap.request.bind_request.name`` + - ``ldap.request.add_request.entry`` + - ``ldap.request.search_request.base_object`` + - ``ldap.request.modify_request.object`` + - ``ldap.request.del_request.dn`` + - ``ldap.request.mod_dn_request.entry`` + - ``ldap.request.compare_request.entry`` Example ^^^^^^^ 
@@ -215,22 +216,23 @@ Comparison is case-sensitive. Syntax:: - ldap.responses.dn; content:dc=example,dc=com; + ldap.responses.dn; content:""; ``ldap.responses.dn`` is a 'sticky buffer' and can be used as a ``fast_pattern``. ``ldap.responses.dn`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. This keyword maps to the EVE fields: -``ldap.responses[].search_result_entry.base_object`` -``ldap.responses[].bind_response.matched_dn`` -``ldap.responses[].search_result_done.matched_dn`` -``ldap.responses[].modify_response.matched_dn`` -``ldap.responses[].add_response.matched_dn`` -``ldap.responses[].del_response.matched_dn`` -``ldap.responses[].mod_dn_response.matched_dn`` -``ldap.responses[].compare_response.matched_dn`` -``ldap.responses[].extended_response.matched_dn`` + + - ``ldap.responses[].search_result_entry.base_object`` + - ``ldap.responses[].bind_response.matched_dn`` + - ``ldap.responses[].search_result_done.matched_dn`` + - ``ldap.responses[].modify_response.matched_dn`` + - ``ldap.responses[].add_response.matched_dn`` + - ``ldap.responses[].del_response.matched_dn`` + - ``ldap.responses[].mod_dn_response.matched_dn`` + - ``ldap.responses[].compare_response.matched_dn`` + - ``ldap.responses[].extended_response.matched_dn`` Example ^^^^^^^ diff --git a/rust/src/ldap/detect.rs b/rust/src/ldap/detect.rs index c982be5148..ee5a081e5c 100644 --- a/rust/src/ldap/detect.rs +++ b/rust/src/ldap/detect.rs 
@@ -362,15 +362,15 @@ unsafe extern "C" fn ldap_tx_get_responses_dn(
 let response = &tx.responses[local_id as usize];
 // We expect every response in one tx to be the same protocol_op
 let str_buffer: &str = match &response.protocol_op {
- ProtocolOp::SearchResultEntry(req) => req.object_name.0.as_str(),
- ProtocolOp::BindResponse(req) => req.result.matched_dn.0.as_str(),
- ProtocolOp::SearchResultDone(req) => req.matched_dn.0.as_str(),
- ProtocolOp::ModifyResponse(req) => req.result.matched_dn.0.as_str(),
- ProtocolOp::AddResponse(req) => req.matched_dn.0.as_str(),
- ProtocolOp::DelResponse(req) => req.matched_dn.0.as_str(),
- ProtocolOp::ModDnResponse(req) => req.matched_dn.0.as_str(),
- ProtocolOp::CompareResponse(req) => req.matched_dn.0.as_str(),
- ProtocolOp::ExtendedResponse(req) => req.result.matched_dn.0.as_str(),
+ ProtocolOp::SearchResultEntry(resp) => resp.object_name.0.as_str(),
+ ProtocolOp::BindResponse(resp) => resp.result.matched_dn.0.as_str(),
+ ProtocolOp::SearchResultDone(resp) => resp.matched_dn.0.as_str(),
+ ProtocolOp::ModifyResponse(resp) => resp.result.matched_dn.0.as_str(),
+ ProtocolOp::AddResponse(resp) => resp.matched_dn.0.as_str(),
+ ProtocolOp::DelResponse(resp) => resp.matched_dn.0.as_str(),
+ ProtocolOp::ModDnResponse(resp) => resp.matched_dn.0.as_str(),
+ ProtocolOp::CompareResponse(resp) => resp.matched_dn.0.as_str(),
+ ProtocolOp::ExtendedResponse(resp) => resp.result.matched_dn.0.as_str(),
 _ => return false,
 };
--
2.47.2