From 7fd86e800d444328358af4d8118cd6065058437e Mon Sep 17 00:00:00 2001 
From: Giuseppe Longo Date: Tue, 28 May 2024 11:57:45 +0200 Subject: [PATCH] ldap: add tests --- tests/ldap-add/Makefile | 3 +++ tests/ldap-add/README.md | 7 +++++++ tests/ldap-add/ldap.pcap | Bin 0 -> 603 bytes tests/ldap-add/ldap.syn | 4 ++++ tests/ldap-add/test.yaml | 26 +++++++++++++++++++++++ tests/ldap-bind/Makefile | 3 +++ tests/ldap-bind/README.md | 7 +++++++ tests/ldap-bind/ldap.pcap | Bin 0 -> 588 bytes tests/ldap-bind/ldap.syn | 3 +++ tests/ldap-bind/test.yaml | 15 ++++++++++++++ tests/ldap-compare/Makefile | 3 +++ tests/ldap-compare/README.md | 7 +++++++ tests/ldap-compare/ldap.pcap | Bin 0 -> 599 bytes tests/ldap-compare/ldap.syn | 5 +++++ tests/ldap-compare/test.yaml | 23 +++++++++++++++++++++ tests/ldap-delete/Makefile | 3 +++ tests/ldap-delete/README.md | 7 +++++++ tests/ldap-delete/ldap.pcap | Bin 0 -> 571 bytes tests/ldap-delete/ldap.syn | 3 +++ tests/ldap-delete/test.yaml | 21 +++++++++++++++++++ tests/ldap-extended/Makefile | 3 +++ tests/ldap-extended/README.md | 7 +++++++ tests/ldap-extended/ldap.pcap | Bin 0 -> 583 bytes tests/ldap-extended/ldap.syn | 3 +++ tests/ldap-extended/test.yaml | 22 ++++++++++++++++++++ tests/ldap-modify-dn/Makefile | 3 +++ tests/ldap-modify-dn/README.md | 7 +++++++ tests/ldap-modify-dn/ldap.pcap | Bin 0 -> 590 bytes tests/ldap-modify-dn/ldap.syn | 5 +++++ tests/ldap-modify-dn/test.yaml | 23 +++++++++++++++++++++ tests/ldap-modify/Makefile | 3 +++ tests/ldap-modify/README.md | 7 +++++++ tests/ldap-modify/ldap.pcap | Bin 0 -> 659 bytes tests/ldap-modify/ldap.syn | 5 +++++ tests/ldap-modify/test.yaml | 29 ++++++++++++++++++++++++++ tests/ldap-search/Makefile | 3 +++ tests/ldap-search/README.md | 7 +++++++ tests/ldap-search/ldap.pcap | Bin 0 -> 831 bytes tests/ldap-search/ldap.syn | 5 +++++ tests/ldap-search/test.yaml | 34 +++++++++++++++++++++++++++++++ tests/ldap-unbind/Makefile | 3 +++ tests/ldap-unbind/README.md | 7 +++++++ tests/ldap-unbind/ldap.pcap | Bin 0 -> 381 bytes tests/ldap-unbind/ldap.syn | 2 ++ 
tests/ldap-unbind/test.yaml | 16 +++++++++++++++ tests/ldap-unsolicited/Makefile | 3 +++ tests/ldap-unsolicited/README.md | 7 +++++++ tests/ldap-unsolicited/ldap.pcap | Bin 0 -> 239 bytes tests/ldap-unsolicited/ldap.syn | 3 +++ tests/ldap-unsolicited/test.yaml | 21 +++++++++++++++++++ 50 files changed, 368 insertions(+) create mode 100644 tests/ldap-add/Makefile create mode 100644 tests/ldap-add/README.md create mode 100644 tests/ldap-add/ldap.pcap create mode 100644 tests/ldap-add/ldap.syn create mode 100644 tests/ldap-add/test.yaml create mode 100644 tests/ldap-bind/Makefile create mode 100644 tests/ldap-bind/README.md create mode 100644 tests/ldap-bind/ldap.pcap create mode 100644 tests/ldap-bind/ldap.syn create mode 100644 tests/ldap-bind/test.yaml create mode 100644 tests/ldap-compare/Makefile create mode 100644 tests/ldap-compare/README.md create mode 100644 tests/ldap-compare/ldap.pcap create mode 100644 tests/ldap-compare/ldap.syn create mode 100644 tests/ldap-compare/test.yaml create mode 100644 tests/ldap-delete/Makefile create mode 100644 tests/ldap-delete/README.md create mode 100644 tests/ldap-delete/ldap.pcap create mode 100644 tests/ldap-delete/ldap.syn create mode 100644 tests/ldap-delete/test.yaml create mode 100644 tests/ldap-extended/Makefile create mode 100644 tests/ldap-extended/README.md create mode 100644 tests/ldap-extended/ldap.pcap create mode 100644 tests/ldap-extended/ldap.syn create mode 100644 tests/ldap-extended/test.yaml create mode 100644 tests/ldap-modify-dn/Makefile create mode 100644 tests/ldap-modify-dn/README.md create mode 100644 tests/ldap-modify-dn/ldap.pcap create mode 100644 tests/ldap-modify-dn/ldap.syn create mode 100644 tests/ldap-modify-dn/test.yaml create mode 100644 tests/ldap-modify/Makefile create mode 100644 tests/ldap-modify/README.md create mode 100644 tests/ldap-modify/ldap.pcap create mode 100644 tests/ldap-modify/ldap.syn create mode 100644 tests/ldap-modify/test.yaml create mode 100644 
tests/ldap-search/Makefile create mode 100644 tests/ldap-search/README.md create mode 100644 tests/ldap-search/ldap.pcap create mode 100644 tests/ldap-search/ldap.syn create mode 100644 tests/ldap-search/test.yaml create mode 100644 tests/ldap-unbind/Makefile create mode 100644 tests/ldap-unbind/README.md create mode 100644 tests/ldap-unbind/ldap.pcap create mode 100644 tests/ldap-unbind/ldap.syn create mode 100644 tests/ldap-unbind/test.yaml create mode 100644 tests/ldap-unsolicited/Makefile create mode 100644 tests/ldap-unsolicited/README.md create mode 100644 tests/ldap-unsolicited/ldap.pcap create mode 100644 tests/ldap-unsolicited/ldap.syn create mode 100644 tests/ldap-unsolicited/test.yaml diff --git a/tests/ldap-add/Makefile b/tests/ldap-add/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-add/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-add/README.md b/tests/ldap-add/README.md new file mode 100644 index 000000000..28f185b55 --- /dev/null +++ b/tests/ldap-add/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Add operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-add/ldap.pcap b/tests/ldap-add/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fea935fb8b7cbe0e902e1589d5155f2141adf77e GIT binary patch literal 603 zc-p&ic+)~A1{MYw`2U}Qfe}bQ=nqZvt6*d>1F}JQiWd9A#R@$Nf49tY;9ziNV9)?5 zb6_hu#RvpUKp?uAu@$J03uHz)Z`N9oW$Z{LtYl 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x49\x02\x01\x02\x68\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";); +default < (content:"\x30\x0c\x02\x01\x02\x69\x07\x0a\x01\x00\x04\x00\x04\x00";); + 
diff --git a/tests/ldap-add/test.yaml b/tests/ldap-add/test.yaml
new file mode 100644
index 000000000..10bc646ab
--- /dev/null
+++ b/tests/ldap-add/test.yaml
@@ -0,0 +1,26 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: add_request
+ ldap.request.add_request.entry: dc=example,dc=com
+ ldap.request.add_request.attributes[0].name: objectClass
+ ldap.request.add_request.attributes[0].values[0]: top
+ ldap.request.add_request.attributes[0].values[1]: domain
+ ldap.request.add_request.attributes[1].name: dc
+ ldap.request.add_request.attributes[1].values[0]: example
+ ldap.responses[0].operation: add_response
+ ldap.responses[0].add_response.result_code: success
+ ldap.responses[0].add_response.matched_dn: ""
+ ldap.responses[0].add_response.message: ""
diff --git a/tests/ldap-bind/Makefile b/tests/ldap-bind/Makefile
new file mode 100644
index 000000000..318ba91b6
--- /dev/null
+++ b/tests/ldap-bind/Makefile
@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/ldap-bind/README.md b/tests/ldap-bind/README.md
new file mode 100644
index 000000000..72918e738
--- /dev/null
+++ b/tests/ldap-bind/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Bind operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/ldap-bind/ldap.pcap b/tests/ldap-bind/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1c84a11d0cf687df697a2ac1326cf90debed1f77 GIT binary patch literal 588 zc-p&ic+)~A1{MYw`2U}Qfe}atO$|*en8?Xs24sV<^3@fB66`ic6S|alaxl0uFld03 zIk1(SVgv#vAQ0Wm*a}q01u`XoNr9ngHpG+(lMtr7({4Gx{Lt1jHNCwDP)z}u05XZO zRdh2@VG0m)2M7U8QG=M0HW^{c0?xmmBV%`QPZodj0IyrPfjBil0BDLj#FW!hI2rta zf*@R<%;X>?K7;jUfjkS?6bGm&o3NT9p}^1`#=u}826SeEAQK}q3&UbA77phiM_*lE z7gLbw&!!{XsCp;m&icE&Y3mjTnBw(mDkyNlZsdo!an}q^h76z}2y5^sdL4N?bIH3I z9|ORqL_tlNfz=eC8*3&4-Dm)mO4R0J409mw8>nF!bWeOdU1yDx3Gg-{q1-Vjy>;^`pQ7v5!H00504cF+I- literal 0 Hc-jL100001 diff --git a/tests/ldap-bind/ldap.syn b/tests/ldap-bind/ldap.syn new file mode 100644 index 000000000..192f6df2b --- /dev/null +++ b/tests/ldap-bind/ldap.syn @@ -0,0 +1,3 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x16\x02\x01\x01\x60\x11\x02\x01\x03\x04\x00\xa3\x0a\x04\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";); +default < (content:"\x30\x30\x02\x01\x01\x61\x2b\x0a\x01\x0e\x04\x00\x04\x00\x87\x22\x3c\x31\x30\x61\x31\x33\x63\x37\x62\x66\x37\x30\x38\x63\x61\x30\x66\x33\x39\x39\x63\x61\x39\x39\x65\x39\x32\x37\x64\x61\x38\x38\x62\x3e";); diff --git a/tests/ldap-bind/test.yaml b/tests/ldap-bind/test.yaml new file mode 100644 index 000000000..0ea814fe1 --- /dev/null +++ b/tests/ldap-bind/test.yaml @@ -0,0 +1,15 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + event_type: ldap + ldap.request.message_id: 1 + diff --git a/tests/ldap-compare/Makefile b/tests/ldap-compare/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-compare/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-compare/README.md b/tests/ldap-compare/README.md new file mode 100644 index 000000000..95caae1e3 --- /dev/null +++ b/tests/ldap-compare/README.md 
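Review bot: The ldap-bind test.yaml only asserts `event_type: ldap` and `ldap.request.message_id: 1`, so it still passes if the bind request and its response are not decoded at all, while every other request/response test in this series pins `ldap.request.operation`, `pcap_cnt` and the response result fields. The ldap.syn in the same hunk line frames a SASL bind (mechanism name `CRAM-MD5` in the request) answered by a bind response carrying result code 0x0e and server SASL credentials, none of which is checked. I'd add at least `pcap_cnt` and the operation name the logger emits for bind (presumably `bind_request`, following the `add_request`/`del_request` naming used here), and a `ldap.responses[0]` result-code assertion once the bind response fields are logged; if they are not logged yet, a `# TODO: assert bind fields once logged` comment would make the gap explicit.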
@@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Compare operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-compare/ldap.pcap b/tests/ldap-compare/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4de2b66d039f5a20571b707467a0528e223b85d5 GIT binary patch literal 599 zc-p&ic+)~A1{MYw`2U}Qfe}dCN@=Bax$rWW0ofqDS@WQD*$F+Nw^u&wo8HxQ==2mnn{hnOPh!OKt! z6a?W{*}HD3)*4M*9$(`QHYFcwN;6hdBor8K0Obu_nHZV!99UFJGgEA{Qu0%E@=I+4 zQu7OPQgu?2ZBr`}bD_-S{9FSG7M@ffKff|HHKej2m4%}?F( 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x45\x02\x01\x02\x6e\x40\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x18\x04\x0c\x65\x6d\x70\x6c\x6f\x79\x65\x65\x54\x79\x70\x65\x04\x08\x73\x61\x6c\x61\x72\x69\x65\x64";); +default < +(content:"\x30\x0c\x02\x01\x02\x6f\x07\x0a\x01\x06\x04\x00\x04\x00";); + diff --git a/tests/ldap-compare/test.yaml b/tests/ldap-compare/test.yaml new file mode 100644 index 000000000..7928e7fc4 --- /dev/null +++ b/tests/ldap-compare/test.yaml @@ -0,0 +1,23 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: compare_request + ldap.request.compare_request.entry: uid=jdoe,ou=People,dc=example,dc=com + ldap.request.compare_request.attribute_value_assertion.description: employeeType + ldap.request.compare_request.attribute_value_assertion.value: salaried + ldap.responses[0].operation: compare_response + ldap.responses[0].compare_response.result_code: "compare_true" + ldap.responses[0].compare_response.matched_dn: "" + ldap.responses[0].compare_response.message: "" diff --git a/tests/ldap-delete/Makefile b/tests/ldap-delete/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-delete/Makefile 
@@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-delete/README.md b/tests/ldap-delete/README.md new file mode 100644 index 000000000..9b39b0c15 --- /dev/null +++ b/tests/ldap-delete/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Delete operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-delete/ldap.pcap b/tests/ldap-delete/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b4018d7d945feaab0d96dd2f7ffcb34eff04dd9b GIT binary patch literal 571 zc-p&ic+)~A1{MYw`2U}Qfe}bgK5COT_X8V)8ITRaf8So8!9F|F-EnsOUk(OW1_lj~ zG6%MjQ;a~s1O%d+8C!u0xj?1_Fexw;&4!q=>m$Mx-svHa(q7zR{}q(XfNBcJ1dvIL zt)iQO3R8fXJ3t6%iW6y4OKk&E z^9yoPbyAXTQ!5g4q0Hp`T#$wTzagBRX?dXfjPZee3+^&(#q0T0kOq*m3;#fzz3)34 zg9}g)g#Cl7nD}=3v!s7rGXrdj8Pt?LSWN*sTNfCZ20TD#XR~uL0;8G*Y-ZaJgv%c8 a6H@c9t6Zz+By5E@KtYO&!7h8pzyJVz+kY(p literal 0 Hc-jL100001 diff --git a/tests/ldap-delete/ldap.syn b/tests/ldap-delete/ldap.syn new file mode 100644 index 000000000..41a30734a --- /dev/null +++ b/tests/ldap-delete/ldap.syn @@ -0,0 +1,3 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x29\x02\x01\x02\x4a\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d";); +default < (content:"\x30\x0c\x02\x01\x02\x6b\x07\x0a\x01\x00\x04\x00\x04\x00";); diff --git a/tests/ldap-delete/test.yaml b/tests/ldap-delete/test.yaml new file mode 100644 index 000000000..415be8d74 --- /dev/null +++ b/tests/ldap-delete/test.yaml 
@@ -0,0 +1,21 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 2 + ldap.request.operation: del_request + ldap.request.del_request.dn: uid=jdoe,ou=People,dc=example,dc=com + ldap.responses[0].operation: del_response + ldap.responses[0].del_response.result_code: "success" + ldap.responses[0].del_response.matched_dn: "" + ldap.responses[0].del_response.message: "" diff --git a/tests/ldap-extended/Makefile b/tests/ldap-extended/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-extended/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-extended/README.md b/tests/ldap-extended/README.md new file mode 100644 index 000000000..e2e8c934a --- /dev/null +++ b/tests/ldap-extended/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Extended operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-extended/ldap.pcap b/tests/ldap-extended/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..50067b2fbf7ce5666509c77bcc74de489c78fcf9 GIT binary patch literal 583 zc-p&ic+)~A1{MYw`2U}Qfe}bAKVg$5LxWf#KT$1_lFJpfk%Q8pI6sjP=a)4E0Qa*wDnx zOwY)`z}OsQNuwvisaq#m{5=tDW+S-qSTbG@rvkAS*r^;4rv`X&F~k4`L3r0>nX-kM zJ(DJ!ubB=u#Sd!A60D{Gotnf9bgBwaszRQN5g5HJ3|)9!Ea#1Iab?bZr2~m2XH+_V Sy5bF7Eg 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";); +default < (content:"\x30\x24\x02\x01\x01\x78\x1f\x0a\x01\x00\x04\x00\x04\x00\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";); diff --git a/tests/ldap-extended/test.yaml b/tests/ldap-extended/test.yaml new file mode 100644 index 000000000..99bf35dc2 --- /dev/null 
+++ b/tests/ldap-extended/test.yaml @@ -0,0 +1,22 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 7 + event_type: ldap + ldap.request.message_id: 1 + ldap.request.operation: extended_request + ldap.request.extended_request.name: 1.3.6.1.4.1.1466.20037 + ldap.responses[0].operation: extended_response + ldap.responses[0].extended_response.result_code: "success" + ldap.responses[0].extended_response.matched_dn: "" + ldap.responses[0].extended_response.message: "" + ldap.responses[0].extended_response.name: 1.3.6.1.4.1.1466.20037 diff --git a/tests/ldap-modify-dn/Makefile b/tests/ldap-modify-dn/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-modify-dn/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-modify-dn/README.md b/tests/ldap-modify-dn/README.md new file mode 100644 index 000000000..4177d52da --- /dev/null +++ b/tests/ldap-modify-dn/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP ModifyDN operation is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. diff --git a/tests/ldap-modify-dn/ldap.pcap b/tests/ldap-modify-dn/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8048de815ae3fdb8caf6ad8954e0a22bbe53090b GIT binary patch literal 590 zc-p&ic+)~A1{MYw`2U}Qfe}bI$!MjmwPa&31F}JwO+#}-yvyxudynO>I2c?R7&Ji2 z9N0=uF#-V-5QuJOYy~Rh0+|xPq`*)#8)C`@D}*Wjk^M9O?FbY6ZTk8Tswp57KqfJ^ zif#rfOaWr<03o0$Y7kRaStCsOz^#ANRk-=V1BsGjc-_Jc#Hj%SKvUEqrfA!;F_ZuW zLAa*wzt;Rm%M(?W9}xqak_I)U2dgO(3Jf=aZZWW7Vr0rOXHhB5OtH;M$xqeEFSQLw z%`eDF)k#UVO|3}Gg))=#b6I%6s`4}P^nfZE8UKUapzeV1iF!`LlS?vx+V?a+?Z+D) zsX*)r@=4)Kh)>=CO>qGVg7D_&GQo$^?jM)sV{`|bVg@y34^~rvKGF3D`h*AQlU#N# nMquo-fX&?Hh;Z4dmx>)0(~XwJ*O*Si8^)eMTnu*EZ3YGauiAQ% literal 0 Hc-jL100001 diff --git a/tests/ldap-modify-dn/ldap.syn b/tests/ldap-modify-dn/ldap.syn new file mode 100644 index 000000000..93f0c04eb 
--- /dev/null
+++ b/tests/ldap-modify-dn/ldap.syn
@@ -0,0 +1,5 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x3c\x02\x01\x02\x6c\x37\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x04\x0c\x75\x69\x64\x3d\x6a\x6f\x68\x6e\x2e\x64\x6f\x65\x01\x01\xff";);
+default <
+(content:"\x30\x0c\x02\x01\x02\x6d\x07\x0a\x01\x00\x04\x00\x04\x00";);
+
diff --git a/tests/ldap-modify-dn/test.yaml b/tests/ldap-modify-dn/test.yaml
new file mode 100644
index 000000000..567eef2c8
--- /dev/null
+++ b/tests/ldap-modify-dn/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: mod_dn_request
+ ldap.request.mod_dn_request.entry: uid=jdoe,ou=People,dc=example,dc=com
+ ldap.request.mod_dn_request.new_rdn: uid=john.doe
+ ldap.request.mod_dn_request.delete_old_rdn: true
+ ldap.responses[0].operation: mod_dn_response
+ ldap.responses[0].mod_dn_response.result_code: "success"
+ ldap.responses[0].mod_dn_response.matched_dn: ""
+ ldap.responses[0].mod_dn_response.message: ""
diff --git a/tests/ldap-modify/Makefile b/tests/ldap-modify/Makefile
new file mode 100644
index 000000000..318ba91b6
--- /dev/null
+++ b/tests/ldap-modify/Makefile
@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/ldap-modify/README.md b/tests/ldap-modify/README.md
new file mode 100644
index 000000000..484d194cc
--- /dev/null
+++ b/tests/ldap-modify/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Modify request is parsed and logged correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/ldap-modify/ldap.pcap b/tests/ldap-modify/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0772435ab625bae664b46f98de1d4eef512c84e3 GIT binary patch literal 659 zc-p&ic+)~A1{MYw`2U}Qfe}dm<$Z#<- z7>FawaItWB<>w`qWF+PpNOCbU8HlhjCFdFPvGBlz6FhwCumB;*% 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x81\x80\x02\x01\x02\x66\x7b\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x53\x30\x18\x0a\x01\x01\x30\x13\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x06\x04\x04\x4a\x6f\x68\x6e\x30\x1c\x0a\x01\x00\x30\x17\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x0a\x04\x08\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x30\x19\x0a\x01\x02\x30\x14\x04\x02\x63\x6e\x31\x0e\x04\x0c\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x20\x44\x6f\x65";); +default < +(content:"\x30\x0c\x02\x01\x02\x67\x07\x0a\x01\x00\x04\x00\x04\x00";); + diff --git a/tests/ldap-modify/test.yaml b/tests/ldap-modify/test.yaml new file mode 100644 index 000000000..8a8cdec20 --- /dev/null +++ b/tests/ldap-modify/test.yaml 
@@ -0,0 +1,29 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 7
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: modify_request
+ ldap.request.modify_request.object: uid=jdoe,ou=People,dc=example,dc=com
+ ldap.request.modify_request.changes[0].operation: delete
+ ldap.request.modify_request.changes[0].modification.attribute_type: givenName
+ ldap.request.modify_request.changes[0].modification.attribute_values[0]: John
+ ldap.request.modify_request.changes[1].operation: add
+ ldap.request.modify_request.changes[1].modification.attribute_type: givenName
+ ldap.request.modify_request.changes[1].modification.attribute_values[0]: Jonathan
+ ldap.request.modify_request.changes[2].operation: replace
+ ldap.request.modify_request.changes[2].modification.attribute_type: cn
+ ldap.request.modify_request.changes[2].modification.attribute_values[0]: Jonathan Doe
+ ldap.responses[0].modify_response.result_code: "success"
+ ldap.responses[0].modify_response.matched_dn: ""
+ ldap.responses[0].modify_response.message: ""
diff --git a/tests/ldap-search/Makefile b/tests/ldap-search/Makefile
new file mode 100644
index 000000000..318ba91b6
--- /dev/null
+++ b/tests/ldap-search/Makefile
@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/ldap-search/README.md b/tests/ldap-search/README.md
new file mode 100644
index 000000000..5c58b4e75
--- /dev/null
+++ b/tests/ldap-search/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Search operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
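Review bot: The ldap-modify test.yaml never asserts `ldap.responses[0].operation`, while the add, compare, delete, extended, modify-dn and search tests all pin the response operation before checking its result fields; here the `modify_response.result_code`/`matched_dn`/`message` keys are checked under an operation that is only assumed. Add `ldap.responses[0].operation: modify_response` directly above the `modify_response.result_code` line, matching the key-to-operation naming the other tests use. This hunk's `diff`/`+++` header sits on the previous physical line.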
diff --git a/tests/ldap-search/ldap.pcap b/tests/ldap-search/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..485d4cd07d2ccaf48f5b731f666e413deb113046 GIT binary patch literal 831 zc-p&ic+)~A1{MYw`2U}Qfe}bYE(=X-u47;@V}RfXq4mqHyYkk&E~}o$!QjfkpaD|m zz*cgK5eS%oKy))>D^MX9$dmvk1%{&85L1@aBTOk#EZvnSJM)eH$v8<=Q$QwwOk!*m z-3(Ni0>s<_LO@g0Af}WzAWW%>6m>GSV`F^Yn|B1STeyKZH9!DpiaNxUKaC6weGCx% zu4-|j!!m`3e`|6T!KO4oO)0`^ii85gH=r8~!k8GDk^@-;Q<7~{D-v@Ha#D4G%;fxB zE=DFUMg}G(<`+zia*T`&3se@1vT)}oWu+#UIOil57qhSxq!tzD=Pl-DVJ^)~VPVNi z$xk(4V`0={Vblh>PN)^(#~SW}DlxhD2UP8qKHv?hR3J_U`LXak#E)NqrU1PO#-=PH z&z7oIdRj>NCxT5WhMH23)fAu~Kc4~m(G%#$6c;RhG|)GYLGhCzFAH-?egO+xN`7u) zW}X2*3sXw6AtwtvR3FGed)g4*YRa8?U)XVxeeo*uQ+T5;8HhK4z10HoR$e;;g9`%$ z=gsk*F7eAmS?KiNi0AJGSjRB;j*{e?tc2G Uo0qab&Flg}m+b?)tc-yH057ky`Tzg` literal 0 Hc-jL100001 diff --git a/tests/ldap-search/ldap.syn b/tests/ldap-search/ldap.syn new file mode 100644 index 000000000..046f379b4 --- /dev/null +++ b/tests/ldap-search/ldap.syn @@ -0,0 +1,5 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x56\x02\x01\x02\x63\x51\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x0a\x01\x02\x0a\x01\x00\x02\x02\x03\xe8\x02\x01\x1e\x01\x01\x00\xa0\x24\xa3\x15\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x04\x06\x70\x65\x72\x73\x6f\x6e\xa3\x0b\x04\x03\x75\x69\x64\x04\x04\x6a\x64\x6f\x65\x30\x06\x04\x01\x2a\x04\x01\x2b";); +default < (content:"\x30\x49\x02\x01\x02\x64\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";); +default < (content:"\x30\x0c\x02\x01\x02\x65\x07\x0a\x01\x00\x04\x00\x04\x00";); + diff --git a/tests/ldap-search/test.yaml b/tests/ldap-search/test.yaml new file mode 100644 index 000000000..44d476239 
--- /dev/null
+++ b/tests/ldap-search/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: ldap
+ ldap.request.message_id: 2
+ ldap.request.operation: search_request
+ ldap.request.search_request.base_object: dc=example,dc=com
+ ldap.request.search_request.scope: 2
+ ldap.request.search_request.deref_alias: 0
+ ldap.request.search_request.size_limit: 1000
+ ldap.request.search_request.time_limit: 30
+ ldap.request.search_request.types_only: false
+ ldap.request.search_request.attributes[0]: "*"
+ ldap.request.search_request.attributes[1]: +
+ ldap.responses[0].operation: search_result_entry
+ ldap.responses[0].search_result_entry.base_object: dc=example,dc=com
+ ldap.responses[0].search_result_entry.attributes[0].type: objectClass
+ ldap.responses[0].search_result_entry.attributes[0].values[0]: top
+ ldap.responses[0].search_result_entry.attributes[0].values[1]: domain
+ ldap.responses[0].search_result_entry.attributes[1].type: dc
+ ldap.responses[0].search_result_entry.attributes[1].values[0]: example
+ ldap.responses[1].operation: search_result_done
+ ldap.responses[1].search_result_done.result_code: success
+ ldap.responses[1].search_result_done.matched_dn: ""
+ ldap.responses[1].search_result_done.message: ""
diff --git a/tests/ldap-unbind/Makefile b/tests/ldap-unbind/Makefile
new file mode 100644
index 000000000..318ba91b6
--- /dev/null
+++ b/tests/ldap-unbind/Makefile
@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/ldap-unbind/README.md b/tests/ldap-unbind/README.md
new file mode 100644
index 000000000..c260dd2e6
--- /dev/null
+++ b/tests/ldap-unbind/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Unbind operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
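Review bot: The ldap-search test.yaml has no `pcap_cnt` under `match:`, unlike the add, compare, delete, extended, modify-dn, modify, unbind and unsolicited tests, so `count: 1` alone does not pin the event to the packet that completes the exchange; add `pcap_cnt: <value read from the generated ldap.pcap>` next to `event_type`. The `scope: 2` and `deref_alias: 0` assertions are also the only enumerated fields in the series checked as raw integers, which is fine if that is what the logger emits, but a trailing `# wholeSubtree` / `# neverDerefAliases` comment on those two lines would make the expectation readable without decoding the request bytes in ldap.syn. This hunk's `diff` header is on the previous physical line.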
diff --git a/tests/ldap-unbind/ldap.pcap b/tests/ldap-unbind/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5e43324ce1b979ede8af9cd0e26445c4e5ea3881 GIT binary patch literal 381 zc-p&ic+)~A1{MYw`2U}Qfe}c1wb`VlXEHOG0ofpY@ra7d=JJYTOXcDdIT&0S7&Ji2 z9N0=uF#-V-5QuJOYy~Rh0+|xPq`*)#8)Ax87Qz$FNT!G|$O_~w{Qb-YJdRH6m^Ix53-pVY=MFx zoS>>K9DYtKj&Z5|X0R#xP*V?dB2r2?@K*hvZu3;=>eMfv~$ literal 0 Hc-jL100001 diff --git a/tests/ldap-unbind/ldap.syn b/tests/ldap-unbind/ldap.syn new file mode 100644 index 000000000..ea9931478 --- /dev/null +++ b/tests/ldap-unbind/ldap.syn @@ -0,0 +1,2 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default > (content:"\x30\x05\x02\x01\x03\x42\x00";); diff --git a/tests/ldap-unbind/test.yaml b/tests/ldap-unbind/test.yaml new file mode 100644 index 000000000..9153085c7 --- /dev/null +++ b/tests/ldap-unbind/test.yaml @@ -0,0 +1,16 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 5 + event_type: ldap + ldap.request.message_id: 3 + ldap.request.operation: unbind_request diff --git a/tests/ldap-unsolicited/Makefile b/tests/ldap-unsolicited/Makefile new file mode 100644 index 000000000..318ba91b6 --- /dev/null +++ b/tests/ldap-unsolicited/Makefile @@ -0,0 +1,3 @@ +ldap.pcap: ldap.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/ldap-unsolicited/README.md b/tests/ldap-unsolicited/README.md new file mode 100644 index 000000000..d06937da1 --- /dev/null +++ b/tests/ldap-unsolicited/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Test that LDAP Unsolicited message is parsed correctly. + +## PCAP + +This PCAP was generated with flowsynth. 
diff --git a/tests/ldap-unsolicited/ldap.pcap b/tests/ldap-unsolicited/ldap.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1aecea31768c0abc3f1e3c4e94a5961858cfc7df GIT binary patch literal 239 zc-p&ic+)~A1{MYw`2U}Qfe}d0kO)dUYs$jV2xNn>*R%JP1)G>ImqO#N?h0J1w;*8RglFYnxg_QjAye=_AJ!3sHJwrVcAT~5HGt)CNFfcX)If&ho zg~1GHJ_v6!{d+j@=vGbM{D;wC2WdbZbPD7akfTI5Gq!>p1H>Bw1QZww?=Ua`0MD2< A82|tP literal 0 Hc-jL100001 diff --git a/tests/ldap-unsolicited/ldap.syn b/tests/ldap-unsolicited/ldap.syn new file mode 100644 index 000000000..edd0767d6 --- /dev/null +++ b/tests/ldap-unsolicited/ldap.syn @@ -0,0 +1,3 @@ +flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;); +default < (content:"\x30\x49\x02\x01\x00\x78\x44\x0a\x01\x34\x04\x00\x04\x25\x54\x68\x65\x20\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x20\x53\x65\x72\x76\x65\x72\x20\x69\x73\x20\x73\x68\x75\x74\x74\x69\x6e\x67\x20\x64\x6f\x77\x6e\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x36";); + diff --git a/tests/ldap-unsolicited/test.yaml b/tests/ldap-unsolicited/test.yaml new file mode 100644 index 000000000..72dc30a7a --- /dev/null +++ b/tests/ldap-unsolicited/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 8 + +args: + - -k none + - --set stream.midstream=true + +pcap: ldap.pcap + +checks: + - filter: + count: 1 + match: + pcap_cnt: 2 + event_type: ldap + ldap.responses[0].operation: extended_response + ldap.responses[0].message_id: 0 + ldap.responses[0].extended_response.result_code: "unavailable" + ldap.responses[0].extended_response.matched_dn: "" + ldap.responses[0].extended_response.message: "The Directory Server is shutting down" + ldap.responses[0].extended_response.name: "1.3.6.1.4.1.1466.20036" -- 2.47.2
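Review bot: The ldap-unsolicited test.yaml is the only one in the series that passes `--set stream.midstream=true`, and nothing in the yaml or the README says why. The `pcap_cnt: 2` assertion and the 239-byte capture in the diffstat suggest the pcap holds no TCP handshake, only the server-first notice, which is presumably what requires midstream pickup; that reasoning should live next to the arg, e.g. `# no handshake in the capture: the server's Notice of Disconnection is the first packet, so midstream pickup is required`. Without it a future cleanup that "normalizes" the args to match the other tests will silently break this check.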