Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect: add keywords for LDAPResult - v4 #12694

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

detect: add keywords for LDAPResult - v4 #12694

wants to merge 6 commits into from

Conversation

AkakiAlice
Copy link
Contributor

Ticket: #7532

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7532

Description:

  • Implement keywords ldap.responses.result_code and ldap.responses.message

Changes:

  • Fix cargo clippy

SV_BRANCH=OISF/suricata-verify#2310
Previous PR: #12691

@AkakiAlice
ldap: change variable name 'req' to 'resp' in function ldap_tx_get_re…
4aea1e5 
…sponses_dn
@AkakiAlice
ldap: rename DetectLdapRespData struct to be more specific
dfd8e32
@AkakiAlice
ldap: refactor function aux_ldap_parse_protocol_resp_op
93082e3 
Split code to create a generic function that parses LdapIndex
@AkakiAlice
ldap: create a generic funtion to match integer responses
c1567b5
@AkakiAlice
detect: add ldap.responses.result_code
2e9cc52 
ldap.responses.result_code matches on LDAP result code
This keyword maps the following eve fields:
ldap.responses[].bind_response.result_code
ldap.responses[].search_result_done.result_code
ldap.responses[].modify_response.result_code
ldap.responses[].add_response.result_code
ldap.responses[].del_response.result_code
ldap.responses[].mod_dn_response.result_code
ldap.responses[].compare_response.result_code
ldap.responses[].extended_response.result_code
It is an unsigned 32-bit integer
Doesn't support prefiltering

Ticket: OISF#7532
@AkakiAlice
detect: add ldap.responses.message
db29e2f 
ldap.responses.message matches on LDAPResult error message
This keyword maps the following eve fields:
ldap.responses[].bind_response.message
ldap.responses[].search_result_done.message
ldap.responses[].modify_response.message
ldap.responses[].add_response.message
ldap.responses[].del_response.message
ldap.responses[].mod_dn_response.message
ldap.responses[].compare_response.message
ldap.responses[].extended_response.message
It is a sticky buffer
Supports prefiltering

Ticket: OISF#7532
@AkakiAlice AkakiAlice mentioned this pull request Feb 28, 2025
Closed
5 tasks
@codecov Codecov
Copy link

codecov bot commented Feb 28, 2025

Codecov Report

Attention: Patch coverage is 81.90955% with 36 lines in your changes missing coverage. Please review.

Project coverage is 80.70%. Comparing base (0dc5b72) to head (db29e2f).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12694      +/-   ##
==========================================
- Coverage   80.71%   80.70%   -0.02%     
==========================================
  Files         936      936              
  Lines      259425   259511      +86     
==========================================
+ Hits       209399   209437      +38     
- Misses      50026    50074      +48
Flag Coverage Δ
fuzzcorpus 56.95% <17.58%> (-0.01%) ⬇️
livemode 19.43% <17.58%> (+0.01%) ⬆️
pcap 44.20% <19.09%> (-0.01%) ⬇️
suricata-verify 63.47% <81.90%> (-0.05%) ⬇️
unittests 58.20% <17.58%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

catenacyber
catenacyber reviewed Feb 28, 2025
View reviewed changes
doc/userguide/rules/ldap-keywords.rst
alert ldap any any -> any any (msg:"Test LDAP success at last index"; :example-rule-emphasis:`ldap.responses.result_code:success,-1;` sid:1;)

ldap.responses.message
----------------------------
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please fix the number of dashes

catenacyber
catenacyber requested changes Feb 28, 2025
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the work

CI : ✅
Code : checking now
Commits segmentation : ok
Commit messages : good
Git ID set : looks fine for me
CLA : you already contributed
Doc update : ⚠️ something to fix see comments
Redmine ticket : ok
Rustfmt ⚠️ could you please fix rustfmt rust/src/ldap/*.rs in a dedicated commit
Tests : approved suricata-verify PR
Dependencies added: none

catenacyber
catenacyber reviewed Feb 28, 2025
View reviewed changes
rust/src/ldap/detect.rs
tx,
&ctx.du32,
get_ldap_result_code,
|code, ctx_value| unsafe { rs_detect_u32_match(code, ctx_value) },
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use detect_match_uint (maybe detect_match_uint::<u32>) to avoid the unsafe ?

catenacyber
catenacyber reviewed Feb 28, 2025
View reviewed changes
rust/src/ldap/detect.rs
}

fn get_ldap_result_code(response: &LdapMessage) -> Option<u32> {
let result_code = match &response.protocol_op {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: just return match...

catenacyber
catenacyber reviewed Feb 28, 2025
View reviewed changes
doc/userguide/rules/ldap-keywords.rst
----------------------------

Matches on LDAP error messages from response operations.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should state that (response) operations not having a LDAPResult (like IntermediateResponse or SearchEntry) put an empty buffer here

catenacyber
catenacyber reviewed Feb 28, 2025
View reviewed changes
rust/src/ldap/detect.rs
ProtocolOp::ModDnResponse(resp) => resp.diagnostic_message.0.as_str(),
ProtocolOp::CompareResponse(resp) => resp.diagnostic_message.0.as_str(),
ProtocolOp::ExtendedResponse(resp) => resp.result.diagnostic_message.0.as_str(),
_ => "",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This behavior needs to be documented

catenacyber
catenacyber reviewed Feb 28, 2025
View reviewed changes
rust/src/ldap/detect.rs
_de: *mut c_void, _f: *mut c_void, _flags: u8, _state: *mut c_void, tx: *mut c_void,
_sig: *const c_void, ctx: *const c_void,
fn match_at_index<T>(
tx: &LdapTransaction, ctx_value: &DetectUintData<T>,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, Could we have a more generic type than LdapTransaction to fit other protocols ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber requested changes

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AkakiAlice @catenacyber