ldap.log and ldap_search.log
Added in version 6.1.
The Lightweight Directory Access Protocol (LDAP) is a widely observed protocol commonly used for authenticating, directory lookups, centralizing organisational information and accessing client information on email servers. Accordingly, the protocol attracts significant attention from those with adversarial intention.
LDAP Protocol Overview
LDAP communicates using a client-server model. The LDAP server contains the directory information and the LDAP client performs operations against this information. This is a quick overview of how the protocol works:
Sessions: An LDAP session begins with a client connecting to an LDAP server, optionally securing the connection with encryption, and then binding to the server by providing credentials.
Queries: Clients search for entries in the LDAP directory using LDAP queries, which consist of a base Distinguished Name (DN), a scope (such as one level or the entire subtree), and a filter to match entries. Queries are read only.
Operations: Clients with the correct privileges can perform a variety of operations; in addition to search, they can add, delete or modify.
Data Format: LDAP data entries are formatted as records consisting of a DN and a set of attributes. Each attribute has a name and one or more values.
The LDAP analyzer outputs two LDAP related logs. ldap.log contains
details about the LDAP session except those related to searches.
ldap_search.log contains information related to LDAP searches.
For details on every element of the ldap.log and ldap_search.log
refer to LDAP::MessageInfo and LDAP::SearchInfo, respectively.
Below is an inspection of the ldap.log and ldap_search.log in JSON format.
ldap.log
An example of an ldap.log.
zeek@zeek-6.1:~ zeek -C LogAscii::use_json=T LDAP::default_log_search_attributes=T -r ldap-simpleauth.pcap
zeek@zeek-6.1:~ jq . ldap.log
{
"ts": 1463256456.051759,
"uid": "ChD43F3guxAmJ5f2aj",
"id.orig_h": "10.0.0.1",
"id.orig_p": 25936,
"id.resp_h": "10.0.0.2",
"id.resp_p": 3268,
"message_id": 3,
"version": 3,
"opcode": "bind simple",
"result": "success",
"object": "CN=xxxxxxxx,OU=Users,OU=Accounts,DC=xx,DC=xxx,DC=xxxxx,DC=net",
"argument": "REDACTED"
}
ldap_search.log
An example of an ldap_search.log. Note the default for
LDAP::default_log_search_attributes is F, excluding attributes
from the log.
zeek@zeek-6.1:~ zeek -C LogAscii::use_json=T LDAP::default_log_search_attributes=T -r ldap-simpleauth.pcap
zeek@zeek-6.1:~ jq . ldap_search.log
{
"ts": 1463256456.047579,
"uid": "CAOF1l3FR8UzQ7mIb8",
"id.orig_h": "10.0.0.1",
"id.orig_p": 25936,
"id.resp_h": "10.0.0.2",
"id.resp_p": 3268,
"message_id": 2,
"scope": "tree",
"deref_aliases": "always",
"base_object": "DC=xx,DC=xxx,DC=xxxxx,DC=net",
"result_count": 1,
"result": "success",
"filter": "(&(objectclass=*)(sAMAccountName=xxxxxxxx))",
"attributes": [
"sAMAccountName"
]
}
StartTLS
Added in version 7.0.
Zeek’s LDAP analyzer supports the
extended StartTLS
operation, handing off analysis to Zeek’s TLS analyzer. The following shows an
example ldap.log entry for the StartTLS request.
$ zeek -C LogAscii::use_json=T -r ldap-starttls.pcap
$ jq < ldap.log
{
"ts": 1721218680.158341,
"uid": "CW0qzo9A3QsrCWL4k",
"id.orig_h": "127.0.0.1",
"id.orig_p": 45936,
"id.resp_h": "127.0.1.1",
"id.resp_p": 389,
"message_id": 1,
"opcode": "extended",
"result": "success",
"object": "1.3.6.1.4.1.1466.20037 (StartTLS)"
}
The conn.log’s history field will contain ssl and ldap in
the service field.
Conclusion
The Zeek LDAP logs provide additional insights that help improve observability into this protocol.