Snort mailing list archives

LDAPv3 with simple authentication


From: FOULDE Damien <damien.foulde () axians com>
Date: Mon, 19 Dec 2016 11:39:24 +0000

Hello,


We need to write a signature to match on LDAPv3 with simple authentication.

LDAPv3 is described in RFC 2251 using Abstract Syntax Notation One
(ASN.1) and is encoded in the packets using a subset of the Basic Encoding
Rules (BER).

You may have a look at this great website,
http://www.selfadsi.org/ldap.htm#Frame, for a quick overview of the
encoding.

https://en.wikipedia.org/wiki/X.690#BER_encoding is also a good source of
information.

As you should have seen, the length can be encoded in a short or long form.

When the short form is used, the MSB is set to 0 and the 7 remaining bits
encode the length directly, from 0 to 127.

Using the byte_jump function we should be able to jump to the next encoded
data.

When the long form is used, the MSB is set to 1 and the 7 remaining bits
encode the number of bytes that follow (from 1 to 126), which contain the
actual length.

Using byte_extract and byte_jump functions with bitmask we should be able to
jump to the next encoded data.

Before reaching the point where the LDAPv3 authentication is set to simple
(encoded as 0) or SASL (encoded as 3), there are 5 short or long length fields.

Is there a way, through the subset of Snort packet dissection functions, to
match on this without writing 32 (2^5) different signatures to cover all
short/long possibilities?

BER encoding is also used to encode SNMP, so the same kind of issue may
have been seen there as well.


Thank you for your help,


Damien
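Added example, not part of the original message or of Snort: a small Python walker that does the same job the post wants from byte_extract/byte_jump, decoding the five BER length fields (short or long form) that precede the AuthenticationChoice of an LDAPv3 BindRequest and returning the choice tag. The BindRequest bytes it parses are constructed inline by a minimal BER encoder (the DN, password and mechanism names are made-up sample values); a DN longer than 127 bytes forces the long length form, so both forms are exercised by the same code path.

```python
"""Locate the AuthenticationChoice inside an LDAPv3 BindRequest (RFC 2251),
decoding BER lengths in both short and long form along the way.

Added example: the encoder and the sample DNs/passwords below are constructed
for illustration, not captured traffic."""

SIMPLE_AUTH = 0x80   # [0] context-specific tag: simple authentication
SASL_AUTH = 0xA3     # [3] context-specific, constructed tag: SASL authentication


def ber_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the BER length starting at buf[pos].

    Short form: MSB clear, the low 7 bits are the length (0..127).
    Long form:  MSB set, the low 7 bits say how many following bytes hold
                the length (big-endian).
    Returns (length, offset of the first content byte).
    """
    if pos >= len(buf):
        raise ValueError("truncated: no length byte at offset %d" % pos)
    first = buf[pos]
    if first & 0x80 == 0:
        return first, pos + 1
    nbytes = first & 0x7F
    # 0x80 would be the indefinite form (not permitted in LDAP); 0xFF is reserved.
    if nbytes == 0 or nbytes == 0x7F:
        raise ValueError("unsupported length octet 0x%02x" % first)
    if pos + 1 + nbytes > len(buf):
        raise ValueError("truncated: long-form length bytes missing")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def locate_auth_choice(pdu: bytes) -> tuple[int, int]:
    """Walk an LDAPMessage carrying a BindRequest and return
    (offset, tag) of its AuthenticationChoice.

    Layout, five length fields before the choice tag:
      30 L   LDAPMessage SEQUENCE            (descend into content)
      02 L   messageID INTEGER               (skip content)
      60 L   protocolOp BindRequest [APPLICATION 0] (descend)
      02 L   version INTEGER                 (skip)
      04 L   name LDAPDN                     (skip)
      80/A3  AuthenticationChoice: simple / sasl
    """
    steps = [(0x30, False), (0x02, True), (0x60, False), (0x02, True), (0x04, True)]
    pos = 0
    for tag, skip_content in steps:
        if pos >= len(pdu) or pdu[pos] != tag:
            raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
        length, pos = ber_length(pdu, pos + 1)
        if skip_content:
            pos += length
    if pos >= len(pdu):
        raise ValueError("truncated before AuthenticationChoice")
    return pos, pdu[pos]


def is_simple_bind(pdu: bytes) -> bool:
    """True when the PDU is a well-formed BindRequest using simple authentication."""
    try:
        return locate_auth_choice(pdu)[1] == SIMPLE_AUTH
    except ValueError:
        return False


# --- minimal BER encoder used only to build sample input -------------------

def ber_encode(tag: int, content: bytes) -> bytes:
    """TLV encoder: short form when the length fits in 7 bits, else long form."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lbytes)]) + lbytes + content


def simple_auth(password: bytes) -> bytes:
    return ber_encode(SIMPLE_AUTH, password)


def sasl_auth(mechanism: bytes) -> bytes:
    return ber_encode(SASL_AUTH, ber_encode(0x04, mechanism))


def make_bind_request(dn: bytes, auth_tlv: bytes, msg_id: int = 1) -> bytes:
    """Constructed LDAPv3 BindRequest wrapped in an LDAPMessage."""
    bind = ber_encode(0x02, bytes([3])) + ber_encode(0x04, dn) + auth_tlv
    return ber_encode(0x30, ber_encode(0x02, bytes([msg_id])) + ber_encode(0x60, bind))


if __name__ == "__main__":
    short_pdu = make_bind_request(b"cn=admin,dc=example,dc=com", simple_auth(b"secret"))
    long_pdu = make_bind_request(b"cn=" + b"a" * 200 + b",dc=example,dc=com",
                                 simple_auth(b"secret"))
    for name, pdu in (("short-form", short_pdu), ("long-form", long_pdu)):
        off, tag = locate_auth_choice(pdu)
        print("%s: choice tag 0x%02x at offset %d, simple=%s"
              % (name, tag, off, is_simple_bind(pdu)))
```

The walk is the same five decode-then-skip steps regardless of which length form each field uses; the Python loop just branches on the MSB at every step, which is exactly the branching that a straight-line rule has to spell out per field, hence the 2^5 combinations in the question. The sample pair (26-byte DN versus 221-byte DN) puts the choice tag at offset 38 in the short-form case and at offset 236 once the name, BindRequest and outer SEQUENCE lengths all switch to the long form.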
