ldap: add ldap.rules file

Add a file containing rules to match LDAP protocol events. Ticket #8368 (cherry picked from commit b6fa3c8e8c)
1 month ago · 870a09cb7b
parent 3264677d4c
commit 870a09cb7b
2 changed files with 9 additions and 0 deletions
--- a/rules/README.md
+++ b/rules/README.md
@ -29,6 +29,7 @@ signature IDs.
 | QUIC     | 2231000 | 2231999 |
 | FTP      | 2232000 | 2232999 |
 | POP3     | 2236000 | 2236999 |
+| LDAP     | 2237000 | 2237999 |
 | DNS      | 2240000 | 2240999 |
 | PGSQL    | 2241000 | 2241999 |
 | mDNS     | 2242000 | 2242999 |
--- a/rules/ldap-events.rules
+++ b/rules/ldap-events.rules
@ -0,0 +1,8 @@
+# LDAP app layer event rules
+#
+# SID's fall in the 2237000+ range.
+
+alert ldap any any -> any any (msg:"SURICATA LDAP too many transactions"; app-layer-event:ldap.too_many_transactions; classtype:protocol-command-decode; sid:2237000; rev:1;)
+alert ldap any any -> any any (msg:"SURICATA LDAP invalid data"; app-layer-event:ldap.invalid_data; classtype:protocol-command-decode; sid:2237001; rev:1;)
+alert ldap any any -> any any (msg:"SURICATA LDAP request not found"; app-layer-event:ldap.request_not_found; classtype:protocol-command-decode; sid:2237002; rev:1;)
+