From b6fa3c8e8c2df8d3568b13d5ea4daa4ed0c860bc Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Tue, 10 Mar 2026 14:13:11 +0100
Subject: [PATCH] ldap: add ldap.rules file

Add a file containing rules to match LDAP protocol events.

Ticket #8368
---
 rules/README.md | 1 +
 rules/ldap-events.rules | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 rules/ldap-events.rules

diff --git a/rules/README.md b/rules/README.md
index e4fb0124ab..a0c031256f 100644
--- a/rules/README.md
+++ b/rules/README.md
@@ -29,6 +29,7 @@ signature IDs.
 | QUIC | 2231000 | 2231999 |
 | FTP | 2232000 | 2232999 |
 | POP3 | 2236000 | 2236999 |
+| LDAP | 2237000 | 2237999 |
 | DNS | 2240000 | 2240999 |
 | PGSQL | 2241000 | 2241999 |
 | mDNS | 2242000 | 2242999 |
diff --git a/rules/ldap-events.rules b/rules/ldap-events.rules
new file mode 100644
index 0000000000..b172cd1026
--- /dev/null
+++ b/rules/ldap-events.rules
@@ -0,0 +1,8 @@
+# LDAP app layer event rules
+#
+# SID's fall in the 2237000+ range.
+
+alert ldap any any -> any any (msg:"SURICATA LDAP too many transactions"; app-layer-event:ldap.too_many_transactions; classtype:protocol-command-decode; sid:2237000; rev:1;)
+alert ldap any any -> any any (msg:"SURICATA LDAP invalid data"; app-layer-event:ldap.invalid_data; classtype:protocol-command-decode; sid:2237001; rev:1;)
+alert ldap any any -> any any (msg:"SURICATA LDAP request not found"; app-layer-event:ldap.request_not_found; classtype:protocol-command-decode; sid:2237002; rev:1;)
+
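Review bot: The new rules file is referenced only from README.md; if the rules directory's build file enumerates the shipped *.rules files (rules/Makefile.am in this tree, as far as I recall), ldap-events.rules needs an entry there as well or it will not be installed — the diffstat shows no such change, so this should be confirmed. The hunk also ends with an extra `+` blank line, leaving a trailing empty line at end of file; drop it. The header comment `# SID's fall in the 2237000+ range.` would read better as `# SIDs fall in the 2237000+ range.`. Each `app-layer-event:ldap.*` name must match an event the LDAP parser actually registers; the three names here look plausible but cannot be verified from this patch alone, and a mismatch would only surface as a rule-load error at startup. Note also that the subject line says `ldap.rules` while the file added is `ldap-events.rules`.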