CONTACT US
forrester wave report 2023

Close your ransomware case with Open NDR

SEE HOW

Download our free guide to find hidden attackers.

Find hidden attackers with Open NDR

SEE HOW

cloud-network

Corelight announces cloud enrichment for AWS, GCP, and Azure

READ MORE

corelight partner programe guide

Corelight's partner program

VIEW PROGRAM

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-spring-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Expand visibility around authentication and application anomalies with Corelight’s new LDAP analyzer

Comprehensive visibility into network protocols is a hallmark of Zeek (and therefore Corelight) data. That's why we are very happy to announce that with our v27.2 release we are supporting a new analyzer for the LDAP protocol. You likely know LDAP as a workhorse for carrying directory information across the network. While it's an open standard, it's most often seen as part of several server implementations, especially Microsoft's Active Directory, OpenLDAP, and others. It's also a critical transport component of information for other applications including those in the banking, energy, and healthcare sectors.

While there have been some partially developed analyzers/parsers for Zeek in the past, none were complete enough to be useful until the Zeek community came up with a version coded using Spicy (the new parser generator framework). With this new LDAP analyzer, all LDAP connections seen by the sensor will be analyzed, decoded, and logged.

When the analyzer is enabled, two new logs are created: the ldap.log and the ldap_search.log. The ldap.log contains general connection information as well as message information (version, operations, results, diagnostics and more) that's not related to searches. The ldap_search.log contains connection information as well as LDAP searches including the search filter and attributes, both of which are valuable for determining the purpose and result of the search.

When integrating this new analyzer into our platform, we found some issues with the support for Microsoft LDAP. We made some improvements and pushed those back upstream to the open-source repo. It's a great example of how Corelight works together with the Zeek community to magnify the best content for our customers.

What are some of the security use cases we expect this LDAP analyzer to enable? By viewing the logs, you'll have the visibility to monitor authentication attempts, directory lookups, and any queries using the LDAP protocol. This can be a helpful source of information about users, logins (both successful and failed), and membership in groups (which for example in Active Directory can also reveal organization details). Another use can be validating that specific applications are using the protocol as intended for their applications (e.g. a specific App should only use a specific set of search attributes or scope). Yet another use can be identifying attack tools using enumeration or brute-forcing techniques via LDAP.

A more specific example of how LDAP information can be used for specific attack detection is the recent log4shell vulnerability in log4j. This vulnerability was exploited widely over the LDAP protocol, allowing attackers to execute malicious code under potentially privileged LDAP systems. We at Corelight came out with a comprehensive set of detections, including those using LDAP, and blogged about them. But these detections were limited to alerts only and didn't include the full context of the LDAP protocol that this new analyzer will now enable. Customers will be able to use their own internal knowledge of their LDAP directories and visibility into external LDAP connections to detect and ultimately stop the next attack similar to log4shell that uses LDAP as a transport mechanism.

Recent Posts