
Expand visibility around authentication and application anomalies with Corelight’s new LDAP analyzer

Comprehensive visibility into network protocols is a hallmark of Zeek (and therefore Corelight) data. That's why we are very happy to announce that, with our v27.2 release, we are supporting a new analyzer for the LDAP protocol. You likely know LDAP as a workhorse for carrying directory information across the network. While it is an open standard, it is most often seen as part of several server implementations, especially Microsoft's Active Directory, OpenLDAP, and others. It is also a critical transport for directory information used by other applications, including those in the banking, energy, and healthcare sectors.

While there have been some partially developed analyzers/parsers for Zeek in the past, none were complete enough to be useful until the Zeek community came up with a version coded using Spicy (the new parser generator framework). With this new LDAP analyzer, all LDAP connections seen by the sensor will be analyzed, decoded, and logged.

When the analyzer is enabled, two new logs are created: the ldap.log and the ldap_search.log. The ldap.log contains general connection information as well as message information (version, operations, results, diagnostics and more) that's not related to searches. The ldap_search.log contains connection information as well as LDAP searches including the search filter and attributes, both of which are valuable for determining the purpose and result of the search.

When integrating this new analyzer into our platform, we found some issues with the support for Microsoft LDAP. We made some improvements and pushed those back upstream to the open-source repo. It's a great example of how Corelight works together with the Zeek community to magnify the best content for our customers.

What are some of the security use cases we expect this LDAP analyzer to enable? By viewing the logs, you'll have the visibility to monitor authentication attempts, directory lookups, and any queries using the LDAP protocol. This can be a helpful source of information about users, logins (both successful and failed), and membership in groups (which, for example in Active Directory, can also reveal organization details). Another use is validating that specific applications use the protocol as intended (e.g., a given application should only use a specific set of search attributes or scope). Yet another use is identifying attack tools that use enumeration or brute-forcing techniques via LDAP.
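Two of the use cases above, repeated failed binds from one source and an application host searching outside the attributes or scope it is expected to use, written as detection logic over constructed Zeek-style log lines. This is an added example, not Corelight's or Zeek's code; the column names, sample values and the per-host policy are assumptions for illustration, not the analyzer's actual schema.

```python
from collections import defaultdict
# Constructed sample records modelled on the two logs the post describes; the
# column names are an assumption for this example, not the analyzer's schema.
LDAP_LOG = """\
ts\tuid\tid.orig_h\topcode\tresult
1700000000.10\tC1a\t10.0.0.5\tbind\tinvalidCredentials
1700000000.50\tC1b\t10.0.0.5\tbind\tinvalidCredentials
1700000001.20\tC1c\t10.0.0.5\tbind\tinvalidCredentials
1700000002.00\tC1d\t10.0.0.5\tbind\tinvalidCredentials
1700000003.00\tC2a\t10.0.0.9\tbind\tsuccess
1700000003.50\tC4a\t10.0.0.7\tbind\tinvalidCredentials
"""
LDAP_SEARCH_LOG = """\
ts\tuid\tid.orig_h\tbase_object\tscope\tfilter\tattributes
1700000004.00\tC2b\t10.0.0.9\tDC=corp,DC=example\tsubtree\t(sAMAccountName=jdoe)\tmail,displayName
1700000005.00\tC3a\t10.0.0.9\tDC=corp,DC=example\tsubtree\t(objectClass=*)\tmemberOf,userAccountControl
1700000006.00\tC4b\t10.0.0.7\tDC=corp,DC=example\tbase\t(objectClass=*)\tcn
"""

def parse_log(text):  # header-first, tab-separated log -> list of row dicts
    lines = text.strip().split("\n")
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]

def failed_bind_sources(records, threshold=4, window=10.0):
    """Sources with at least `threshold` failed binds inside `window` seconds."""
    by_src = defaultdict(list)
    for r in records:
        if r["opcode"] == "bind" and r["result"] != "success":
            by_src[r["id.orig_h"]].append(float(r["ts"]))
    flagged = []
    for src, times in sorted(by_src.items()):
        times.sort()  # sliding window over this source's failure timestamps
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(src)
    return flagged

# Constructed policy: the scope and attributes an application host may request.
APP_POLICY = {"10.0.0.9": {"scope": {"subtree"}, "attributes": {"mail", "displayName"}}}
def policy_violations(search_records, policy=APP_POLICY):
    """Searches whose scope or attributes exceed the requesting host's policy."""
    out = []
    for r in search_records:
        rule = policy.get(r["id.orig_h"])  # hosts without a policy are not judged
        attrs = set(r["attributes"].split(","))
        if rule and (r["scope"] not in rule["scope"] or not attrs <= rule["attributes"]):
            out.append((r["uid"], sorted(attrs - rule["attributes"])))
    return out
```

On the sample data, 10.0.0.5 is flagged for four failed binds within two seconds, while the single failure from 10.0.0.7 is not, and connection C3a is reported because the application host requested memberOf and userAccountControl, which its policy does not allow.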

A more concrete example of using LDAP information for attack detection is the recent log4shell vulnerability in log4j. This vulnerability was exploited widely over the LDAP protocol, allowing attackers to execute malicious code under potentially privileged LDAP systems. We at Corelight came out with a comprehensive set of detections, including those using LDAP, and blogged about them. But these detections were limited to alerts only and didn't include the full context of the LDAP protocol that this new analyzer now enables. Customers will be able to combine their own internal knowledge of their LDAP directories with visibility into external LDAP connections to detect, and ultimately stop, the next attack that, like log4shell, uses LDAP as a transport mechanism.
