ldap: add tests

tests/ldap-add/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-add/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Add operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-add/ldap.syn

@@ -0,0 +1,4 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x49\x02\x01\x02\x68\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";);
+default < (content:"\x30\x0c\x02\x01\x02\x69\x07\x0a\x01\x00\x04\x00\x04\x00";);
+

tests/ldap-add/test.yaml

@@ -0,0 +1,26 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 7
+        event_type: ldap
+        ldap.request.message_id: 2
+        ldap.request.operation: add_request
+        ldap.request.add_request.entry: dc=example,dc=com
+        ldap.request.add_request.attributes[0].name: objectClass
+        ldap.request.add_request.attributes[0].values[0]: top
+        ldap.request.add_request.attributes[0].values[1]: domain
+        ldap.request.add_request.attributes[1].name: dc
+        ldap.request.add_request.attributes[1].values[0]: example
+        ldap.responses[0].operation: add_response
+        ldap.responses[0].add_response.result_code: success
+        ldap.responses[0].add_response.matched_dn: ""
+        ldap.responses[0].add_response.message: ""

tests/ldap-bind/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-bind/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Bind operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-bind/ldap.syn

@@ -0,0 +1,3 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x16\x02\x01\x01\x60\x11\x02\x01\x03\x04\x00\xa3\x0a\x04\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";);
+default < (content:"\x30\x30\x02\x01\x01\x61\x2b\x0a\x01\x0e\x04\x00\x04\x00\x87\x22\x3c\x31\x30\x61\x31\x33\x63\x37\x62\x66\x37\x30\x38\x63\x61\x30\x66\x33\x39\x39\x63\x61\x39\x39\x65\x39\x32\x37\x64\x61\x38\x38\x62\x3e";);

tests/ldap-bind/test.yaml

@@ -0,0 +1,15 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: ldap
+        ldap.request.message_id: 1
+

tests/ldap-compare/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-compare/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Compare operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-compare/ldap.syn

@@ -0,0 +1,5 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x45\x02\x01\x02\x6e\x40\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x18\x04\x0c\x65\x6d\x70\x6c\x6f\x79\x65\x65\x54\x79\x70\x65\x04\x08\x73\x61\x6c\x61\x72\x69\x65\x64";);
+default <
+(content:"\x30\x0c\x02\x01\x02\x6f\x07\x0a\x01\x06\x04\x00\x04\x00";);
+

tests/ldap-compare/test.yaml

@@ -0,0 +1,23 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 7
+        event_type: ldap
+        ldap.request.message_id: 2
+        ldap.request.operation: compare_request
+        ldap.request.compare_request.entry: uid=jdoe,ou=People,dc=example,dc=com
+        ldap.request.compare_request.attribute_value_assertion.description: employeeType
+        ldap.request.compare_request.attribute_value_assertion.value: salaried
+        ldap.responses[0].operation: compare_response
+        ldap.responses[0].compare_response.result_code: "compare_true"
+        ldap.responses[0].compare_response.matched_dn: ""
+        ldap.responses[0].compare_response.message: ""

tests/ldap-delete/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-delete/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Delete operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-delete/ldap.syn

@@ -0,0 +1,3 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x29\x02\x01\x02\x4a\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d";);
+default < (content:"\x30\x0c\x02\x01\x02\x6b\x07\x0a\x01\x00\x04\x00\x04\x00";);

tests/ldap-delete/test.yaml

@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 7
+        event_type: ldap
+        ldap.request.message_id: 2
+        ldap.request.operation: del_request
+        ldap.request.del_request.dn: uid=jdoe,ou=People,dc=example,dc=com
+        ldap.responses[0].operation: del_response
+        ldap.responses[0].del_response.result_code: "success"
+        ldap.responses[0].del_response.matched_dn: ""
+        ldap.responses[0].del_response.message: ""

tests/ldap-extended/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-extended/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Extended operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-extended/ldap.syn

@@ -0,0 +1,3 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x1d\x02\x01\x01\x77\x18\x80\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";);
+default < (content:"\x30\x24\x02\x01\x01\x78\x1f\x0a\x01\x00\x04\x00\x04\x00\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x37";);

tests/ldap-extended/test.yaml

@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 7
+        event_type: ldap
+        ldap.request.message_id: 1
+        ldap.request.operation: extended_request
+        ldap.request.extended_request.name: 1.3.6.1.4.1.1466.20037
+        ldap.responses[0].operation: extended_response
+        ldap.responses[0].extended_response.result_code: "success"
+        ldap.responses[0].extended_response.matched_dn: ""
+        ldap.responses[0].extended_response.message: ""
+        ldap.responses[0].extended_response.name: 1.3.6.1.4.1.1466.20037

tests/ldap-modify-dn/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-modify-dn/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP ModifyDN operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-modify-dn/ldap.syn

@@ -0,0 +1,5 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x3c\x02\x01\x02\x6c\x37\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x04\x0c\x75\x69\x64\x3d\x6a\x6f\x68\x6e\x2e\x64\x6f\x65\x01\x01\xff";);
+default <
+(content:"\x30\x0c\x02\x01\x02\x6d\x07\x0a\x01\x00\x04\x00\x04\x00";);
+

tests/ldap-modify-dn/test.yaml

@@ -0,0 +1,23 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 7
+        event_type: ldap
+        ldap.request.message_id: 2
+        ldap.request.operation: mod_dn_request
+        ldap.request.mod_dn_request.entry: uid=jdoe,ou=People,dc=example,dc=com
+        ldap.request.mod_dn_request.new_rdn: uid=john.doe
+        ldap.request.mod_dn_request.delete_old_rdn: true
+        ldap.responses[0].operation: mod_dn_response
+        ldap.responses[0].mod_dn_response.result_code: "success"
+        ldap.responses[0].mod_dn_response.matched_dn: ""
+        ldap.responses[0].mod_dn_response.message: ""

tests/ldap-modify/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-modify/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Modify request is parsed and logged correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-modify/ldap.syn

@@ -0,0 +1,5 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x81\x80\x02\x01\x02\x66\x7b\x04\x24\x75\x69\x64\x3d\x6a\x64\x6f\x65\x2c\x6f\x75\x3d\x50\x65\x6f\x70\x6c\x65\x2c\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x53\x30\x18\x0a\x01\x01\x30\x13\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x06\x04\x04\x4a\x6f\x68\x6e\x30\x1c\x0a\x01\x00\x30\x17\x04\x09\x67\x69\x76\x65\x6e\x4e\x61\x6d\x65\x31\x0a\x04\x08\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x30\x19\x0a\x01\x02\x30\x14\x04\x02\x63\x6e\x31\x0e\x04\x0c\x4a\x6f\x6e\x61\x74\x68\x61\x6e\x20\x44\x6f\x65";);
+default <
+(content:"\x30\x0c\x02\x01\x02\x67\x07\x0a\x01\x00\x04\x00\x04\x00";);
+

tests/ldap-modify/test.yaml

@@ -0,0 +1,29 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 7
+        event_type: ldap
+        ldap.request.message_id: 2
+        ldap.request.operation: modify_request
+        ldap.request.modify_request.object: uid=jdoe,ou=People,dc=example,dc=com
+        ldap.request.modify_request.changes[0].operation: delete
+        ldap.request.modify_request.changes[0].modification.attribute_type: givenName
+        ldap.request.modify_request.changes[0].modification.attribute_values[0]: John
+        ldap.request.modify_request.changes[1].operation: add
+        ldap.request.modify_request.changes[1].modification.attribute_type: givenName
+        ldap.request.modify_request.changes[1].modification.attribute_values[0]: Jonathan
+        ldap.request.modify_request.changes[2].operation: replace
+        ldap.request.modify_request.changes[2].modification.attribute_type: cn
+        ldap.request.modify_request.changes[2].modification.attribute_values[0]: Jonathan Doe
+        ldap.responses[0].modify_response.result_code: "success"
+        ldap.responses[0].modify_response.matched_dn: ""
+        ldap.responses[0].modify_response.message: ""

tests/ldap-search/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-search/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Search operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-search/ldap.syn

@@ -0,0 +1,5 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x56\x02\x01\x02\x63\x51\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x0a\x01\x02\x0a\x01\x00\x02\x02\x03\xe8\x02\x01\x1e\x01\x01\x00\xa0\x24\xa3\x15\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x04\x06\x70\x65\x72\x73\x6f\x6e\xa3\x0b\x04\x03\x75\x69\x64\x04\x04\x6a\x64\x6f\x65\x30\x06\x04\x01\x2a\x04\x01\x2b";);
+default < (content:"\x30\x49\x02\x01\x02\x64\x44\x04\x11\x64\x63\x3d\x65\x78\x61\x6d\x70\x6c\x65\x2c\x64\x63\x3d\x63\x6f\x6d\x30\x2f\x30\x1c\x04\x0b\x6f\x62\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x31\x0d\x04\x03\x74\x6f\x70\x04\x06\x64\x6f\x6d\x61\x69\x6e\x30\x0f\x04\x02\x64\x63\x31\x09\x04\x07\x65\x78\x61\x6d\x70\x6c\x65";);
+default < (content:"\x30\x0c\x02\x01\x02\x65\x07\x0a\x01\x00\x04\x00\x04\x00";);
+

tests/ldap-search/test.yaml

@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: ldap
+        ldap.request.message_id: 2
+        ldap.request.operation: search_request
+        ldap.request.search_request.base_object: dc=example,dc=com
+        ldap.request.search_request.scope: 2
+        ldap.request.search_request.deref_alias: 0
+        ldap.request.search_request.size_limit: 1000
+        ldap.request.search_request.time_limit: 30
+        ldap.request.search_request.types_only: false
+        ldap.request.search_request.attributes[0]: "*"
+        ldap.request.search_request.attributes[1]: +
+        ldap.responses[0].operation: search_result_entry
+        ldap.responses[0].search_result_entry.base_object: dc=example,dc=com
+        ldap.responses[0].search_result_entry.attributes[0].type: objectClass
+        ldap.responses[0].search_result_entry.attributes[0].values[0]: top
+        ldap.responses[0].search_result_entry.attributes[0].values[1]: domain
+        ldap.responses[0].search_result_entry.attributes[1].type: dc
+        ldap.responses[0].search_result_entry.attributes[1].values[0]: example
+        ldap.responses[1].operation: search_result_done
+        ldap.responses[1].search_result_done.result_code: success
+        ldap.responses[1].search_result_done.matched_dn: ""
+        ldap.responses[1].search_result_done.message: "" 

tests/ldap-unbind/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-unbind/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Unbind operation is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-unbind/ldap.syn

@@ -0,0 +1,2 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default > (content:"\x30\x05\x02\x01\x03\x42\x00";);

tests/ldap-unbind/test.yaml

@@ -0,0 +1,16 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: ldap.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 5
+        event_type: ldap
+        ldap.request.message_id: 3
+        ldap.request.operation: unbind_request

tests/ldap-unsolicited/Makefile

@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+	flowsynth.py -f pcap -w $@ $^
+

tests/ldap-unsolicited/README.md

@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP Unsolicited message is parsed correctly.
+
+## PCAP
+
+This PCAP was generated with flowsynth.

tests/ldap-unsolicited/ldap.syn

@@ -0,0 +1,3 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default < (content:"\x30\x49\x02\x01\x00\x78\x44\x0a\x01\x34\x04\x00\x04\x25\x54\x68\x65\x20\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x20\x53\x65\x72\x76\x65\x72\x20\x69\x73\x20\x73\x68\x75\x74\x74\x69\x6e\x67\x20\x64\x6f\x77\x6e\x8a\x16\x31\x2e\x33\x2e\x36\x2e\x31\x2e\x34\x2e\x31\x2e\x31\x34\x36\x36\x2e\x32\x30\x30\x33\x36";);
+