Initial commit

Author: AliAtashGar7

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug Report
+about: Report an issue with LDAPSentinel
+title: "[BUG] - [Title of the bug]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Steps to Reproduce**
+
+1. Step one
+2. Step two
+3. Step three
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Environment:**
+
+- OS: [e.g., Ubuntu 20.04]
+- Zeek version: [e.g., Zeek 5.1.0]
+- LDAPSentinel version: [e.g., 0.1.0]
+- Other relevant software versions or configurations
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature Request
+about: Suggest an idea for LDAPSentinel
+title: "[FEATURE REQUEST] - [Title of the feature]"
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/workflows/ci.yml

@@ -0,0 +1,39 @@
+name: CI for LDAPSentinel
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    # Checkout the code
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Set up Zeek environment
+    - name: Set up Zeek
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y zeek
+        # You may also install other dependencies like spicy-ldap if necessary
+
+    # Run Zeek scripts or tests
+    - name: Run tests with Zeek
+      run: |
+        # Assuming you have some tests in the "tests" directory
+        zeek -i eth0 scripts/ldap-sentinel.zeek
+        # Add any additional commands to run your tests
+
+    # Optionally, you can upload test results to GitHub if you use a testing framework
+    - name: Upload test results
+      uses: actions/upload-artifact@v2
+      with:
+        name: test-results
+        path: path/to/test/results

CHANGELOG.md

@@ -0,0 +1,30 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [Unreleased]
+
+### Added
+
+- Initial version of LDAPSentinel, a tool for detecting suspicious and malicious LDAP queries.
+- Added basic query detection logic to identify reconnaissance and attack patterns in LDAP traffic.
+
+## [0.1.0] - 2025-01-11
+
+### Added
+
+- First official release of LDAPSentinel.
+- Implemented core LDAP query analysis using the spicy-ldap package.
+- Initial `zkg.meta` and repository structure setup.
+
+### Changed
+
+- N/A
+
+### Fixed
+
+- N/A
+
+### Removed
+
+- N/A

CONTRIBUTING.md

@@ -0,0 +1,87 @@
+# Contributing to LDAPSentinel
+
+Thank you for your interest in contributing to **LDAPSentinel**! We welcome contributions of all kinds, including bug reports, feature requests, code contributions, documentation improvements, and more. Your involvement helps make this project better for everyone.
+
+## Code of Conduct
+
+Please note that this project is governed by a [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct/). By participating, you agree to abide by its terms. Be respectful, considerate, and constructive in all interactions.
+
+## How to Contribute
+
+### Reporting Issues
+
+If you encounter any problems or have suggestions for improvement, please create an issue in the [GitHub Issues](https://github.com/your-username/LDAPSentinel/issues) section. Include as much detail as possible:
+
+- Steps to reproduce the issue
+- Expected behavior
+- Actual behavior
+- Any relevant logs or screenshots
+
+### Contributing Code
+
+We welcome code contributions, whether it’s fixing bugs, adding features, or improving existing functionality. To contribute code:
+
+1. **Fork the repository**: Click the "Fork" button on the repository page to create your own copy.
+2. **Clone your fork**: Use `git clone` to clone your fork to your local machine.
+   
+   ```bash
+   git clone https://github.com/your-username/LDAPSentinel.git
+   ```
+3. **Create a new branch**: Create a branch for your changes.
+   
+   ```bash
+   git checkout -b feature-or-bugfix-description
+   ```
+4. **Make your changes**: Modify the code or documentation as needed.
+5. **Run tests**: Ensure your changes pass all existing tests and add new ones if necessary.
+6. **Commit your changes**: Write a clear and descriptive commit message.
+   
+   ```bash
+   git commit -m "Brief description of your changes"
+   ```
+7. **Push your branch**: Push your branch to your forked repository.
+   
+   ```bash
+   git push origin feature-or-bugfix-description
+   ```
+8. **Submit a pull request**: Go to the original repository and create a pull request. Describe your changes in detail and link to any relevant issues.
+
+### Setting Up the Environment
+
+To set up the development environment for **LDAPSentinel**:
+
+1. Ensure you have [Zeek](https://zeek.org) installed (version 6.0 or earlier).
+2. Install the [spicy-ldap](https://github.com/zeek/spicy-analyzers) package for parsing LDAP traffic.
+3. Clone this repository and navigate to the project directory.
+4. Load the `main.zeek` script into your Zeek instance for testing.
+
+### Testing
+
+Tests are located in the `tests/` directory. To run the tests:
+
+1. Use the provided `.pcap` files to simulate LDAP traffic.
+2. Run Zeek with the test configuration:
+   
+   ```bash
+   zeek -r tests/sample_ldap_traffic.pcap scripts/__load__.zeek
+   ```
+3. Verify the output matches expected results in the `tests/basic.test` file.
+
+### Submitting Contributions
+
+Before submitting your contributions, ensure the following:
+
+- Your code adheres to the project’s style guidelines.
+- Your changes are well-documented.
+- All tests pass, and new tests have been added for new functionality.
+
+### Style Guidelines
+
+- Follow Zeek scripting conventions for clarity and maintainability.
+- Use meaningful variable and function names.
+- Write concise and descriptive comments where necessary.
+- Keep commit messages clear and concise.
+
+---
+
+Thank you for contributing to **LDAPSentinel**! Your support and collaboration are greatly appreciated.

LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Ali AtashGar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1 +1,96 @@
-# LDAPSentinel
+<<<<<<< HEAD
+# LDAPSentinel
+=======
+# LDAPSentinel Repository Structure and README
+
+## Repository Structure
+
+```
+LDAPSentinel/
+├── .github/
+│   ├── ISSUE_TEMPLATE/
+│   │   └── bug_report.md
+│   └── workflows/
+│       └── ci.yml
+├── LICENSE
+├── README.md
+├── CONTRIBUTING.md
+├── zkg.meta
+├── CHANGELOG.md
+├── scripts/
+│   ├── __load__.zeek
+│   └── main.zeek
+├── tests/
+│   ├── basic.test
+│   └── sample_ldap_traffic.pcap
+
+```
+
+## README
+
+# LDAPDetection - LDAPSentinel
+
+## Overview
+
+LDAPDetection, also known as "LDAPSentinel," is a Zeek script designed to enhance LDAP traffic analysis by identifying potentially suspicious queries. It leverages the spicy-ldap package to parse LDAP traffic for versions of Zeek that do not natively support LDAP.
+
+## Key Features
+
+- Detects LDAP traffic using spicy-ldap for versions of Zeek prior to 6.1.
+- Identifies suspicious LDAP queries based on predefined filters.
+- Provides detailed logging to aid in security investigations.
+
+## Compatibility
+
+This project is tailored for users running Zeek versions **below 6.1**, as these versions lack built-in support for the LDAP protocol in the `base/protocols/` directory. Starting from Zeek version 6.1, native support for LDAP exists, and this script may require adaptation to integrate seamlessly.
+
+## Installation
+
+1. **Install Dependencies**
+   
+   - Ensure you have Zeek installed.
+   
+   - Install spicy-ldap:
+     
+     ```bash
+     zkg install spicy-ldap
+     ```
+
+2. **Clone Repository**
+   
+   ```bash
+   git clone https://github.com/yourusername/LDAPSentinel.git
+   cd LDAPSentinel
+   ```
+
+3. **Load the Script**
+   Add the following to your `local.zeek` configuration file:
+   
+   ```zeek
+   @load LDAPDetection
+   ```
+
+4. **Deploy the Configuration**
+   
+   ```bash
+   zeekctl deploy
+   ```
+
+## Usage
+
+Once deployed, the script will analyze LDAP traffic and identify queries matching the suspicious filter set. Logs will provide details of the source, destination, and detected queries.
+
+For more usage details, refer to the [usage documentation](docs/usage.md).
+
+## Contributing
+
+We welcome contributions! Please see the [CONTRIBUTING.md](CONTRIBUTING.md) file for guidelines on how to contribute to this project.
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+
+## Changelog
+
+All changes to this project are documented in the [CHANGELOG.md](CHANGELOG.md) file.
+>>>>>>> 29e751c (Initial commit)

scripts/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/main.zeek

@@ -0,0 +1,55 @@
+@load spicy-ldap
+@load base/frameworks/notice
+
+module LDAPDetection;
+
+export {
+    redef enum Notice::Type += {
+        Suspicious_LDAP_Activity
+    };
+
+    const suspicious_filters: set[string] = {
+    "(groupType:1.2.840.113556.1.4.803:=2147483648)",
+    "(groupType:1.2.840.113556.1.4.803:=2147483656)",
+    "(groupType:1.2.840.113556.1.4.803:=2147483652)",
+    "(groupType:1.2.840.113556.1.4.803:=2147483650)",
+    "(sAMAccountType=805306369)",
+    "(sAMAccountType=805306368)",
+    "(sAMAccountType=536870913)",
+    "(sAMAccountType=536870912)",
+    "(sAMAccountType=268435457)",
+    "(sAMAccountType=268435456)",
+    "(objectCategory=groupPolicyContainer)",
+    "(objectCategory=organizationalUnit)",
+    "(objectCategory=Computer)",
+    "(objectCategory=nTDSDSA)",
+    "(objectCategory=server)",
+    "(objectCategory=domain)",
+    "(objectCategory=person)",
+    "(objectCategory=group)",
+    "(objectCategory=user)",
+    "(objectClass=trustedDomain)",
+    "(objectClass=computer)",
+    "(objectClass=server)",
+    "(objectClass=group)",
+    "(objectClass=user)",
+    "(primaryGroupID=521)",
+    "(primaryGroupID=516)",
+    "(primaryGroupID=515)",
+    "(primaryGroupID=512)",
+    "Domain Admins",
+    "objectGUID=*",
+    "(schemaIDGUID=*)",
+    "admincount=1"
+    };
+}
+
+event LDAP::log_ldap_search(rec: LDAP::Search) {
+    for (filter in LDAPDetection::suspicious_filters) {
+        if (filter in rec$filter) {  # Check if filter is a substring of rec$filter
+        print fmt("Suspicious LDAP query detected: %s, %s", rec$filter, rec$id);
+        NOTICE([$note=Suspicious_LDAP_Activity, $msg=fmt("Suspicious LDAP query detected: %s", rec$filter), $identifier=rec$filter]);
+            break;
+        }
+    }
+}

tests/basic.test.log

@@ -0,0 +1,3 @@
+{"ts":1736113502.166532,"note":"LDAPDetection::Suspicious_LDAP_Activity","msg":"Suspicious LDAP query detected: (&(objectCategory=computer)(objectClass=computer))","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
+{"ts":1736113532.512622,"note":"LDAPDetection::Suspicious_LDAP_Activity","msg":"Suspicious LDAP query detected: (&(sAMAccountName=*)(objectCategory=user))","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}
+{"ts":1736113554.944964,"note":"LDAPDetection::Suspicious_LDAP_Activity","msg":"Suspicious LDAP query detected: (&(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(servicePrincipalName=*))","actions":["Notice::ACTION_LOG"],"email_dest":[],"suppress_for":3600.0}