
Add Recog support for LDAP searchResponse and encoded examples #111

Merged 1 commit, Aug 25, 2016

Conversation

@tsellers-r7 (Contributor) commented Aug 25, 2016

This PR adds support for parsing the binary LDAP searchResponse banner. There are 55 new fingerprints with 68 total tests.

It also adds the _encoding attribute to example fingerprint elements to allow example strings to be base64 encoded.

For example:

    <example _encoding="base64">
         dGllczGEAAAAlQQWMS4yLjg0MC4xMTM1NTYuMS40LjgwMAQuZGF0YS5yZW1vdmVkLjCE
         AAAAKAQdZG9tYWluQ29udHJvbGxlckZ1bmN0aW9uYWxpdHkxhAAAAAMEATc=
    </example>
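The following is an added example, not Recog's own loader or any code from this PR. It shows the two mechanisms the PR description and the README change discuss: an `<example _encoding="base64">` element whose wrapped text is decoded back to the raw banner, and `param` elements whose `pos="0"` entries carry a static `value` while other `pos` values are taken from the pattern's capture groups. It also demonstrates the `\x84` problem noted in the LDAP fingerprint file: Ruby rejects that escape under its default UTF-8 encoding rules, so the pattern is built with `Regexp::NOENCODING` to match bytes. The fingerprint XML, its `pattern`, and the param names and values are constructed for illustration; the base64 text is the banner quoted in the PR description. REXML is used for parsing in place of whatever Recog itself uses.

```ruby
# Added example (not Recog's own code): a minimal reader for one fingerprint
# entry that uses the `_encoding="base64"` example attribute this PR
# introduces, and a demonstration of why the LDAP fingerprint file notes that
# Ruby will not build a RegExp containing \x84 under its default encoding.
require 'rexml/document'

# Constructed fingerprint, modelled on the PR's example element. The pattern
# and the param names/values are assumptions for illustration; the wrapped
# base64 text is the example banner quoted in the PR description.
FINGERPRINT_XML = <<~'XML'
  <fingerprint pattern="\Aties1\x84\x00\x00\x00.\x04\x16(1\.2\.840\.113556\.1\.4\.800)">
    <description>Constructed LDAP searchResponse fingerprint (example only)</description>
    <example _encoding="base64">
      dGllczGEAAAAlQQWMS4yLjg0MC4xMTM1NTYuMS40LjgwMAQuZGF0YS5yZW1vdmVkLjCE
      AAAAKAQdZG9tYWluQ29udHJvbGxlckZ1bmN0aW9uYWxpdHkxhAAAAAMEATc=
    </example>
    <param pos="0" name="service.vendor" value="ExampleVendor"/>
    <param pos="1" name="ldap.capability_oid"/>
  </fingerprint>
XML

# Return the example banner as bytes, honouring the _encoding attribute.
# unpack1('m') is lenient base64 (the same decoder Base64.decode64 uses), so
# the newlines and indentation from 80-column wrapping are simply ignored.
def decode_example(example)
  text = example.text.to_s
  case example.attributes['_encoding']
  when nil      then text
  when 'base64' then text.unpack1('m')
  else raise ArgumentError, "unsupported _encoding: #{example.attributes['_encoding']}"
  end
end

# true if Ruby accepts the pattern text under its default (UTF-8) rules.
# A \x84 escape is an invalid UTF-8 lead byte, so Regexp.new raises
# RegexpError ("invalid multibyte escape") for patterns that contain it.
def builds_with_default_encoding?(source)
  Regexp.new(source)
  true
rescue RegexpError
  false
end

# Build the pattern as a byte-oriented regex (the /n flag). With
# Regexp::NOENCODING the \x84 escape is just a byte, and the regex can be
# matched against the binary (ASCII-8BIT) string the example decodes to.
def build_pattern(source)
  Regexp.new(source, Regexp::NOENCODING)
end

# Match the fingerprint's own example against its pattern and return the
# reported parameters: pos="0" params carry a static value, any other pos
# takes that capture group from the match. Returns nil on no match.
def match_fingerprint(xml)
  fp = REXML::Document.new(xml).root
  re = build_pattern(fp.attributes['pattern'])
  banner = decode_example(fp.elements['example'])
  m = re.match(banner)
  return nil unless m

  params = {}
  fp.each_element('param') do |param|
    pos = param.attributes['pos'].to_i
    params[param.attributes['name']] = pos.zero? ? param.attributes['value'] : m[pos]
  end
  params
end

if __FILE__ == $PROGRAM_NAME
  pattern = REXML::Document.new(FINGERPRINT_XML).root.attributes['pattern']
  puts "builds under default encoding: #{builds_with_default_encoding?(pattern)}"
  puts "builds with NOENCODING:        #{build_pattern(pattern).class}"
  p match_fingerprint(FINGERPRINT_XML)
end
```

The decoded banner starts with `ties1` followed by the bytes `84 00 00 00 95`: the `0x84` is the BER long-form length marker (four length octets follow), which is why it turns up in these LDAP responses and why the fingerprint file has to work around Ruby's handling of it.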

@@ -54,6 +54,15 @@ tests that `RomSShell_4.62` matches the provided regular expression and that the

The `param` elements contain a `pos` attribute, which indicates what capture field from the `pattern` should be extracted, or `0` for a static string. The `name` attribute is the key that will be reported in the case of a successful match and the `value` will either be a static string for `pos` values of `0` or missing and taken from the captured field.

The `example` string can be base64 encoded to permit the use of unprintable characters. To signal this to Recog an `_encoding` attribute with the value of `base64` is added to the `example` element. Based64 encoded text that is longer than 80 characters should be wrapped as shown below.
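Review bot: "Based64" in the last sentence of the added paragraph should read "Base64", and "should be wrapped" reads as a requirement although the thread confirms the validator accepts unwrapped lines of any length; suggest "Base64 encoded text longer than 80 characters is conventionally wrapped, as shown below, to keep the XML readable" so nobody treats the 80-column limit as enforced.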
Contributor


This 80-character wrapping is a suggestion rather than a requirement, right?

Contributor Author


Yes, as far as I know there are no technical requirements for wrapping the lines. I've tested with one line that was 170 chars and it passed validation.

Contributor


OK, that's what I thought. Maybe tweak this wording a bit to make it clear that this is not required but suggested for readability/maintenance.

@jhart-r7 jhart-r7 self-assigned this Aug 25, 2016
<?xml version="1.0" encoding="UTF-8"?>
<!--
Notes: Ruby will fail to build the RegExp if it contains \x84 which is a standard
byte in ANS.1 Sequence length fields.
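Review bot: "ANS.1" on the second line of the file comment should read "ASN.1". The 0x84 byte it refers to is the BER long-form length marker (four length octets follow the tag), which is why it appears in the captured searchResponse banners; it would help future maintainers if the comment also recorded how the patterns avoid the raw byte rather than only that Ruby fails to build the RegExp.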
Contributor


ASN ;)

@jhart-r7 jhart-r7 merged commit 7a6d60b into rapid7:master Aug 25, 2016
jhart-r7 added a commit that referenced this pull request Aug 25, 2016
@tsellers-r7 tsellers-r7 deleted the recog_ldap_searchResponse branch August 26, 2016 12:34

2 participants