Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time



This package provides an analyzer for Lightweight Directory Access Protocol write operations. The following operations will be written to ldap.log after running the analyzer:

  • modifyRequest and modifyResponse
  • modifyDNRequest and modifyDNResponse
  • addRequest and addResponse
  • deleteRequest and deleteResponse
  • bindRequest and bindResponse

Additionally, the analyzer will deliver GSSAPI GSS-SPNEGO authentication data in LDAP bindRequests to the gssapi analyzer to be written to the Kerberos or NTLM logs.

Environment Configuration

If using the analyzer as a plugin from the repo:

  1. Install bro-pkg manager
  • $ pip install bro-pkg
  • (Recommended: latest version) $ pip install git+git://
  1. Configure bro-pkg & environment
  • Bro-pkg needs PATH to bro-config: $ export PATH=$PATH:/path_to/bro/build (modify /path/to)
  • Run the autoconfiguration: $ bro-pkg autoconfig
  • Setup Bro's environment to match bro-pkgl $ eval $(bro-pkg env)
  1. Run the plugin straight from git:
  • $ bro-pkg install ldap-analyzer
  • Test to make sure the plugin is loaded $ bro -N | grep LDAP (you should see the plugin loaded)
  • $ bro -C -r your_ldap.pcap ( -C is optional and used if the pcap contains checksums. This must come before the -r )

If using the analyzer as a local plugin:

  • $ git clone
  • $ cd ldap-analyzer
  • $ ./configure --bro-dist=/path/to/bro && make
  • $ export BRO_PLUGIN_PATH=$BRO_PLUGIN_PATH/path/to/ldap-analyzer
  • Check if plugin got loaded $ bro -N | grep LDAP
  • Run it : $ bro -r your_ldap.pcap


  • Testing script produces an error. It attempts to access a non-existent file.
You can’t perform that action at this time.