
ldap-analyzer doesn't work fully from Malcolm v2.0.5 and up #35

Closed
mmguero opened this issue Jan 26, 2021 · 2 comments
bug Something isn't working build For issues related to compilation/building regression It worked at one point... zeek Relating to Malcolm's use of Zeek
Comments


mmguero commented Jan 26, 2021

In Malcolm v2.0.5 we switched from GCC toolchain to LLVM toolchain. At this point, the ldap-analyzer stopped working correctly in that the ldap.log file is not being generated for write operations.

It turns out that if zeek and/or the plugin (not sure if it's one or the other) is compiled with a GCC toolchain it "works," but with an LLVM toolchain it doesn't.

I've distilled down a reproduction environment here: https://github.com/mmguero-dev/misc-debug/tree/main/zeek-ldap-analyzer
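A regression check for the symptom described above, added here as an example and not part of the issue or of Malcolm: it parses a Zeek TSV ldap.log and reports which write opcodes never appeared, so a toolchain change like the GCC-to-LLVM switch can be caught before release. The sample log, the `opcode` column name and the opcode labels `add`/`modify`/`delete` are assumptions, not taken from the plugin's schema.

```python
"""Check that a Zeek ldap.log contains LDAP write operations.

Parses Zeek's TSV log format (#separator / #fields headers) and returns
the set of expected write opcodes that never showed up.
"""
from __future__ import annotations

# Constructed sample of a Zeek TSV ldap.log, trimmed to a few columns.
# It only contains bind/search rows, i.e. the broken-analyzer situation.
# The "opcode" column and its values are assumptions, not from the issue.
SAMPLE_LDAP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tldap
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmessage_id\topcode\tresult
#types\ttime\tstring\taddr\taddr\tint\tstring\tstring
1611620000.100000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.10\t1\tbind\tsuccess
1611620000.200000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.10\t2\tsearch\tsuccess
#close\t2021-01-26-00-00-00
"""

# Assumed opcode labels for LDAP write operations.
WRITE_OPCODES = {"add", "modify", "delete"}


def parse_zeek_tsv(text: str) -> list[dict[str, str]]:
    """Parse a Zeek TSV log into row dicts keyed by the #fields names."""
    sep = "\t"
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # Zeek writes the separator as an escape sequence, e.g. "\x09".
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#types, #close, ...) and blanks
        else:
            rows.append(dict(zip(fields, line.split(sep))))
    return rows


def missing_write_ops(text: str, column: str = "opcode") -> set[str]:
    """Return the write opcodes absent from the log; empty set means healthy."""
    seen = {row.get(column, "") for row in parse_zeek_tsv(text)}
    return WRITE_OPCODES - seen


if __name__ == "__main__":
    print("missing write opcodes:", sorted(missing_write_ops(SAMPLE_LDAP_LOG)))
```

Run it against the ldap.log produced from a pcap known to contain adds or modifies; a non-empty result means the analyzer dropped the write operations.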

@mmguero mmguero added bug Something isn't working zeek Relating to Malcolm's use of Zeek regression It worked at one point... build For issues related to compilation/building labels Jan 26, 2021
@mmguero mmguero self-assigned this Jan 26, 2021

mmguero commented Jan 26, 2021

See zeek/zeek#1378

mmguero added a commit to cisagov/Malcolm that referenced this issue Feb 5, 2021
Malcolm v2.6.1 contains the following changes:

v2.6.0...v2.6.1

* Added [TFTP](https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol) [Zeek parser](https://github.com/zeek/spicy-tftp) and corresponding Logstash parsing, Arkime WISE support and Kibana dashboards
* Provide browser-based access to zeek/extracted-files directory (idaholab#34)
* Fix LDAP analyzer not parsing all events (idaholab#35)
* Provide more fine-tuned controls for Zeek's node.cfg in Hedgehog sensor (idaholab#36, /pull/158)
* set zeek.uid to conn_uids for files.log entries (idaholab#33)
* Modify Zeek build chain to use default GCC compilers instead of LLVM/clang, which reduces build dependencies
* Use Firefox instead of Chromium for browser in ISO-installed versions of Malcolm and in Hedgehog Linux
* Updated copyright notices in text from "2020" to "2021" (which is the bulk of the changed files in this commit)
* Version bumps
  * Yara to 4.0.4

mmguero commented Feb 5, 2021

Released in Malcolm v2.6.1. The fix mainly pertains to switching the build chain from llvm to gcc

@mmguero mmguero closed this as completed Feb 5, 2021
@mmguero mmguero added this to Done in Malcolm Feb 5, 2021