12-08-2021 10:45 AM
Hello all
I'm trying to catch suspicious ldap queries (recon activity).
For the example I want catch this kind of querie : (primaryGroupID=512)
I tried to make a custom rule. However for ldap, there are only 2 possibilities:
- ldap-req-searchrequest-baseobject
- ldap-rsp-searchresentry-objectname
both of them don't fit my needs cause they don't match the filter field.
I tried with unknown-req-tcp-payload but it did not work. Reading the forum I understood that I can't use this context since ldap is seen as a known application.
https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-paylo...
So I'm running out of ideas to catch this kind of request.
If somebody have a tips
Thank's
01-13-2022 12:59 AM - edited 01-13-2022 01:00 AM
Please see if this helps as this is new feature in 10.0 with the enhanced signature match:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
