  • Locked thread
Demonachizer
Aug 7, 2004
I am looking for a good way to log the complete LDAP conversation when a client attempts to authenticate. I think I have found some ways to do this from the client, but I really need to do it on the server side so I can detect certain behaviors that are anomalous. Also, an unfortunate issue is that whatever program it is, it has to be freely available and not behind a login. It can be a free trial, as it would only be used once.

I can use Splunk if that is useful for this. The curve for configuration is a little rough but if someone has experience with it being useful for this I will try it.


Partycat
Oct 25, 2004

tcpdump or Wireshark will work if it's not LDAPS. If it is, you would need to get the certificate added to Wireshark for the decode, or see if there is verbose logging output for the LDAP daemon.
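As an added defender-side example (not code from either poster), here is a minimal Python decoder for the LDAP bind request/response messages found in a plain-LDAP (tcp/389) capture like the one suggested above; it pairs each BindResponse with its BindRequest by messageID and tallies failed binds per DN. The sample messages, the DN and the passwords inside them are constructed for the example. Simple binds over unencrypted LDAP carry the password in cleartext, so the decoder deliberately never reads the credential field.

```python
def tlv(tag, value):  # minimal BER encoder (lengths < 128), only used to build the constructed samples
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos -> (tag, value, next_pos); handles short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(value):  # split a constructed value into its child (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_bind(raw):
    """Decode an LDAPMessage carrying a BindRequest or BindResponse; the credential field is never read."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, mid), (op_tag, op) = read_seq(body)[:2]
    msg = {"id": int.from_bytes(mid, "big", signed=True), "op": f"protocolOp 0x{op_tag:02x}"}
    if op_tag == 0x60:  # [APPLICATION 0] BindRequest: version, name, authentication
        version, name, auth = read_seq(op)[:3]
        msg.update(op="bindRequest", version=version[1][0], dn=name[1].decode(), auth={0x80: "simple", 0xA3: "sasl"}.get(auth[0], "other"))
    elif op_tag == 0x61:  # [APPLICATION 1] BindResponse: resultCode, matchedDN, diagnosticMessage
        code, _matched, diag = read_seq(op)[:3]
        msg.update(op="bindResponse", result=int.from_bytes(code[1], "big"), diag=diag[1].decode())
    return msg

def failed_binds(messages):
    """Pair each response with its request by messageID and count non-success binds per DN."""
    requests, fails = {}, {}
    for m in map(parse_bind, messages):
        if m["op"] == "bindRequest":
            requests[m["id"]] = m["dn"]
        elif m["op"] == "bindResponse" and m["result"] != 0:
            dn = requests.get(m["id"], "<unknown>")
            fails[dn] = fails.get(dn, 0) + 1
    return fails

# Constructed sample traffic: one simple bind that fails with resultCode 49 (invalidCredentials).
DN = b"cn=svc-backup,dc=corp,dc=example"
SAMPLE = [
    tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, DN) + tlv(0x80, b"hunter2"))),
    tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"invalid credentials"))),
]
```

On real traffic, feed it the reassembled TCP payloads for port 389 and key the request/response pairing on (client address, port, messageID), since messageIDs are only unique per connection.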

Demonachizer
Aug 7, 2004

Partycat posted:

tcpdump or Wireshark will work if it's not LDAPS. If it is, you would need to get the certificate added to Wireshark for the decode, or see if there is verbose logging output for the LDAP daemon.

I won't know in advance if it is LDAPS or LDAP but I am assuming LDAP. I sort of wanted to approach it on the DC itself just to avoid any issues.

Is the Wireshark learning curve tough for LDAP monitoring? I can use it for DNS and web stuff pretty well, but I just haven't messed with LDAP yet.

Essentially, I will be in an unknown environment that has a group of people attacking mostly Linux systems. There will likely be some attacks against an additional Windows AD infrastructure that hosts DNS and some other services, so it seems like being able to analyze authentication against AD might allow for some insight as to what accounts may be compromised and also what is being attacked.
