I am looking for a good way to log the complete LDAP conversation when a client attempts to authenticate. I think I have found some ways to do this from the client, but I really need to do it on the server side so I can detect certain behaviors that are anomalous. Also, an unfortunate issue is that whatever program it is, it has to be freely available and not behind a login. It can be a free trial, as it would only be used once. I can use Splunk if that is useful for this. The curve for configuration is a little rough, but if someone has experience with it being useful for this I will try it.
# ? Oct 29, 2015 11:50
# ? Mar 29, 2024 14:35
tcpdump or Wireshark will work if it's not LDAPS. If it is, you would need to get the certificate added to Wireshark for the decode, or see if there is verbose logging output for the LDAP daemon.
# ? Oct 29, 2015 13:42
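To make the "capture it with tcpdump" suggestion concrete on the analysis side, here is an added example (not code from anyone in the thread) that decodes the part of an LDAP conversation the original poster cares about: the BindRequest/BindResponse pairs, as they appear on the wire in plain LDAP (RFC 4511, BER encoded). The sample messages are constructed inline with a small encoder so the script runs offline; in practice the input bytes would be the TCP payloads from a port 389 capture (for example one written with `tcpdump -w`), reassembled per connection. The DNs, mechanism name and result codes in the samples are made up, and the two detections (unauthenticated simple binds and repeated invalidCredentials for one account) are illustrative choices, not a complete detection set.

```python
"""Minimal LDAP BER decoder for bind traffic plus two example detections.

Added example, not part of the original thread. Sample messages below are
constructed by the encoder in this file, not taken from a real capture.
"""
from collections import Counter

# ---- BER helpers ------------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """Encode one TLV, using the long length form when needed."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Tags used by LDAPMessage / BindRequest / BindResponse (RFC 4511 section 4)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61    # [APPLICATION 0], [APPLICATION 1]
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3         # AuthenticationChoice [0] and [3]
RESULT_NAMES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}

def parse_ldap_message(buf):
    """Decode one LDAPMessage; only bind operations are fully decoded."""
    tag, body, _ = read_tlv(buf)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    msg = {"messageID": int.from_bytes(mid, "big", signed=True)}
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == BIND_REQUEST:
        _, ver, p = read_tlv(op)                 # version INTEGER (1..127)
        _, name, p = read_tlv(op, p)             # name LDAPDN (OCTET STRING)
        auth_tag, auth, _ = read_tlv(op, p)      # authentication CHOICE
        msg.update(op="bindRequest", version=int.from_bytes(ver, "big"),
                   name=name.decode("utf-8"))
        if auth_tag == AUTH_SIMPLE:              # password travels in the clear
            msg.update(auth="simple", credential_len=len(auth))
        elif auth_tag == AUTH_SASL:              # SaslCredentials ::= SEQUENCE {mechanism, ...}
            _, mech, _ = read_tlv(auth)
            msg.update(auth="sasl", mechanism=mech.decode("ascii"))
        else:
            msg.update(auth="unknown(0x%02x)" % auth_tag)
    elif op_tag == BIND_RESPONSE:
        _, rc, p = read_tlv(op)                  # resultCode ENUMERATED
        _, _, p = read_tlv(op, p)                # matchedDN (ignored here)
        _, diag, _ = read_tlv(op, p)             # diagnosticMessage
        code = int.from_bytes(rc, "big")
        msg.update(op="bindResponse", resultCode=code,
                   result=RESULT_NAMES.get(code, str(code)), diagnostic=diag.decode("utf-8"))
    else:
        msg.update(op="other(0x%02x)" % op_tag)
    return msg

# ---- Encoder used only to build constructed sample traffic ------------------
def bind_request(msg_id, dn, password=b"", sasl_mech=None):
    if sasl_mech is not None:
        auth = tlv(AUTH_SASL, tlv(OCTET_STRING, sasl_mech.encode("ascii")))
    else:
        auth = tlv(AUTH_SIMPLE, password)
    op = tlv(BIND_REQUEST, tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, dn.encode("utf-8")) + auth)
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + op)

def bind_response(msg_id, code, diag=b""):
    op = tlv(BIND_RESPONSE, tlv(ENUMERATED, bytes([code])) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag))
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + op)

# Hand-encoded BindRequest (messageID 1, v3, cn=admin,dc=example,dc=com, password "secret")
SAMPLE_BIND_HEX = ("302c020101602702010304" "1a636e3d61646d696e2c64633d6578616d706c652c64633d636f6d"
                   "8006736563726574")

def sample_conversation():
    """Constructed server-side view of several bind exchanges (made-up names)."""
    msgs = [bind_request(1, "cn=admin,dc=example,dc=com", b"secret"), bind_response(1, 0),
            bind_request(2, "svc-backup@corp.local", sasl_mech="GSS-SPNEGO"), bind_response(2, 0)]
    for i in (3, 4, 5):                          # three wrong passwords for one account
        msgs += [bind_request(i, "jsmith@corp.local", b"guess%d" % i),
                 bind_response(i, 49, b"80090308: LdapErr: DSID-0C0903A9")]
    msgs += [bind_request(6, "jsmith@corp.local", b""), bind_response(6, 0)]  # name, empty password
    return msgs

def summarize_binds(messages, fail_threshold=3):
    """Pair requests with responses by messageID and flag two anomalous patterns."""
    pending, auth_methods, failures, findings = {}, Counter(), Counter(), []
    for raw in messages:
        m = parse_ldap_message(raw)
        if m["op"] == "bindRequest":
            pending[m["messageID"]] = m
            auth_methods[m.get("mechanism", m["auth"])] += 1
            if m["auth"] == "simple" and m["name"] and m["credential_len"] == 0:
                # RFC 4513 5.1.2: non-empty name + empty password is an "unauthenticated"
                # bind that some servers treat as anonymous; applications often mishandle it.
                findings.append("unauthenticated simple bind as %r (msg %d)" % (m["name"], m["messageID"]))
        elif m["op"] == "bindResponse":
            req = pending.pop(m["messageID"], None)
            if req and m["resultCode"] == 49:
                failures[req["name"]] += 1
    for dn, n in failures.items():
        if n >= fail_threshold:
            findings.append("%d invalidCredentials for %r: possible password guessing" % (n, dn))
    return auth_methods, failures, findings

if __name__ == "__main__":
    for line in summarize_binds(sample_conversation())[2]:
        print(line)
```

Two things the decoder makes visible that a per-event log line usually does not: which bind mechanism each client actually used (every `simple` entry in `auth_methods` is a password sent in cleartext on port 389), and the request/response pairing by messageID, which is what lets you attribute a failure to the DN that was tried. Extending it to other operations is a matter of adding their APPLICATION tags; the TLV helper is the same.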
Partycat posted:
> tcpdump or Wireshark will work if it's not LDAPS. If it is, you would need to get the certificate added to Wireshark for the decode, or see if there is verbose logging output for the LDAP daemon.

I won't know in advance if it is LDAPS or LDAP, but I am assuming LDAP. I sort of wanted to approach it on the DC itself just to avoid any issues. Is the Wireshark learning curve tough for LDAP monitoring? I can use it for DNS and web stuff pretty well but just haven't messed with LDAP yet. Essentially I will be in an unknown environment that has a group of people attacking mostly Linux systems. There will likely be some attacks against an additional Windows AD infrastructure that hosts DNS and some other services, so it seems like being able to analyze authentication against AD might allow for some insight as to what accounts may be compromised and also what is being attacked.
# ? Oct 29, 2015 16:00