Is the LDAP keyword available right now?

Hello Suricata team.
I am trying to use the ldap keyword in my ruleset, so I copied this rule from the Suricata documentation:

alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)

But I get an error when I run Suricata with this rule:

Error: detect-parse: unknown rule keyword 'ldap.request.operation'. [SigParseOptions:detect-parse.c:898]
Error: detect: error parsing signature "alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1047 [DetectLoadSigFile:detect-engine-loader.c:182]
Error: suricata: Loading signatures failed. [LoadSignatures:suricata.c:2409]

Here is my Suricata version:

This is Suricata version 8.0.0-dev (11bf3e16e 2024-11-07)

Hello there,

Could you please share the whole command you’ve used to run Suricata, and more of the output, not just the error?

I just tried using that same rule with one of the LDAP pcaps we have in our Suricata-Verify testing suite, and that worked.

Thanks in advance.

Thanks for your reply. The command is very simple:

sudo suricata -T

And the full suricata.log content:

[383309 - Suricata-Main] 2025-02-27 09:32:07 Notice: suricata: This is Suricata version 8.0.0-dev (11bf3e16e 2024-11-07) running in SYSTEM mode
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: cpu: CPUs/cores online: 18
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: suricata: Running suricata under test mode
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: suricata: Setting engine mode to IDS mode by default
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: exception-policy: master exception-policy set to: auto
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: eve-log output device (regular) initialized: alert.json
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: eve-log output device (regular) initialized: flow.json
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: stats output device (regular) initialized: stats.log
[383309 - Suricata-Main] 2025-02-27 09:32:07 Error: detect-parse: unknown rule keyword 'ldap.request.operation'.
[383309 - Suricata-Main] 2025-02-27 09:32:07 Error: detect: error parsing signature "alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1047
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: detect: 9 rule files processed. 1553 rules successfully loaded, 1 rules failed, 0 rules skipped
[383309 - Suricata-Main] 2025-02-27 09:32:07 Error: suricata: Loading signatures failed.

Sorry, I’m foolish :sweat_smile:. I just pulled the latest Suricata code and ran it again. It works!

No foolishness! I see that I should also have noticed that the date of that 8 version was also prior to the merging of that keyword.

I’m glad you got it sorted out :slight_smile:

Thanks @haoranli, let us know which ldap keywords you would like in Task #7452: ldap: add keywords to match output - Suricata - Open Information Security Foundation
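
A pre-flight check for the situation in this thread, as an added example (not code from the thread or from the Suricata project): it compares the keywords a rule uses against the list the installed build reports via `suricata --list-keywords`, so a rule written for a newer build is caught before `suricata -T` fails. The sample listing is constructed, and its layout (a header line followed by `- name` lines) is an assumption about that command's output; the function names are hypothetical.

```python
import re
import subprocess

# Constructed sample of `suricata --list-keywords` output from a build without
# the LDAP keywords (assumed format: a header line, then "- <name>" lines).
SAMPLE_OLD_BUILD = """\
=====Supported keywords=====
- msg
- sid
- content
- flow
"""

RULE = ('alert ldap any any -> any any (msg:"Test LDAP bind request"; '
        'ldap.request.operation:0; sid:1;)')


def parse_supported(listing):
    """Return the keyword names found in --list-keywords output."""
    # Entries annotated "(not built-in)" are treated as unavailable.
    return {line[2:].split()[0] for line in listing.splitlines()
            if line.startswith("- ") and line[2:].strip()
            and "(not built-in)" not in line}


def rule_keywords(rule):
    """Return the option keywords of one rule, in order of appearance."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    # Blank out quoted values so a ';' or ':' inside msg/content strings is
    # not mistaken for an option separator.
    body = re.sub(r'"(?:\\.|[^"\\])*"', '""', body)
    names = (opt.split(":", 1)[0].strip() for opt in body.split(";"))
    return [name for name in names if name]


def unsupported(rule, supported):
    """Keywords the rule uses that are missing from this build's list."""
    return [kw for kw in rule_keywords(rule) if kw not in supported]


def supported_by_local_build(binary="suricata"):
    """Query the installed binary (assumes Suricata is on PATH)."""
    result = subprocess.run([binary, "--list-keywords"],
                            capture_output=True, text=True, check=True)
    return parse_supported(result.stdout)


if __name__ == "__main__":
    print(unsupported(RULE, parse_supported(SAMPLE_OLD_BUILD)))
```

On a host with Suricata installed, pass `supported_by_local_build()` as the second argument to `unsupported()` instead of the constructed sample.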