Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I identify insecure LDAP connections?

saltybeagle
Explorer
‎06-12-2013 10:19 AM

I'm trying to identify insecure connections to our LDAP server. We're using OpenLDAP, and I want to exclude connections which use STARTTLS or port 636.

Tags (3)
0 Karma
Reply

saltybeagle
Explorer
‎06-12-2013 10:25 AM

I found a possible solution using the ssf value (security strength factor). When StartTLS or SSL is used, the ssf is greater than 0. But the ssf value is logged as 0 at other points when the connection is secure. By finding connections where ssf < 128, you can filter out the secure connections.

source="YOUR-LDAP-SOURCE" | transaction conn maxpause=5m | search ssf<128 | top uid

By using the transaction command you can group the individual connection sequences by the conn attribute, then search for those with a lower ssf AES bit encryption.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...