How do I identify insecure LDAP connections?


I'm trying to identify insecure connections to our LDAP server. We're using OpenLDAP, and I want to exclude connections which use STARTTLS or port 636.

Tags (3)
0 Karma


I found a possible solution using the ssf value (security strength factor). When StartTLS or SSL is used, the ssf is greater than 0. But the ssf value is logged as 0 at other points when the connection is secure. By finding connections where ssf < 128, you can filter out the secure connections.

source="YOUR-LDAP-SOURCE" | transaction conn maxpause=5m | search ssf<128 | top uid

By using the transaction command you can group the individual connection sequences by the conn attribute, then search for those with a lower ssf AES bit encryption.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...