Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I identify insecure LDAP connections?

saltybeagle
Explorer
‎06-12-2013 10:19 AM

I'm trying to identify insecure connections to our LDAP server. We're using OpenLDAP, and I want to exclude connections which use STARTTLS or port 636.

Tags (3)
0 Karma
Reply

saltybeagle
Explorer
‎06-12-2013 10:25 AM

I found a possible solution using the ssf value (security strength factor). When StartTLS or SSL is used, the ssf is greater than 0. But the ssf value is logged as 0 at other points when the connection is secure. By finding connections where ssf < 128, you can filter out the secure connections.

source="YOUR-LDAP-SOURCE" | transaction conn maxpause=5m | search ssf<128 | top uid

By using the transaction command you can group the individual connection sequences by the conn attribute, then search for those with a lower ssf AES bit encryption.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...