LDAP Parser Options File

Document created by RSA Information Design and Development on Nov 28, 2017. Last modified by RSA Information Design and Development on Nov 15, 2018.
Version 55

Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.

Note the following:

  • If you deploy the options file, it can be found in the same directory as parsers: /etc/netwitness/ng/parsers/.
  • The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
  • If you do not have an options file (or if your options file is invalid), the parser uses the default settings.

Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.

By default, the LDAP parser only parses the username and password if the port is 389. The options file allows parsing from any specified port, and exposes a few other settings.

The LDAP_options file contains the following options for controlling the parser:

  • ports
  • idOnly
  • parseResponses

To change an option from false to true, edit the line inside the corresponding function, from

return false

to

return true

To go from true to false, make the reverse edit.

ports

Default value: "389, 686"

Specifies the ports on which to look for LDAP sessions. The value should be a comma- or space-delimited list of port numbers. For example:

"389, 686"

LDAP sessions on ports other than those listed will not be identified, nor parsed.

idOnly

Default value: false

If enabled, LDAP sessions will be identified but no meta will be extracted. This may improve overall system performance.

If enabled, the parseResponses option is ignored.

Note: Modifying this option requires a service restart to take effect; a simple parser reload is insufficient.

parseResponses

Default value: false

By default, meta is not extracted from LDAP responses. If you enable this option (set its value to true), meta will be extracted from LDAP responses. Note that this will result in a greater amount of meta, and may decrease overall system performance.

If enabled, the meta goes to ldap.response, which is a non-standard key.
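A pre-deployment check for the three options described above, as an added example that is not RSA's code. It assumes the options file defines one Lua function per option, each holding a single return line; that layout, the names `review` and `parse_ports`, and the sample file are constructed for illustration.

```python
import re

OPTIONS = ("ports", "idOnly", "parseResponses")  # option names from this page
# Assumed layout: one Lua function per option holding a single `return <value>` line.
FUNC = re.compile(r"function\s+(\w+)\s*\(\s*\)(.*?)\bend\b", re.S)
RETURN = re.compile(r"^\s*return\s+(.+?)\s*$", re.M)

def parse_ports(value):
    """Split a comma- or space-delimited port list; ValueError if malformed."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if not tokens:
        raise ValueError("empty port list")
    for tok in tokens:
        if not tok.isdigit() or not 1 <= int(tok) <= 65535:
            raise ValueError(f"not a port number: {tok!r}")
    return sorted({int(t) for t in tokens})

def review(text):
    """Return (settings, findings) for the text of an options file."""
    code = re.sub(r"--[^\n]*", "", text)  # drop Lua line comments
    found = {}
    for name, body in FUNC.findall(code):
        ret = RETURN.search(body)
        if name in OPTIONS and ret:
            found[name] = ret.group(1)
    findings = [f"{k}: not defined in file" for k in OPTIONS if k not in found]
    settings = {}
    if "ports" in found:
        quoted = re.fullmatch(r"([\"'])(.*)\1", found["ports"])
        try:
            if not quoted:
                raise ValueError("value is not a quoted string")
            settings["ports"] = parse_ports(quoted.group(2))
            if 389 not in settings["ports"]:
                findings.append("ports: 389 not listed, so LDAP on 389 is neither identified nor parsed")
        except ValueError as exc:
            findings.append(f"ports: {exc}")
    for key in ("idOnly", "parseResponses"):
        if key in found and found[key] in ("true", "false"):
            settings[key] = found[key] == "true"
        elif key in found:
            findings.append(f"{key}: expected true or false, got {found[key]!r}")
    if settings.get("idOnly") and settings.get("parseResponses"):
        findings.append("parseResponses: ignored while idOnly is enabled")
    return settings, findings

# Constructed sample file: layout assumed, values chosen for illustration.
SAMPLE = ('function ports()\n    return "636 10389"\nend\n'
          "function idOnly()\n    return true -- identify only\nend\n"
          "function parseResponses()\n    return true\nend\n")
```

Running `review(SAMPLE)` reports both a coverage gap (port 389 dropped from the list) and the idOnly/parseResponses conflict before the file is copied to the parsers directory.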
