[Bro] NTP Analyzer not working as expected

Seth Hall seth at icir.org
Thu Jan 7 08:04:32 PST 2016

> On Jan 6, 2016, at 8:17 PM, Robert Young <rfjl12345 at gmail.com> wrote:
> Hi Guys, I am trying to detect hosts that are ntp clients to verify they are not also acting as a server.  I have setup the basic script as seen below using event ntp_msg().  When I run the code I see the msg code for client(3) and server(4) as expected.  But what does not look correct is the orig_h is the same for both the request from the client and the response from the server.  In this test the client is and they server is 172.16.1. 41  Anyone have any ideas of what I may have missed ? or have I hit a bug ?

Bro “sessionizes” UDP traffic.  What you are seeing is the result of that.  The assumption is the first to speak is the originator of the “connection”.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list