[Bro] NTP Analyzer not working as expected

Young, Robert (ryoung16) ryoung16 at harris.com
Thu Jan 7 12:55:02 PST 2016

This was the response I received

Robert Young
Senior Network Engineer/Team Lead, Terrestrial Network Engineering, Shared Services
Office: +1-832-668-2635 / Mobile: +1-281-701-9684

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Seth Hall
Sent: Thursday, January 07, 2016 10:05 AM
To: Robert Young <rfjl12345 at gmail.com>
Cc: bro at bro.org
Subject: Re: [Bro] NTP Analyzer not working as expected

> On Jan 6, 2016, at 8:17 PM, Robert Young <rfjl12345 at gmail.com> wrote:
> Hi Guys, I am trying to detect hosts that are ntp clients to verify they are not also acting as a server.  I have set up the basic script as seen below using event ntp_msg().  When I run the code I see the msg code for client(3) and server(4) as expected.  But what does not look correct is the orig_h is the same for both the request from the client and the response from the server.  In this test the client is and the server is 172.16.1.41.  Anyone have any ideas of what I may have missed? Or have I hit a bug?

Bro “sessionizes” UDP traffic.  What you are seeing is the result of that.  The assumption is the first to speak is the originator of the “connection”.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
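Seth's point, modelled as an added Python example (mine, not code from either poster and not Bro's own implementation): a UDP sessionizer that makes the first sender orig_h for the whole flow, next to the naive per-orig_h attribution the question used and a version that credits each message to its actual sender using the NTP mode code. The per-message direction flag (is_orig) and the datagrams are constructed assumptions, not anything the thread shows.

```python
from collections import namedtuple

# Constructed NTP datagrams; mode 3 = client request, mode 4 = server reply.
Datagram = namedtuple("Datagram", "src_ip src_port dst_ip dst_port mode")
ROLE = {3: "client", 4: "server"}

def conn_key(d):
    """Bidirectional UDP 5-tuple, so request and reply share one key."""
    a, b = (d.src_ip, d.src_port), (d.dst_ip, d.dst_port)
    return ("udp",) + (a + b if a <= b else b + a)

def sessionize(datagrams):
    """Mimic Bro's UDP sessionizing: whoever speaks first in a flow is orig_h
    for every later message; is_orig carries the per-message direction."""
    conns, events = {}, []
    for d in datagrams:
        c = conns.setdefault(conn_key(d), {"orig_h": d.src_ip, "resp_h": d.dst_ip})
        events.append({"orig_h": c["orig_h"], "resp_h": c["resp_h"],
                       "is_orig": d.src_ip == c["orig_h"], "mode": d.mode})
    return events

def roles_by_orig_h(events):
    """The approach from the question: credit every message to orig_h. The
    server's reply is then booked against the client, which is the symptom seen."""
    roles = {}
    for e in events:
        roles.setdefault(e["orig_h"], set()).add(ROLE[e["mode"]])
    return roles

def roles_by_sender(events):
    """Credit each message to its actual sender (orig_h only when is_orig) and
    take the role from the NTP mode, so who spoke first no longer matters."""
    roles = {}
    for e in events:
        sender = e["orig_h"] if e["is_orig"] else e["resp_h"]
        roles.setdefault(sender, set()).add(ROLE[e["mode"]])
    return roles

def dual_role_hosts(roles):
    """Hosts seen both asking for time and answering for it."""
    return {h for h, r in roles.items() if r >= {"client", "server"}}

SAMPLE = [  # constructed traffic; 172.16.1.41 is the server from the thread
    Datagram("192.0.2.10", 123, "172.16.1.41", 123, 3),  # request
    Datagram("172.16.1.41", 123, "192.0.2.10", 123, 4),  # reply
    Datagram("172.16.1.41", 123, "192.0.2.20", 123, 4),  # reply seen first:
    Datagram("192.0.2.20", 123, "172.16.1.41", 123, 3),  # capture started late
    Datagram("192.0.2.30", 123, "172.16.1.41", 123, 3),  # .30 asks .41 ...
    Datagram("192.0.2.40", 123, "192.0.2.30", 123, 3),
    Datagram("192.0.2.30", 123, "192.0.2.40", 123, 4),   # ... and answers .40
]
```

Run `roles_by_orig_h(sessionize(SAMPLE))` and every host that spoke first in a flow picks up both roles, while `roles_by_sender` leaves only 192.0.2.30 as a genuine client-and-server.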
