[bro] WeirdActivity truncated_NTP pb ?

rmkml rmkml at wanadoo.fr
Sat Jan 8 06:48:38 PST 2005


Hi,

Happy New Year,

I have this event:

1105106060.883849:WeirdActivity:NOTICE_ALARM_ALWAYS:::::::::::truncated_NTP 
x.x.x.x/32785 > 157.99.64.66/123:

but the NTP request is not truncated:

$ tcpdump383 -vvnSlr bro_truncated_ntp.pcap
14:54:20.883849 IP (tos 0x0, ttl  63, id 42724, offset 0, flags [DF], 
length: 40) x.x.x.x.32785 > 157.99.64.66.123: [udp sum ok] 
[len=12]NTPv2 res1, strat 2, poll 0, prec 1 dist 0.000000, disp 0.000000 
[|ntp]

$ tcpdump372 -vvnSlr bro_truncated_ntp.pcap
14:54:20.883849 x.x.x.x.32785 > 157.99.64.66.123: [udp sum ok] 
[len=12] v2 res1 strat 2 poll 0 prec 1 dist 0.000000 disp 0.000000 ref 
0.0.0.0 [|ntp] (DF) (ttl 63, id 42724, len 40)

$ tethereal0101 -ta -nr bro_truncated_ntp.pcap
   1 14:54:20.883849 x.x.x.x -> 157.99.64.66 NTP NTP control

$ tethereal0101 -ta -Vnr bro_truncated_ntp.pcap
...
     Fragment offset: 0
     Time to live: 63
     Protocol: UDP (0x11)
     Header checksum: 0x5681 (correct)
     Source: x.x.x.x (x.x.x.x)
     Destination: 157.99.64.66 (157.99.64.66)
User Datagram Protocol, Src Port: 32785 (32785), Dst Port: 123 (123)
     Source port: 32785 (32785)
     Destination port: 123 (123)
     Length: 20
     Checksum: 0x2ad7 (correct)
Network Time Protocol
     Flags: 0x16
         00.. .... = Leap Indicator: no warning (0)
         ..01 0... = Version number: reserved (2)
         .... .110 = Mode: reserved for NTP control message (6)
     Flags 2: 0x02
         0... .... = Response bit: Request (0)
         .0.. .... = Error bit: 0
         ..0. .... = More bit: 0
         ...0 0010 = Opcode: READVAR (2)

False positive?

I'm using bro09a7 on FreeBSD 4.10 with "bro.init mt".
I'm using the default rules/conf.

Regards

Rmkml at Wanadoo.fr
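The decode above shows a 12-byte NTP mode 6 control message (flags 0x16: LI 0, version 2, mode 6; flags 2 0x02: request, opcode READVAR). A 12-byte control header is complete on its own, whereas a mode 1-5 time packet is 48 bytes, so a length check that expects 48 bytes for every NTP packet will call this one truncated. The following is an added example, not code from the post or from Bro, contrasting a hypothetical length-only check with a mode-aware one; the 12-byte payload is constructed from the field values in the tethereal output, and the 48-byte client request is a constructed sample.

```python
import struct

# Lengths the two checks below rely on (assumed fixed-header sizes, no extension fields or MAC).
NTP_TIME_PACKET_LEN = 48      # mode 1..5 time packet: 48-byte fixed header
NTP_CONTROL_HEADER_LEN = 12   # mode 6 control message: 12-byte header + 'count' data bytes

CONTROL_OPCODES = {
    1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
    5: "WRITECLOCK", 6: "SETTRAP", 7: "ASYNCMSG",
}


def parse_ntp(payload: bytes) -> dict:
    """Parse an NTP UDP payload just far enough to judge truncation for its own mode."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    info = {
        "li": first >> 6,               # leap indicator, top 2 bits
        "version": (first >> 3) & 0x7,  # version number, next 3 bits
        "mode": first & 0x7,            # mode, low 3 bits (6 = control message)
        "length": len(payload),
    }
    if info["mode"] == 6:
        if len(payload) < NTP_CONTROL_HEADER_LEN:
            info["truncated"] = True    # not even a full control header
            return info
        flags2, seq, status, assoc, offset, count = struct.unpack(
            "!BHHHHH", payload[1:NTP_CONTROL_HEADER_LEN])
        info.update({
            "response": bool(flags2 & 0x80),
            "error": bool(flags2 & 0x40),
            "more": bool(flags2 & 0x20),
            "opcode": flags2 & 0x1F,
            "opcode_name": CONTROL_OPCODES.get(flags2 & 0x1F, "unknown"),
            "sequence": seq, "status": status, "association_id": assoc,
            "offset": offset, "count": count,
        })
        # A control message is complete once the header plus 'count' data bytes are present.
        info["truncated"] = len(payload) < NTP_CONTROL_HEADER_LEN + count
    else:
        info["truncated"] = len(payload) < NTP_TIME_PACKET_LEN
    return info


def naive_truncated(payload: bytes) -> bool:
    """Hypothetical length-only check: flags anything shorter than a 48-byte time packet."""
    return len(payload) < NTP_TIME_PACKET_LEN


def classify(payload: bytes) -> dict:
    """Run both checks so the disagreement on control messages is visible."""
    parsed = parse_ntp(payload)
    return {
        "mode": parsed["mode"],
        "mode_aware_truncated": parsed["truncated"],
        "naive_truncated": naive_truncated(payload),
    }


# Constructed 12-byte payload matching the tethereal decode in the post:
# flags 0x16 (LI 0, VN 2, mode 6), flags2 0x02 (request, opcode READVAR), remaining fields zero.
CONTROL_READVAR = bytes.fromhex("1602" + "0000" * 5)

# Constructed 48-byte mode 3 client request: first byte 0x23 (LI 0, VN 4, mode 3), rest zero.
CLIENT_REQUEST = bytes([0x23]) + bytes(47)

if __name__ == "__main__":
    for name, pkt in [("control READVAR", CONTROL_READVAR),
                      ("client request", CLIENT_REQUEST),
                      ("client request cut to 40 bytes", CLIENT_REQUEST[:40])]:
        print(name, classify(pkt))
```

For the 12-byte READVAR request the naive check reports truncated while the mode-aware check does not, which is the shape of the disagreement in the post; whether Bro's NTP analyzer actually uses a fixed 48-byte minimum is not something the post settles, so that part is an assumption of the example.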