[bro] WeirdActivity truncated_NTP pb ?
Christian Kreibich
christian at whoop.org
Sat Jan 8 11:38:12 PST 2005
On Sat, 2005-01-08 at 15:48 +0100, rmkml wrote:
> Hi,
>
> Happy New Year,
>
> I have this event :
>
> 1105106060.883849:WeirdActivity:NOTICE_ALARM_ALWAYS:::::::::::truncated_NTP
> x.x.x.x/32785 > 157.99.64.66/123:
>
> but ntp request is not trunc :
>
> $ tcpdump383 -vvnSlr bro_truncated_ntp.pcap
> 14:54:20.883849 IP (tos 0x0, ttl 63, id 42724, offset 0, flags [DF],
> length: 40) x.x.x.x.32785 > 157.99.64.66.123: [udp sum ok]
> [len=12]NTPv2 res1, strat 2, poll 0, prec 1 dist 0.000000, disp 0.000000
> [|ntp]
^^^^^^
Yes it is ... your output indicates that your trace contains truncated
NTP packets. Presumably you fed this trace to Bro...
From the tcpdump manpage: "Packets truncated because of a limited
snapshot are indicated in the output with ``[|proto]'', where proto is
the name of the protocol level at which the truncation has occurred."
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
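
An added example, not part of the original message or of Bro: a Python check that separates two ways an NTP parser can run out of bytes, a pcap record whose captured length is below its wire length (the snapshot-limit case the tcpdump manpage describes) and a fully captured UDP/123 datagram whose payload is shorter than the NTP header. The function names, the 48-byte header constant and the sample frames are assumptions constructed for illustration.

```python
import struct

NTP_MIN_LEN = 48  # fixed NTP header size; taken from the NTP spec, not from the post

def check_frame(frame, incl_len, orig_len):
    """Classify one Ethernet frame from a pcap record."""
    if incl_len < orig_len:
        return "capture-truncated"      # snaplen cut the frame short on disk
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return "not-ipv4-udp"
    ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
    if len(frame) < 14 + ihl + 8:
        return "not-ipv4-udp"
    sport, dport, udp_len, _ = struct.unpack_from("!HHHH", frame, 14 + ihl)
    if 123 not in (sport, dport):
        return "not-ntp"
    return "short-ntp-payload" if udp_len - 8 < NTP_MIN_LEN else "ok"

def classify(pcap_bytes):
    """Return one verdict per record of a little-endian, Ethernet-linktype pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    verdicts, off = [], 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        verdicts.append(check_frame(frame, incl_len, orig_len))
        off += 16 + incl_len
    return verdicts

# --- constructed sample data (not the trace from the post) ---
def ntp_frame(payload_len):
    """Ethernet/IPv4/UDP frame to port 123 with a zero-filled payload."""
    udp = struct.pack("!HHHH", 32785, 123, 8 + payload_len, 0) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 63, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes(12) + b"\x08\x00" + ip + udp

def build_pcap(frames, snaplen=65535):
    """Write frames into an in-memory pcap, cutting each at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

if __name__ == "__main__":
    print(classify(build_pcap([ntp_frame(48), ntp_frame(12)])))
    print(classify(build_pcap([ntp_frame(48), ntp_frame(12)], snaplen=68)))
```

`ntp_frame(12)` has the same sizes as the packet in the quoted tcpdump output (IP length 40, UDP payload 12).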