[Bro] NTP Analyzer not working as expected

Robert Young rfjl12345 at gmail.com
Wed Jan 6 17:17:40 PST 2016


Hi Guys, I am trying to detect hosts that are NTP clients to verify they
are not also acting as a server.  I have set up the basic script as seen
below using event ntp_msg().  When I run the code I see the msg code for
client (3) and server (4) as expected.  But what does not look correct is
that the orig_h is the same for both the request from the client and the
response from the server.  In this test the client is 172.16.1.7 and the
server is 172.16.1.41.  Anyone have any ideas of what I may have missed? Or
have I hit a bug?

Regards,
Robert


Debug output:
>>>>>>>>>>>>>>>>>>>>
ID:=, 1229867348
orig_h=, 172.16.1.7
resp_host=, 172.16.1.41
msg code=, 3
excess=,
 <<<<<<<<<<<<<<<<<<
>>>>>>>>>>>>>>>>>>>>
ID:=, 2733850379
orig_h=, 172.16.1.7
resp_host=, 172.16.1.41
msg code=, 4
excess=,
 <<<<<<<<<<<<<<<<<<



Code:

module NTP;

export {
        redef enum Log::ID += { LOG };

        redef enum Notice::Type += {
                NTP_ALARM,
                NTP_Monlist_Queries,
        };

        type ntp_record: record {
                ts: time &log;
                uid: string &log;
                orig: addr &log;
                resp: addr &log;
                refid: count &default=0 &log;
                code: count &default=0 &log;
                stratum: count &default=0 &log;
                poll: count &default=0 &log;
                precision: int &default=to_int("0") &log;
                #distance: interval;
                #dispersion: interval;
                reftime: time &log;
                #orig: time;
                #rec: time;
                #xmt: time;
                excess: string &default="NULL" &log;
        };

        # The code value maps to the NTP mode type - for now I am mostly
        # interested in control messages.
        #
        # Mode  Description
        # 0     reserved.
        # 1     Symmetric active.
        # 2     Symmetric passive.
        # 3     Client.
        # 4     Server.
        # 5     Broadcast.
        # 6     NTP control message.
        # 7     private use.
        const NTP_RESERVED = 0;
        const NTP_SYM_ACTIVE = 1;
        const NTP_SYM_PASSIVE = 2;
        const NTP_CLIENT = 3;
        const NTP_SERVER = 4;
        const NTP_BROADCAST = 5;
        const NTP_CONTROL = 6;
        const NTP_PRIVATE = 7;

        const ports = { 123/udp };
        redef likely_server_ports += { ports };

        const log_only_control: bool = F &redef;

        # So we don't warn more than one time
        global ntp_host: table[addr] of count;
} # end export

# Hook handlers and redefs belong outside the export block.
hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == NTP::NTP_ALARM )
                add n$actions[Notice::ACTION_EMAIL];
        }

redef capture_filters += {
        ["watched network"] = "net 172.16.1.41/32"
};

redef Site::local_nets += {
        172.16.1.41/32
};

event bro_init() &priority=5
        {
        Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
        }

event ntp_message(c: connection, msg: ntp_msg, excess: string)
        {
        local manage_ip: addr = 0.0.0.0;
        local int_desc: string = "none";
        # c$id identifies the UDP flow as a whole: orig_h is the host that
        # sent the first packet and resp_h its peer, for every message in
        # the flow, so the values below are identical for request and reply.
        print ">>>>>>>>>>>>>>>>>>>>";
        print "ID:=", msg$id;
        print "orig_h=", c$id$orig_h;
        print "resp_host=", c$id$resp_h;
        print "msg code=", msg$code;
        print "excess=", excess;
        print " <<<<<<<<<<<<<<<<<<";
        }
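An added example, not the poster's script and not part of Bro itself, that performs the check the post is after. It assumes the Bro 2.x `ntp_message` event and `msg$code` (the NTP mode) exactly as the poster's script uses them, and that the NTP analyzer is registered on 123/udp as in that script. Because `c$id$orig_h` names the originator of the whole UDP flow and is therefore the same for the mode-3 request and the mode-4 reply, the example attributes each message to its sender by mode instead: mode 3 comes from `c$id$orig_h`, mode 4 from `c$id$resp_h`. The module name, the set names, the `Client_Also_Serving` notice type and the one-day expiry are assumptions made for the example.

```bro
# Added example (not the poster's code): attribute NTP messages to the host
# that sent them, then notice hosts seen in both client and server roles.
module NTPRoles;

export {
        redef enum Notice::Type += {
                ## A host that sends both NTP client (mode 3) and NTP
                ## server (mode 4) messages.  Assumed name for this example.
                Client_Also_Serving,
        };

        ## Hosts observed sending mode-3 (client) messages.
        global ntp_clients: set[addr] &create_expire=1day;
        ## Hosts observed sending mode-4 (server) messages.
        global ntp_servers: set[addr] &create_expire=1day;
}

const NTP_CLIENT = 3;
const NTP_SERVER = 4;

event ntp_message(c: connection, msg: ntp_msg, excess: string)
        {
        # Only client requests and server replies carry role information
        # for this check; ignore the other modes.
        if ( msg$code != NTP_CLIENT && msg$code != NTP_SERVER )
                return;

        # c$id$orig_h is the flow originator for every message in the flow,
        # so decide the sender of *this* message from the NTP mode.
        local sender = (msg$code == NTP_CLIENT) ? c$id$orig_h : c$id$resp_h;

        if ( msg$code == NTP_CLIENT )
                add ntp_clients[sender];
        else
                add ntp_servers[sender];

        # A host in both sets has acted as a client and as a server.
        if ( sender in ntp_clients && sender in ntp_servers )
                NOTICE([$note=Client_Also_Serving,
                        $msg=fmt("%s sends both NTP client and NTP server messages", sender),
                        $src=sender,
                        $conn=c,
                        # Default notice suppression keys on $identifier, so
                        # each host is reported once per suppression window.
                        $identifier=cat(sender)]);
        }
```

With the poster's capture, the mode-3 message from 172.16.1.7 adds that host to `ntp_clients` and the mode-4 reply adds 172.16.1.41 to `ntp_servers`; no notice fires because neither host is in both sets. A notice would fire only for a host that both answers mode-3 requests and issues its own, which is the condition the post wants to detect. The sets expire after a day so a host that stops serving is not flagged indefinitely.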

