# Everything below lives in the NTP namespace (NTP::LOG, NTP::ntp_record, ...).
module NTP;
export {
	# Log stream written by ntp_message() below.
	redef enum Log::ID += { LOG };
	redef enum Notice::Type += {
		# Declared here but never raised anywhere in this file.
		NTP_Alarm,
		# Raised when a host is first seen sending a control- or
		# private-mode message (see ntp_message() below).
		NTP_Monlist_Queries,
	};

	# One row of the NTP log. Built in ntp_message() from the analyzer's
	# ntp_msg plus the connection's endpoints/UID/start time; the
	# &default values cover fields the message did not carry.
	type ntp_record: record {
		ts: time &log;			# c$start_time
		uid: string &log;		# c$uid
		orig: addr &log;		# originator address
		resp: addr &log;		# responder address
		refid: count &default=0 &log;	# msg$id
		code: count &default=0 &log;	# NTP mode, see table below
		stratum: count &default=0 &log;
		poll: count &default=0 &log;
		# to_int("0") yields an int zero (a bare 0 literal is a count).
		precision: int &default=to_int("0") &log;
		#distance: interval;
		#dispersion: interval;
		reftime: time &log;		# msg$ref_t
		#orig: time;
		#rec: time;
		#xmt: time;
		# Whatever the analyzer passes as the "excess" argument; presumably
		# trailing bytes beyond the parsed header - confirm against the analyzer.
		excess: string &default="NULL" &log;
	};

	# The code value maps to the NTP mode type - for now the script is
	# mostly interested in control messages.
	#
	# Mode	Description
	# 0	reserved.
	# 1	Symmetric active.
	# 2	Symmetric passive.
	# 3	Client.
	# 4	Server.
	# 5	Broadcast.
	# 6	NTP control message.
	# 7	private use.
	const NTP_RESERVED = 0;
	const NTP_SYM_ACTIVE = 1;
	const NTP_SYM_PASSIVE = 2;
	const NTP_CLIENT = 3;
	const NTP_SERVER = 4;
	const NTP_BROADCAST = 5;
	const NTP_CONTROL = 6;
	const NTP_PRIVATE = 7;

	# Ports the NTP analyzer is attached to in bro_init().
	const ports = { 123/udp,};
	redef likely_server_ports += { ports };

	# When T, only control (6) and private (7) mode messages are logged.
	const log_only_control: bool = F &redef;

	# Per-originator count of control/private-mode messages, used so we
	# don't warn more than one time per host.
	global ntp_host: table[addr] of count;
} # end export
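# Handles one NTP message from the analyzer: copies the fields of interest
# into an ntp_record, raises NTP_Monlist_Queries the first time a host is
# seen sending a control/private-mode message, and writes the log row.
#
# c:      the connection the message was seen on
# msg:    the analyzer's ntp_msg (slightly different from ntp_record)
# excess: string handed over by the analyzer, logged verbatim
event ntp_message(c: connection, msg: ntp_msg, excess: string)
	{
	# Mode of the message; NTP_RESERVED (0) when the analyzer did not fill
	# msg$code, matching the &default on ntp_record$code.
	local code = msg?$code ? msg$code : NTP_RESERVED;

	# When only control traffic is wanted, drop anything that is neither a
	# control nor a private mode message. The original test combined the
	# two inequalities with "||", which is true for every value of code and
	# so discarded every message once log_only_control was set.
	if ( log_only_control && code != NTP_CONTROL && code != NTP_PRIVATE )
		return;

	local t_rec: ntp_record;
	t_rec$orig = c$id$orig_h;
	t_rec$resp = c$id$resp_h;
	t_rec$uid = c$uid;
	t_rec$ts = c$start_time;
	t_rec$code = code;

	# Optional fields keep their &default when the message lacks them.
	if ( msg?$id )
		t_rec$refid = msg$id;
	if ( msg?$stratum )
		t_rec$stratum = msg$stratum;
	if ( msg?$poll )
		t_rec$poll = msg$poll;
	if ( msg?$precision )
		t_rec$precision = msg$precision;
	if ( msg?$ref_t )
		t_rec$reftime = msg$ref_t;
	t_rec$excess = excess;

	# NOTE(review): this fires on any control- or private-mode message; the
	# request within the message is not inspected, so the notice name is
	# broader than what actually triggers it.
	if ( code == NTP_PRIVATE || code == NTP_CONTROL )
		{
		if ( c$id$orig_h !in ntp_host )
			{
			# First such message from this host: record it so later messages
			# only bump the counter. The original never inserted into
			# ntp_host, which left the else branch unreachable and relied
			# solely on the notice framework's $suppress_for/$identifier.
			ntp_host[c$id$orig_h] = 1;
			NOTICE([$note=NTP::NTP_Monlist_Queries,
			        $conn=c,
			        $suppress_for=6hrs,
			        $msg=fmt("NTP monlist queries"),
			        $identifier=cat(c$id$orig_h)]);
			}
		else
			++ntp_host[c$id$orig_h];
		}

	Log::write(LOG, t_rec);
	}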
# Startup: attach the NTP analyzer to the exported port set and create the
# log stream whose rows are ntp_record. Runs at priority 5 so the stream
# exists before lower-priority init handlers that may reference it.
event bro_init() &priority=5
	{
	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
	Log::create_stream(NTP::LOG, [$columns=ntp_record]);
	}