mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 01:28:20 +00:00
WIP: BinPAC NTP analyzer
This commit is contained in:
Vlad Grigorescu
parent
be4f6eae0e
commit
2005a76896
12 changed files with 743 additions and 307 deletions
|
|
@ -1,3 +1,3 @@
|
|||
# Generated by binpac_quickstart
|
||||
@load ./main
|
||||
@load-sigs ./dpd.sig
|
||||
@load ./consts
|
||||
15
scripts/base/protocols/ntp/consts.zeek
Normal file
15
scripts/base/protocols/ntp/consts.zeek
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
module NTP;
|
||||
|
||||
export {
|
||||
## The descriptions of the NTP mode value, as described
|
||||
## in :rfc:`5905`, Figure 1
|
||||
const modes: table[count] of string = {
|
||||
[1] = "symmetric active",
|
||||
[2] = "symmetric passive",
|
||||
[3] = "client",
|
||||
[4] = "server",
|
||||
[5] = "broadcast server",
|
||||
[6] = "broadcast client",
|
||||
[7] = "reserved",
|
||||
} &default=function(i: count):string { return fmt("unknown-%d", i); } &redef;
|
||||
}
|
||||
|
|
@ -1,53 +1,119 @@
|
|||
##! Implements base functionality for NTP analysis.
|
||||
##! Generates the Ntp.log file.
|
||||
module NTP;
|
||||
|
||||
# Generated by binpac_quickstart
|
||||
|
||||
module Ntp;
|
||||
@load ./consts
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Info: record {
|
||||
## Timestamp for when the event happened.
|
||||
ts: time &log;
|
||||
ts: time &log;
|
||||
## Unique ID for the connection.
|
||||
uid: string &log;
|
||||
uid: string &log;
|
||||
## The connection's 4-tuple of endpoint addresses/ports.
|
||||
id: conn_id &log;
|
||||
|
||||
# ## TODO: Add other fields here that you'd like to log.
|
||||
id: conn_id &log;
|
||||
## The version of NTP
|
||||
ver: count &log;
|
||||
## The stratum (primary, secondary, etc.) of the server
|
||||
stratum: count &log &optional;
|
||||
## The precision of the system clock of the client
|
||||
precision: interval &log &optional;
|
||||
## The time at the client that the request was sent to the server
|
||||
org_time: time &log &optional;
|
||||
## The time at the server when the request was received
|
||||
rec_time: time &log &optional;
|
||||
## The time at the server when the reply was sent
|
||||
xmt_time: time &log &optional;
|
||||
## For stratum 0, 4 character string used for debugging
|
||||
kiss_code: string &log &optional;
|
||||
## For stratum 1, ID assigned to the clock by IANA
|
||||
ref_id: string &log &optional;
|
||||
## The IP of the server's reference clock
|
||||
ref_clock: addr &log &optional;
|
||||
};
|
||||
|
||||
## Event that can be handled to access the NTP record as it is sent on
|
||||
## to the loggin framework.
|
||||
## to the logging framework.
|
||||
global log_ntp: event(rec: Info);
|
||||
}
|
||||
|
||||
# TODO: The recommended method to do dynamic protocol detection
|
||||
# (DPD) is with the signatures in dpd.sig. If you can't come up
|
||||
# with any signatures, then you can do port-based detection by
|
||||
# uncommenting the following and specifying the port(s):
|
||||
redef record connection += {
|
||||
ntp: Info &optional;
|
||||
};
|
||||
|
||||
# const ports = { 1234/udp, 5678/udp };
|
||||
const ports = { 123/udp };
|
||||
|
||||
redef likely_server_ports += { ports };
|
||||
|
||||
# redef likely_server_ports += { ports };
|
||||
|
||||
event bro_init() &priority=5
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Ntp::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
|
||||
Log::create_stream(NTP::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
|
||||
|
||||
# TODO: If you're using port-based DPD, uncomment this.
|
||||
# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
|
||||
Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
|
||||
}
|
||||
|
||||
event ntp_event(c: connection)
|
||||
event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
|
||||
{
|
||||
# Record initialization
|
||||
local info: Info;
|
||||
info$ts = network_time();
|
||||
info$uid = c$uid;
|
||||
info$id = c$id;
|
||||
if ( c?$ntp )
|
||||
info = c$ntp;
|
||||
else
|
||||
{
|
||||
info$ts = network_time();
|
||||
info$uid = c$uid;
|
||||
info$id = c$id;
|
||||
info$ver = msg$version;
|
||||
}
|
||||
|
||||
Log::write(Ntp::LOG, info);
|
||||
}
|
||||
# From the request, we get the desired precision
|
||||
if ( is_orig )
|
||||
{
|
||||
info$precision = msg$precision;
|
||||
c$ntp = info;
|
||||
return;
|
||||
}
|
||||
|
||||
# From the response, we fill out most of the rest of the fields.
|
||||
info$stratum = msg$stratum;
|
||||
info$org_time = msg$org_time;
|
||||
info$rec_time = msg$rec_time;
|
||||
info$xmt_time = msg$xmt_time;
|
||||
|
||||
# Stratum 1 has the textual reference ID
|
||||
if ( msg$stratum == 1 )
|
||||
info$ref_id = gsub(msg$ref_id, /\x00*/, "");
|
||||
|
||||
# Higher stratums using IPv4 have the address of the reference server.
|
||||
if ( msg$stratum > 1 )
|
||||
{
|
||||
if ( is_v4_addr(c$id$orig_h) )
|
||||
info$ref_clock = msg$ref_addr;
|
||||
}
|
||||
c$ntp = info;
|
||||
}
|
||||
|
||||
event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
|
||||
{
|
||||
if ( ! is_orig )
|
||||
{
|
||||
Log::write(NTP::LOG, c$ntp);
|
||||
delete c$ntp;
|
||||
}
|
||||
}
|
||||
|
||||
event connection_state_remove(c: connection) &priority=-5
|
||||
{
|
||||
if ( c?$ntp )
|
||||
Log::write(NTP::LOG, c$ntp);
|
||||
}
|
||||
|
||||
event ntp_mode6_message(c: connection, is_orig: bool, opcode: count)
|
||||
{
|
||||
print "Mode 6", opcode;
|
||||
}
|
||||
|
||||
event ntp_mode7_message(c: connection, is_orig: bool, opcode: count)
|
||||
{
|
||||
print "Mode 7", opcode;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue