NTP: Detect out-of-order packets

The NTP mode provides us with the identity of the endpoints. For the
simple CLIENT / SERVER modes, flip the connection if we detect
orig/resp disagreeing with what the message says. This mainly
results in the history getting a ^ and the ntp.log / conn.log
showing the corrected endpoints.

Closes #2998.

src/analyzer/protocol/ntp/ntp-analyzer.pac

@@ -130,11 +130,25 @@
 
 refine flow NTP_Flow += {
 
+	%member{
+		bool flipped_;
+	%}
+
+	%init{
+		flipped_ = false;
+	%}
 
 	function proc_ntp_message(msg: NTP_PDU): bool
 		%{
 		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
+		// Flip roles for SERVER mode message from orig or a CLIENT mode message from resp.
+		if ( ((${msg.mode} == SERVER && is_orig()) || (${msg.mode} == CLIENT && ! is_orig())) && ! flipped_ )
+			{
+			connection()->zeek_analyzer()->Conn()->FlipRoles();
+			flipped_ = true;
+			}
+
 		if ( ! ntp_message )
 			return false;
 

src/analyzer/protocol/ntp/ntp-protocol.pac

@@ -1,5 +1,14 @@
 # This is the common part in the header format.
 # See RFC 5905 for details
+enum NTP_Mode {
+	SYMMETRIC_ACTIVE = 1,
+	SYMMETRIC_PASSIVE = 2,
+	CLIENT = 3,
+	SERVER = 4,
+	BROADCAST_SERVER = 5,
+	BROADCAST_CLIENT = 6,
+};
+
 type NTP_PDU(is_orig: bool) = record {
 	# The first byte of the NTP header contains the leap indicator,
 	# the version and the mode