fix auth field (key_id and mac) in standard and control msg

Mauro Palumbo 2019-06-06 16:38:05 +02:00
parent df0a4b9bb7
commit 2cd2c65fe3
4 changed files with 51 additions and 78 deletions


@ -2526,54 +2526,6 @@ export {
};
}
module NTP;
export {
## NTP message as defined in :rfc:`5905`.
## Doesn't include fields for mode 7 (reserved for private use), e.g. monlist
type NTP::Message: record {
## The NTP version number
version: count;
## The NTP mode being used
mode: count;
## The stratum (primary server, secondary server, etc.)
stratum: count;
## The maximum interval between successive messages
poll: interval;
## The precision of the system clock
precision: interval;
## Total round-trip delay to the reference clock
root_delay: interval;
## Total dispersion to the reference clock
root_disp: interval;
## For stratum 0, 4 character string used for debugging
kiss_code: string &optional;
## For stratum 1, ID assigned to the reference clock by IANA
ref_id: string &optional;
## Above stratum 1, when using IPv4, the IP address of the reference clock
ref_addr: addr &optional;
## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
## IPv6 address of the reference clock
ref_v6_hash_prefix: string &optional;
## Time when the system clock was last set or correct
ref_time: time;
## Time at the client when the request departed for the NTP server
org_time: time;
## Time at the server when the request arrived from the NTP client
rec_time: time;
## Time at the server when the response departed for the NTP client
xmt_time: time;
## Key used to designate a secret MD5 key
key_id: count &optional;
## MD5 hash computed over the key followed by the NTP packet header and extension fields
digest: string &optional;
## Number of extension fields (which are not currently parsed)
num_exts: count &default=0;
};
}
module NTLM;
@ -5045,15 +4997,16 @@ export {
## The sequence number of the command or response
sequence : count;
## The current status of the system, peer or clock
status : count; #TODO: this must be further specified
status : count; #TODO: this can be further parsed internally
## A 16-bit integer identifying a valid association
association_id : count;
## A 16-bit integer indicating the offset, in octets, of the first octet in the data area
offs : count;
## A 16-bit integer indicating the length of the data field, in octets
c : count;
## The message data for the command or response + Authenticator (optional)
data : string &optional; # TODO: distinguish data and authenticator
data : string &optional;
## This is an integer identifying the cryptographic
## key used to generate the message-authentication code
key_id : count &optional;
## This is a crypto-checksum computed by the encryption procedure
crypto_checksum : string &optional;
};
## NTP mode7 message for mode=7. Note that this is not defined in any RFC
@ -5095,7 +5048,7 @@ export {
## 7 - authentication failure (i.e. permission denied)
err : count;
## Rest of data
data : string &optional; # TODO: can be further parsed
data : string &optional;
};
## NTP message as defined in :rfc:`5905`.
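Review bot: The doc comment kept above `data` in the second hunk still reads "+ Authenticator (optional)", although this change adds separate `key_id` and `crypto_checksum` fields for the authenticator. If the parser (not shown here) no longer leaves those bytes in `data`, the comment should become `## The message data for the command or response`. The comment on `crypto_checksum` could also name the field in protocol terms, for example `## Message-authentication code computed with the key named by key_id`, because "encryption procedure" is vague for a field an analyst will use to tell authenticated from unauthenticated control traffic. The record's opening lines are outside the hunk.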


@ -76,6 +76,12 @@ export {
status : count &log;
## A 16-bit integer identifying a valid association
association_id : count &log;
## This is an integer identifying the cryptographic
## key used to generate the message-authentication code
ctrl_key_id : count &optional &log;
## This is a crypto-checksum computed by the encryption procedure
crypto_checksum : string &optional &log;
## An implementation-specific code which specifies the
## operation to be (which has been) performed and/or the
@ -133,13 +139,13 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
info$root_delay = msg$std_msg$root_delay;
info$root_disp = msg$std_msg$root_disp;
if ( info?$kiss_code)
if ( msg$std_msg?$kiss_code)
info$kiss_code = msg$std_msg$kiss_code;
if ( info?$ref_id)
if ( msg$std_msg?$ref_id)
info$ref_id = msg$std_msg$ref_id;
if ( info?$ref_addr)
if ( msg$std_msg?$ref_addr)
info$ref_addr = msg$std_msg$ref_addr;
if ( info?$ref_v6_hash_prefix)
if ( msg$std_msg?$ref_v6_hash_prefix)
info$ref_v6_hash_prefix = msg$std_msg$ref_v6_hash_prefix;
info$ref_time = msg$std_msg$ref_time;
@ -147,9 +153,9 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
info$rec_time = msg$std_msg$rec_time;
info$xmt_time = msg$std_msg$xmt_time;
if ( info?$key_id)
if ( msg$std_msg?$key_id)
info$key_id = msg$std_msg$key_id;
if ( info?$digest)
if ( msg$std_msg?$digest)
info$digest = msg$std_msg$digest;
info$num_exts = msg$std_msg$num_exts;
@ -163,6 +169,12 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
info$sequence = msg$control_msg$sequence;
info$status = msg$control_msg$status;
info$association_id = msg$control_msg$association_id;
if ( msg$control_msg?$key_id)
info$ctrl_key_id = msg$control_msg$key_id;
if ( msg$control_msg?$crypto_checksum)
info$crypto_checksum = msg$control_msg$crypto_checksum;
}
if ( msg$mode==7 ) {
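Review bot: The two new log fields in the first hunk of this file are named inconsistently: `ctrl_key_id` carries a prefix that sets it apart from the standard-message `key_id`, while `crypto_checksum` has none. A reader of the log therefore cannot tell from the name that it belongs with `ctrl_key_id` rather than with `digest`. Either rename it along the lines of `ctrl_digest`, or state the pairing in its comment, for example `## Control messages only: message-authentication code, paired with ctrl_key_id`. The `ntp_message` handler starts and ends outside these hunks, so the guard around the control-message assignments is not visible here.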