From 7626344122f48915bd438ecd54bfb7784e416795 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 31 Jul 2019 11:17:53 -0400
Subject: [PATCH] Tiny tweaks to try and address ticket #506

---
 scripts/base/protocols/ntp/main.zeek | 15 ++++++++-------
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 4 ++--
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/scripts/base/protocols/ntp/main.zeek b/scripts/base/protocols/ntp/main.zeek
index ed55ac4ee4..7aad2c8dce 100644
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@@ -56,6 +56,12 @@ redef record connection += {
 const ports = { 123/udp };
 redef likely_server_ports += { ports };
 
+event zeek_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
+	}
+
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 	{
 	local info: Info;
@@ -65,7 +71,7 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 	info$version = msg$version;
 	info$mode = msg$mode;
 
-	if ( msg$mode < 6 )
+	if ( msg?$std_msg )
 		{
 		info$stratum = msg$std_msg$stratum;
 		info$poll = msg$std_msg$poll;
@@ -96,12 +102,7 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
 	{
-	if ( msg$mode < 6 )
+	if ( c?$ntp && msg$mode <= 5 )
 		Log::write(NTP::LOG, c$ntp);
 	}
 
-event zeek_init() &priority=5
-	{
-	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
-	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
-	}
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 226a71236e..961557b079 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
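Review bot: The new `msg?$std_msg` test does not say why the field can be absent, and a reader of this script has no reason to know that the analyzer only fills it for a subset of modes; a one-line comment above the `if` would carry that, e.g. `# std_msg is only populated by the analyzer for modes 1-5; mode 0 and mode 7 messages arrive with just the header fields.` The lower bound introduced in ntp-analyzer.pac (`${msg.mode} >= 1`) means a mode-0 packet reaches this handler with version and mode set but no std_msg, which the old `msg$mode < 6` test would have dereferenced. The enclosing ntp_message handler starts and ends outside this hunk.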
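Review bot: The write condition `msg$mode <= 5` is not the same test the priority=5 handler now uses (`msg?$std_msg`), so a mode-0 message still produces a log line with stratum, poll and the other std fields unset; if that is the intent a comment should say so, otherwise `if ( c?$ntp && msg?$std_msg )` keeps the two handlers in step. The `c?$ntp` guard assumes c$ntp is assigned in the priority=5 handler, which is outside this hunk; it is worth confirming that assignment happens for every message, since otherwise a record left from an earlier message on the same connection would be written again for a later mode 0-5 packet. A short comment on the excluded modes would also help, e.g. `# Control (mode 6) and private (mode 7) messages are parsed but not logged.`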
@@ -83,7 +83,7 @@ refine flow NTP_Flow += {
 		}
 		return rv;
-	%}
+	%}
 
 	# This builds the control msg record
 	function BuildNTPControlMsg(ncm: NTP_control_msg): BroVal
@@ -140,7 +140,7 @@ refine flow NTP_Flow += {
 		rv->Assign(1, val_mgr->GetCount(${msg.mode}));
 
 		// The standard record
-		if ( ${msg.mode} > 0 && ${msg.mode} < 6 )
+		if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )
 			rv->Assign(2, BuildNTPStdMsg(${msg.std}));
 		else if ( ${msg.mode} == 6 )
 			rv->Assign(3, BuildNTPControlMsg(${msg.control}));
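Review bot: `>=1` lacks the space the rest of the condition uses; `if ( ${msg.mode} >= 1 && ${msg.mode} <= 5 )` reads like the neighbouring `<= 5` and `== 6`. For an integer mode the rewrite is equivalent to the old `> 0 && < 6`, so this is style only. Modes 0 and 7 satisfy neither branch visible here, so the record is returned with neither field 2 nor field 3 assigned unless a further `else` follows outside the hunk, and the script side has to treat both as optional, which the `msg?$std_msg` change in main.zeek does for field 2. The enclosing function continues past the end of this hunk.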