Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/seth/506-fix-ntp-analyzer-fields-missing'

Browse source 
* origin/topic/seth/506-fix-ntp-analyzer-fields-missing:
  Tiny tweaks to try and address ticket #506
This commit is contained in:
Jon Siwek 2019-07-31 10:44:05 -07:00
commit 851a11086d
4 changed files with 15 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,4 +1,8 @@
2.6-725 | 2019-07-31 10:44:05 -0700
* GH-506: fix NTP script errors (Seth Hall, Corelight)
2.6-723 | 2019-07-30 19:36:56 -0700 2.6-723 | 2019-07-30 19:36:56 -0700
* Add LogAscii::enable_utf_8 option (Dev Bali, Corelight) * Add LogAscii::enable_utf_8 option (Dev Bali, Corelight)

2
VERSION
View file

@ -1 +1 @@
2.6-723 2.6-725

15
scripts/base/protocols/ntp/main.zeek
View file

@ -56,6 +56,12 @@ redef record connection += {
const ports = { 123/udp }; const ports = { 123/udp };
redef likely_server_ports += { ports }; redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
}
event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
{ {
local info: Info; local info: Info;
@ -65,7 +71,7 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
info$version = msg$version; info$version = msg$version;
info$mode = msg$mode; info$mode = msg$mode;
if ( msg$mode < 6 ) if ( msg?$std_msg )
{ {
info$stratum = msg$std_msg$stratum; info$stratum = msg$std_msg$stratum;
info$poll = msg$std_msg$poll; info$poll = msg$std_msg$poll;
@ -96,12 +102,7 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
{ {
if ( msg$mode < 6 ) if ( c?$ntp && msg$mode <= 5 )
Log::write(NTP::LOG, c$ntp); Log::write(NTP::LOG, c$ntp);
} }
event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
}

2
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -140,7 +140,7 @@ refine flow NTP_Flow += {
rv->Assign(1, val_mgr->GetCount(${msg.mode})); rv->Assign(1, val_mgr->GetCount(${msg.mode}));
// The standard record // The standard record
if ( ${msg.mode} > 0 && ${msg.mode} < 6 ) if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )
rv->Assign(2, BuildNTPStdMsg(${msg.std})); rv->Assign(2, BuildNTPStdMsg(${msg.std}));
else if ( ${msg.mode} == 6 ) else if ( ${msg.mode} == 6 )
rv->Assign(3, BuildNTPControlMsg(${msg.control})); rv->Assign(3, BuildNTPControlMsg(${msg.control}));