Merge remote-tracking branch 'origin/topic/seth/506-fix-ntp-analyzer-fields-missing'

* origin/topic/seth/506-fix-ntp-analyzer-fields-missing:
  Tiny tweaks to try and address ticket #506

CHANGES

@@ -1,4 +1,8 @@
 
+2.6-725 | 2019-07-31 10:44:05 -0700
+
+  * GH-506: fix NTP script errors (Seth Hall, Corelight)
+
 2.6-723 | 2019-07-30 19:36:56 -0700
 
   * Add LogAscii::enable_utf_8 option (Dev Bali, Corelight)

VERSION

@@ -1 +1 @@
-2.6-723
+2.6-725

scripts/base/protocols/ntp/main.zeek

@@ -56,6 +56,12 @@ redef record connection += {
 const ports = { 123/udp };
 redef likely_server_ports += { ports };
 
+event zeek_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
+	}
+
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 	{
 	local info: Info;
@@ -65,7 +71,7 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 	info$version = msg$version;
 	info$mode = msg$mode;
 
-	if ( msg$mode < 6 )
+	if ( msg?$std_msg )
 		{
 		info$stratum = msg$std_msg$stratum;
 		info$poll = msg$std_msg$poll;
@@ -96,12 +102,7 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
 	{
-	if ( msg$mode < 6 )
+	if ( c?$ntp && msg$mode <= 5 )
 		Log::write(NTP::LOG, c$ntp);
 	}
 
-event zeek_init() &priority=5
-	{
-	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
-	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
-	}

src/analyzer/protocol/ntp/ntp-analyzer.pac

@@ -140,7 +140,7 @@ refine flow NTP_Flow += {
 		rv->Assign(1, val_mgr->GetCount(${msg.mode}));
 
 		// The standard record
-		if ( ${msg.mode} > 0 && ${msg.mode} < 6 )
+		if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )
 			rv->Assign(2, BuildNTPStdMsg(${msg.std}));
 		else if ( ${msg.mode} == 6 )
 			rv->Assign(3, BuildNTPControlMsg(${msg.control}));