mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
Ran binpac_quickstart for NTP (UDP, not buffered)
This commit is contained in:
parent
232bee4096
commit
be4f6eae0e
13 changed files with 281 additions and 1 deletions
3
scripts/base/protocols/ntp/__load__.zeek
Normal file
3
scripts/base/protocols/ntp/__load__.zeek
Normal file
|
@ -0,0 +1,3 @@
|
|||
# Generated by binpac_quickstart
|
||||
@load ./main
|
||||
@load-sigs ./dpd.sig
|
14
scripts/base/protocols/ntp/dpd.sig
Normal file
14
scripts/base/protocols/ntp/dpd.sig
Normal file
|
@ -0,0 +1,14 @@
|
|||
# Generated by binpac_quickstart
|
||||
|
||||
signature dpd_ntp {
|
||||
|
||||
ip-proto == udp
|
||||
|
||||
|
||||
# ## TODO: Define the payload. When Bro sees this regex, on
|
||||
# ## any port, it will enable your analyzer on that
|
||||
# ## connection.
|
||||
# ## payload /^NTP/
|
||||
|
||||
enable "ntp"
|
||||
}
|
53
scripts/base/protocols/ntp/main.zeek
Normal file
53
scripts/base/protocols/ntp/main.zeek
Normal file
|
@ -0,0 +1,53 @@
|
|||
##! Implements base functionality for NTP analysis.
|
||||
##! Generates the Ntp.log file.
|
||||
|
||||
# Generated by binpac_quickstart
|
||||
|
||||
module Ntp;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Info: record {
|
||||
## Timestamp for when the event happened.
|
||||
ts: time &log;
|
||||
## Unique ID for the connection.
|
||||
uid: string &log;
|
||||
## The connection's 4-tuple of endpoint addresses/ports.
|
||||
id: conn_id &log;
|
||||
|
||||
# ## TODO: Add other fields here that you'd like to log.
|
||||
};
|
||||
|
||||
## Event that can be handled to access the NTP record as it is sent on
|
||||
## to the loggin framework.
|
||||
global log_ntp: event(rec: Info);
|
||||
}
|
||||
|
||||
# TODO: The recommended method to do dynamic protocol detection
|
||||
# (DPD) is with the signatures in dpd.sig. If you can't come up
|
||||
# with any signatures, then you can do port-based detection by
|
||||
# uncommenting the following and specifying the port(s):
|
||||
|
||||
# const ports = { 1234/udp, 5678/udp };
|
||||
|
||||
|
||||
# redef likely_server_ports += { ports };
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
Log::create_stream(Ntp::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
|
||||
|
||||
# TODO: If you're using port-based DPD, uncomment this.
|
||||
# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
|
||||
}
|
||||
|
||||
event ntp_event(c: connection)
|
||||
{
|
||||
local info: Info;
|
||||
info$ts = network_time();
|
||||
info$uid = c$uid;
|
||||
info$id = c$id;
|
||||
|
||||
Log::write(Ntp::LOG, info);
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue