Ran binpac_quickstart for NTP (UDP, not buffered)

This commit is contained in:
Vlad Grigorescu 2019-05-29 09:04:48 -05:00
parent 232bee4096
commit be4f6eae0e
13 changed files with 281 additions and 1 deletions

View file

@ -0,0 +1,3 @@
# Generated by binpac_quickstart
@load ./main
@load-sigs ./dpd.sig

View file

@ -0,0 +1,14 @@
# Generated by binpac_quickstart
signature dpd_ntp {
ip-proto == udp
# ## TODO: Define the payload. When Bro sees this regex, on
# ## any port, it will enable your analyzer on that
# ## connection.
# ## payload /^NTP/
enable "ntp"
}

View file

@ -0,0 +1,53 @@
##! Implements base functionality for NTP analysis.
##! Generates the Ntp.log file.
# Generated by binpac_quickstart
module Ntp;
export {
redef enum Log::ID += { LOG };
type Info: record {
## Timestamp for when the event happened.
ts: time &log;
## Unique ID for the connection.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
# ## TODO: Add other fields here that you'd like to log.
};
## Event that can be handled to access the NTP record as it is sent on
## to the loggin framework.
global log_ntp: event(rec: Info);
}
# TODO: The recommended method to do dynamic protocol detection
# (DPD) is with the signatures in dpd.sig. If you can't come up
# with any signatures, then you can do port-based detection by
# uncommenting the following and specifying the port(s):
# const ports = { 1234/udp, 5678/udp };
# redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(Ntp::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
# TODO: If you're using port-based DPD, uncomment this.
# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
}
event ntp_event(c: connection)
{
local info: Info;
info$ts = network_time();
info$uid = c$uid;
info$id = c$id;
Log::write(Ntp::LOG, info);
}