Ran binpac_quickstart for NTP (UDP, not buffered)

scripts/base/init-default.zeek

@@ -56,6 +56,7 @@
 @load base/protocols/modbus
 @load base/protocols/mysql
 @load base/protocols/ntlm
+@load base/protocols/ntp
 @load base/protocols/pop3
 @load base/protocols/radius
 @load base/protocols/rdp

scripts/base/protocols/ntp/__load__.zeek

@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+@load-sigs ./dpd.sig

scripts/base/protocols/ntp/dpd.sig

@@ -0,0 +1,14 @@
+# Generated by binpac_quickstart
+
+signature dpd_ntp {
+	
+	ip-proto == udp
+	
+
+	# ## TODO: Define the payload. When Bro sees this regex, on
+	# ## any port, it will enable your analyzer on that
+	# ## connection.
+	# ## payload /^NTP/
+
+	enable "ntp"
+}

scripts/base/protocols/ntp/main.zeek

@@ -0,0 +1,53 @@
+##! Implements base functionality for NTP analysis.
+##! Generates the Ntp.log file.
+
+# Generated by binpac_quickstart
+
+module Ntp;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+		
+		# ## TODO: Add other fields here that you'd like to log.
+	};
+
+	## Event that can be handled to access the NTP record as it is sent on
+	## to the loggin framework.
+	global log_ntp: event(rec: Info);
+}
+
+# TODO: The recommended method to do dynamic protocol detection
+# (DPD) is with the signatures in dpd.sig. If you can't come up
+# with any signatures, then you can do port-based detection by
+# uncommenting the following and specifying the port(s):
+
+# const ports = { 1234/udp, 5678/udp };
+
+
+# redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Ntp::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
+
+	# TODO: If you're using port-based DPD, uncomment this.
+	# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	}
+
+event ntp_event(c: connection)
+	{
+	local info: Info;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+
+	Log::write(Ntp::LOG, info);
+	}

src/analyzer/protocol/CMakeLists.txt

@@ -28,6 +28,7 @@ add_subdirectory(mysql)
 add_subdirectory(ncp)
 add_subdirectory(netbios)
 add_subdirectory(ntlm)
+add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
 add_subdirectory(radius)
@@ -35,9 +36,9 @@ add_subdirectory(rdp)
 add_subdirectory(rfb)
 add_subdirectory(rpc)
 add_subdirectory(sip)
-add_subdirectory(snmp)
 add_subdirectory(smb)
 add_subdirectory(smtp)
+add_subdirectory(snmp)
 add_subdirectory(socks)
 add_subdirectory(ssh)
 add_subdirectory(ssl)

src/analyzer/protocol/ntp/CMakeLists.txt

@@ -0,0 +1,11 @@
+# Generated by binpac_quickstart
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro NTP)
+	bro_plugin_cc(NTP.cc Plugin.cc)
+	bro_plugin_bif(events.bif)
+	bro_plugin_pac(ntp.pac ntp-analyzer.pac ntp-protocol.pac)
+bro_plugin_end()

src/analyzer/protocol/ntp/NTP.cc

@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#include "NTP.h"
+
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::NTP;
+
+NTP_Analyzer::NTP_Analyzer(Connection* c)
+
+: analyzer::Analyzer("NTP", c)
+
+	{
+	interp = new binpac::NTP::NTP_Conn(this);
+	
+	}
+
+NTP_Analyzer::~NTP_Analyzer()
+	{
+	delete interp;
+	}
+
+void NTP_Analyzer::Done()
+	{
+	
+	Analyzer::Done();
+	
+	}
+
+void NTP_Analyzer::DeliverPacket(int len, const u_char* data,
+	 			  bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}

src/analyzer/protocol/ntp/NTP.h

@@ -0,0 +1,40 @@
+// Generated by binpac_quickstart
+
+#ifndef ANALYZER_PROTOCOL_NTP_NTP_H
+#define ANALYZER_PROTOCOL_NTP_NTP_H
+
+#include "events.bif.h"
+
+
+#include "analyzer/protocol/udp/UDP.h"
+
+#include "ntp_pac.h"
+
+namespace analyzer { namespace NTP {
+
+class NTP_Analyzer
+
+: public analyzer::Analyzer {
+
+public:
+	NTP_Analyzer(Connection* conn);
+	virtual ~NTP_Analyzer();
+
+	// Overriden from Analyzer.
+	virtual void Done();
+	
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					uint64 seq, const IP_Hdr* ip, int caplen);
+	
+
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new NTP_Analyzer(conn); }
+
+protected:
+	binpac::NTP::NTP_Conn* interp;
+	
+};
+
+} } // namespace analyzer::* 
+
+#endif

src/analyzer/protocol/ntp/Plugin.cc

@@ -0,0 +1,25 @@
+// Generated by binpac_quickstart
+
+#include "plugin/Plugin.h"
+
+#include "NTP.h"
+
+namespace plugin {
+namespace Bro_NTP {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("NTP",
+		             ::analyzer::NTP::NTP_Analyzer::InstantiateAnalyzer));
+
+		plugin::Configuration config;
+		config.name = "Bro::NTP";
+		config.description = "Network Time Protocol analyzer";
+		return config;
+		}
+} plugin;
+
+}
+}

src/analyzer/protocol/ntp/events.bif

@@ -0,0 +1,14 @@
+# Generated by binpac_quickstart
+
+# In this file, you'll define the events that your analyzer will
+# generate. A sample event is included.
+
+# ## TODO: Edit the sample event, and add more events.
+
+## Generated for NTP connections
+##
+## See `Google <http://lmgtfy.com/?q=NTP>`__ for more information about NTP
+##
+## c: The connection
+##
+event ntp_event%(c: connection%);

src/analyzer/protocol/ntp/ntp-analyzer.pac

@@ -0,0 +1,13 @@
+# Generated by binpac_quickstart
+
+refine flow NTP_Flow += {
+	function proc_ntp_message(msg: NTP_PDU): bool
+		%{
+		BifEvent::generate_ntp_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
+		return true;
+		%}
+};
+
+refine typeattr NTP_PDU += &let {
+	proc: bool = $context.flow.proc_ntp_message(this);
+};

src/analyzer/protocol/ntp/ntp-protocol.pac

@@ -0,0 +1,19 @@
+# Generated by binpac_quickstart
+
+# ## TODO: Add your protocol structures in here.
+# ## some examples:
+
+# Types are your basic building blocks.
+# There are some builtins, or you can define your own.
+# Here's a definition for a regular expression:
+# type NTP_WHITESPACE = RE/[ \t]*/;
+
+# A record is a collection of types.
+# Here's one with the built-in types
+# type example = record {
+# 	
+# };
+
+type NTP_PDU(is_orig: bool) = record {
+	data: bytestring &restofdata;
+} &byteorder=bigendian;

src/analyzer/protocol/ntp/ntp.pac

@@ -0,0 +1,41 @@
+# Generated by binpac_quickstart
+
+# Analyzer for Network Time Protocol
+#  - ntp-protocol.pac: describes the NTP protocol messages
+#  - ntp-analyzer.pac: describes the NTP analyzer code
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+	#include "events.bif.h"
+%}
+
+analyzer NTP withcontext {
+	connection: NTP_Conn;
+	flow:       NTP_Flow;
+};
+
+# Our connection consists of two flows, one in each direction.
+connection NTP_Conn(bro_analyzer: BroAnalyzer) {
+	upflow   = NTP_Flow(true);
+	downflow = NTP_Flow(false);
+};
+
+%include ntp-protocol.pac
+
+# Now we define the flow:
+flow NTP_Flow(is_orig: bool) {
+
+	# ## TODO: Determine if you want flowunit or datagram parsing:
+
+	# Using flowunit will cause the anlayzer to buffer incremental input.
+	# This is needed for &oneline and &length. If you don't need this, you'll
+	# get better performance with datagram.
+
+	# flowunit = NTP_PDU(is_orig) withcontext(connection, this);
+	datagram = NTP_PDU(is_orig) withcontext(connection, this);
+
+};
+
+%include ntp-analyzer.pac