diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index af42ddf9d1..654e6b11f6 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -65,10 +65,13 @@ refine flow NTP_Flow += {
 rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
 rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
- if (${nsm.has_mac}) {
+ if (${nsm.mac_len}==20) {
 rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
 rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
- }
+ } else if (${nsm.mac_len}==24) {
+ rv->Assign(13, val_mgr->GetCount(${nsm.mac_ext.key_id}));
+ rv->Assign(14, bytestring_to_val(${nsm.mac_ext.digest}));
+ }
 
 // TODO: add extension fields
 //rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index fd3a43f9c9..499cd1398c 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -40,13 +40,14 @@ type NTP_std_msg = record {
 receive_ts : NTP_Time;
 transmit_ts : NTP_Time;
 #extensions : Extension_Field[] &until($input.length() == 20); #TODO: this need to be properly parsed
- mac_fields : case (has_mac) of {
- true -> mac : NTP_MAC;
+ mac_fields : case (mac_len) of {
+ 20 -> mac : NTP_MAC;
+ 24 -> mac_ext : NTP_MAC_ext;
 false -> nil : empty;
- } &requires(has_mac);
+ } &requires(mac_len);
 } &let {
 length = sourcedata.length();
- has_mac: bool = (length - offsetof(mac_fields)) == 20;
+ mac_len: uint32 = (length - offsetof(mac_fields));
 } &byteorder=bigendian &exportsourcedata;
 
 # This format is for mode==6, control msg
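Review bot: The two branches on `${nsm.mac_len}` fill the same record slots and differ only in which sub-field they read, and whether a trailing length other than 20 or 24 can reach this code at all (leaving slots 13 and 14 unset) is decided by the case arms in ntp-protocol.pac, not here, so that invariant should be stated where the values are compared. Suggest a comment above the `if`: `// mac_len is the byte count after the fixed 48-byte header, not a MAC size: 20 = key_id + 128-bit digest (RFC 5905), 24 = key_id + 160-bit digest (RFC 5906); any other value carries no MAC fields here.` The enclosing flow function starts and ends outside this hunk.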
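Review bot: The `case (mac_len)` still has no `default` arm, so a trailing length other than 0, 20 or 24 — an extension field ahead of the MAC (the `#extensions` line is still commented out), trailing padding, or a truncated datagram — matches no arm and the whole message parse fails instead of just omitting the MAC, which is a cheap way for a peer to make the analyzer drop NTP sessions. The surviving `false -> nil : empty;` now labels a `uint32` case and only works because `false` is the integer 0; suggest `0 -> nil : empty;` plus `default -> nil : empty;` so unknown trailers are tolerated until extension fields are parsed. Since `mac_len` is `length - offsetof(mac_fields)` as an unsigned value, it underflows for datagrams shorter than the fixed header unless binpac has already rejected them — I cannot confirm that from this hunk, so a short comment on `mac_len` saying it is the remaining byte count (MAC size only while extensions are unparsed) would help. The enclosing `NTP_std_msg` record starts outside this hunk.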
@@ -78,6 +79,12 @@ type NTP_MAC = record {
 digest: bytestring &length=16;
 } &length=20;
 
+# As in RFC 5906, same as NTP_MAC but with a 160 bit digest
+type NTP_MAC_ext = record {
+ key_id: uint32;
+ digest: bytestring &length=20;
+} &length=24;
+
 # As in RFC 1119
 type NTP_CONTROL_MAC = record {
 key_id: uint32;
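Review bot: `NTP_MAC_ext` is a copy of `NTP_MAC` with only the digest length changed; binpac records take parameters, so one `type NTP_MAC(digest_len: uint32)` with `digest: bytestring &length=digest_len;` and `&length=digest_len+4` would serve both arms of the case in `NTP_std_msg` and make a further digest size a one-line change there. If the two types stay, the header comment should make clear that length is the only thing distinguishing them and that nothing here inspects the digest: `# RFC 5906 (Autokey) MAC: key_id plus a 160-bit digest; the parser infers the variant from the trailing length and does not identify or verify the digest algorithm.`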