mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
53 lines
No EOL
1.3 KiB
Text
53 lines
No EOL
1.3 KiB
Text
##! Implements base functionality for NTP analysis.
|
|
##! Generates the Ntp.log file.
|
|
|
|
# Generated by binpac_quickstart
|
|
|
|
module Ntp;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Timestamp for when the event happened.
|
|
ts: time &log;
|
|
## Unique ID for the connection.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
|
|
# ## TODO: Add other fields here that you'd like to log.
|
|
};
|
|
|
|
## Event that can be handled to access the NTP record as it is sent on
|
|
## to the loggin framework.
|
|
global log_ntp: event(rec: Info);
|
|
}
|
|
|
|
# TODO: The recommended method to do dynamic protocol detection
|
|
# (DPD) is with the signatures in dpd.sig. If you can't come up
|
|
# with any signatures, then you can do port-based detection by
|
|
# uncommenting the following and specifying the port(s):
|
|
|
|
# const ports = { 1234/udp, 5678/udp };
|
|
|
|
|
|
# redef likely_server_ports += { ports };
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(Ntp::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
|
|
|
|
# TODO: If you're using port-based DPD, uncomment this.
|
|
# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
|
|
}
|
|
|
|
event ntp_event(c: connection)
|
|
{
|
|
local info: Info;
|
|
info$ts = network_time();
|
|
info$uid = c$uid;
|
|
info$id = c$id;
|
|
|
|
Log::write(Ntp::LOG, info);
|
|
} |