Hi Guys, I am trying to detect hosts that are ntp clients to verify they are not also acting as a server. I have set up the basic script as seen below using event ntp_msg(). When I run the code I see the msg code for client (3) and server (4) as expected. But what does not look correct is that the orig_h is the same for both the request from the client and the response from the server. In this test the client is 172.16.1.7 and the server is 172.16.1.41. Anyone have any ideas of what I may have missed, or have I hit a bug?
Regards,
Robert
Debug output:
ID:=, 1229867348
orig_h=, 172.16.1.7
resp_host=, 172.16.1.41
msg code=, 3
excess=,
ID:=, 2733850379
orig_h=, 172.16.1.7
resp_host=, 172.16.1.41
msg code=, 4
excess=,
Code:
module NTP;
export {
redef enum Log::ID += { LOG };
redef enum Notice::Type += {
NTP_ALARM,
NTP_Monlist_Queries,
};
type ntp_record: record {
ts: time &log;
uid: string &log;
orig: addr &log;
resp: addr &log;
refid: count &default=0 &log;
code: count &default=0 &log;
stratum: count &default=0 &log;
poll: count &default=0 &log;
precision: int &default=to_int("0") &log;
#distance: interval;
#dispersion: interval;
reftime: time &log;
#orig: time;
#rec: time;
#xmt: time;
excess: string &default="NULL" &log;
};
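For reference, the identical orig_h on both messages is the expected Bro behaviour: conn_id describes the UDP flow, so orig_h stays the host that sent the first packet (the client) for both directions, and the sender of an individual message has to be derived from the mode in msg$code. Below is an added sketch (my own, not Robert's script above) that does exactly that to flag a host seen in both roles; it assumes the old ntp_message(u, msg, excess) event signature implied by the debug output and the mode values 3 = client and 4 = server shown there.

```zeek
module NTP;

export {
    redef enum Notice::Type += {
        ## A host that sends NTP client requests (mode 3) has also
        ## been seen answering as an NTP server (mode 4).
        NTP_Client_Also_Server,
    };
}

# Hosts seen sending mode-3 requests and hosts seen sending mode-4
# replies; entries expire so the sets do not grow without bound.
global ntp_clients: set[addr] &create_expire=1day;
global ntp_servers: set[addr] &create_expire=1day;

const NTP_MODE_CLIENT = 3;
const NTP_MODE_SERVER = 4;

# Assumption: old Bro event signature ntp_message(u, msg, excess).
# u$id$orig_h is the originator of the UDP flow for *both* directions,
# so the sender of this particular message is chosen from msg$code.
event ntp_message(u: connection, msg: ntp_msg, excess: string)
    {
    local sender: addr;

    if ( msg$code == NTP_MODE_CLIENT )
        {
        sender = u$id$orig_h;      # request: sent by the flow originator
        add ntp_clients[sender];
        }
    else if ( msg$code == NTP_MODE_SERVER )
        {
        sender = u$id$resp_h;      # reply: sent by the responder
        add ntp_servers[sender];
        }
    else
        return;                    # broadcast/control/private modes ignored here

    # Raise once per host once it has been seen in both roles;
    # $identifier lets the notice framework suppress repeats.
    if ( sender in ntp_clients && sender in ntp_servers )
        NOTICE([$note=NTP_Client_Also_Server,
                $msg=fmt("%s sends NTP client requests and also answers as an NTP server", sender),
                $src=sender,
                $conn=u,
                $identifier=cat(sender)]);
    }
```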