I would like to use the NTP analyzer and documentation says:

“Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.” (https://www.bro.org/sphinx/script-reference/proto-analyzers.html#bro-ntp)

I think a DPD signature would be preferable compared to registering a port. Before I start digging into that I thought I might ask here, whether someone has already done this.

Best regards,