WeirdActivity truncated_NTP pb ?

Hi,

Happy New Year,

I have this event :

1105106060.883849:WeirdActivity:NOTICE_ALARM_ALWAYS:::::::::::truncated_NTP x.x.x.x/32785 > 157.99.64.66/123:

but the NTP request is not truncated:

$ tcpdump383 -vvnSlr bro_truncated_ntp.pcap
14:54:20.883849 IP (tos 0x0, ttl 63, id 42724, offset 0, flags [DF], length: 40) x.x.x.x.32785 > 157.99.64.66.123: [udp sum ok] [len=12]NTPv2 res1, strat 2, poll 0, prec 1 dist 0.000000, disp 0.000000 [|ntp]

$ tcpdump372 -vvnSlr bro_truncated_ntp.pcap
14:54:20.883849 x.x.x.x.32785 > 157.99.64.66.123: [udp sum ok] [len=12] v2 res1 strat 2 poll 0 prec 1 dist 0.000000 disp 0.000000 ref 0.0.0.0 [|ntp] (DF) (ttl 63, id 42724, len 40)

$ tethereal0101 -ta -nr bro_truncated_ntp.pcap
   1 14:54:20.883849 x.x.x.x -> 157.99.64.66 NTP NTP control

$ tethereal0101 -ta -Vnr bro_truncated_ntp.pcap
...
     Fragment offset: 0
     Time to live: 63
     Protocol: UDP (0x11)
     Header checksum: 0x5681 (correct)
     Source: x.x.x.x (x.x.x.x)
     Destination: 157.99.64.66 (157.99.64.66)
User Datagram Protocol, Src Port: 32785 (32785), Dst Port: 123 (123)
     Source port: 32785 (32785)
     Destination port: 123 (123)
     Length: 20
     Checksum: 0x2ad7 (correct)
Network Time Protocol
     Flags: 0x16
         00.. .... = Leap Indicator: no warning (0)
         ..01 0... = Version number: reserved (2)
         .... .110 = Mode: reserved for NTP control message (6)
     Flags 2: 0x02
         0... .... = Response bit: Request (0)
         .0.. .... = Error bit: 0
         ..0. .... = More bit: 0
         ...0 0010 = Opcode: READVAR (2)

False positive?

I'm using bro09a7 on freebsd410 with "bro.init mt".
I'm using the default rules/conf.

Regards

Rmkml@Wanadoo.fr

Hi,

Happy New Year,

I have this event :

1105106060.883849:WeirdActivity:NOTICE_ALARM_ALWAYS:::::::::::truncated_NTP
x.x.x.x/32785 > 157.99.64.66/123:

but the NTP request is not truncated:

$ tcpdump383 -vvnSlr bro_truncated_ntp.pcap
14:54:20.883849 IP (tos 0x0, ttl 63, id 42724, offset 0, flags [DF],
length: 40) x.x.x.x.32785 > 157.99.64.66.123: [udp sum ok]
[len=12]NTPv2 res1, strat 2, poll 0, prec 1 dist 0.000000, disp 0.000000
[|ntp]

  ^^^^^^

Yes it is ... your output indicates that your trace contains truncated
NTP packets. Presumably you fed this trace to Bro...

From the tcpdump manpage: "Packets truncated because of a limited
snapshot are indicated in the output with ``[|proto]'', where proto is
the name of the protocol level at which the truncation has occurred."

Cheers,
Christian.
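As an added example (not code from this thread, Bro or tcpdump), a small decoder that applies the two minimum lengths an NTP parser has to know about when deciding whether a datagram is cut short: 12 bytes for a mode-6 control message header (plus whatever its count field announces) and 48 bytes for every other mode. The sample payloads are constructed here, the first one from the flag bytes shown in the tethereal dump above (0x16, 0x02, remaining fields zero).

```python
import struct

# Minimum sizes of the two NTP layouts that matter when triaging a short datagram.
NTP_STANDARD_MIN = 48   # RFC 5905 mode 1-5 header, no extension fields or MAC
NTP_CONTROL_MIN = 12    # RFC 1305 appendix B mode-6 control message header

CONTROL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
                   5: "WRITECLOCK", 6: "SETTRAP", 7: "TRAPS"}

def parse_ntp(payload: bytes) -> dict:
    """Decode the NTP header of a UDP payload far enough to report whether the
    message is complete for its mode, or shorter than that layout allows."""
    if not payload:
        return {"complete": False, "reason": "empty payload"}
    b0 = payload[0]
    info = {"leap": b0 >> 6, "version": (b0 >> 3) & 7, "mode": b0 & 7}
    if info["mode"] == 6:
        info["expected_min"] = NTP_CONTROL_MIN
        if len(payload) < NTP_CONTROL_MIN:
            info.update(complete=False, reason="control header cut short")
            return info
        # Byte 1 packs the R/E/M bits and the opcode; four 16-bit fields follow.
        b1 = payload[1]
        seq, status, assoc, offset, count = struct.unpack("!HHHHH", payload[2:12])
        info.update(response=bool(b1 & 0x80), error=bool(b1 & 0x40),
                    more=bool(b1 & 0x20), opcode=b1 & 0x1F,
                    opcode_name=CONTROL_OPCODES.get(b1 & 0x1F, "unknown"),
                    sequence=seq, status=status, assoc_id=assoc,
                    offset=offset, count=count)
        # The count field announces how many data bytes must follow the header.
        data_len = len(payload) - NTP_CONTROL_MIN
        if data_len < count:
            info.update(complete=False,
                        reason=f"count={count} but only {data_len} data bytes")
        else:
            info.update(complete=True, reason="complete control message")
        return info
    info["expected_min"] = NTP_STANDARD_MIN
    if len(payload) < NTP_STANDARD_MIN:
        info.update(complete=False,
                    reason=f"{len(payload)} of {NTP_STANDARD_MIN} header bytes")
    else:
        info.update(complete=True, reason="complete standard header")
    return info

# Constructed samples: the 12-byte READVAR request from the dump above, a v4
# client request (0x23) cut to 12 bytes, and the same request at 48 bytes.
CONTROL_READVAR = bytes([0x16, 0x02]) + bytes(10)
CLIENT_CUT = bytes([0x23]) + bytes(11)
CLIENT_FULL = bytes([0x23]) + bytes(47)

if __name__ == "__main__":
    for pkt in (CONTROL_READVAR, CLIENT_CUT, CLIENT_FULL):
        print(parse_ntp(pkt))
```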