# Written by Jon Schipp, 01-10-2013
#
# Detects when hosts send NTP messages to NTP servers not defined in time_servers.
# To use:
# 1. Enable the NTP analyzer:
#
# If running Bro 2.1 add lines to local.bro:
#
# global ports = set(123/udp);
# redef dpd_config += { [ANALYZER_NTP] = [$ports = ports]
# };
#
# If running Bro 2.2 add lines to local.bro:
#
# event bro_init()
# {
# local ports = set(123/udp);
# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP,
# ports);
# }
#
# 2. Copy the ntp-audit.bro script to $BROPREFIX/share/bro/site
# 3. Place the following line in local.bro, above the code from step 1:
# @load ntp-audit.bro
# 4. Run the following commands to validate the script, install it, and put it into production:
# $ broctl check && broctl install && broctl restart
#
# If you would like to receive e-mails when this notice is generated, add its type to emailed_types in local.bro,
# e.g.
# redef Notice::emailed_types += {
# MyScripts::Query_Sent_To_Wrong_Server,
# };
# The Notice framework provides NOTICE() and the Notice::Type enum that the
# Query_Sent_To_Wrong_Server type below extends.
@load base/frameworks/notice
# Use namespace so variables don't conflict with those in other scripts
module MyScripts;
# Export sets and types so that they can be redefined outside of this script
export {
	# Notice raised when a local host sends NTP traffic to a server
	# that is not one of the approved time_servers.
	redef enum Notice::Type += {
		Query_Sent_To_Wrong_Server
	};

	# Approved NTP servers. Queries to any other responder are reported.
	# Override with `redef MyScripts::time_servers += { ... };` in local.bro.
	const time_servers: set[addr] = {
		192.168.1.250,
		192.168.1.251,
	} &redef;

	# Source addresses that are allowed to query arbitrary time sources:
	# the time servers themselves (they sync upstream) and the gateway,
	# which uses an external source for time.
	const time_exclude: set[addr] = {
		192.168.1.250,
		192.168.1.251,
		192.168.1.1,
	} &redef;

	# Whole source subnets that are exempt from the audit (e.g. a mobile
	# or guest network whose clients are not centrally configured).
	const subnet_exclude: set[subnet] = {
		192.168.2.0/24,
	} &redef;
}
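# Audits NTP client traffic: raises Query_Sent_To_Wrong_Server when a local
# host (per Site::local_nets / networks.cfg) that is not excluded talks to a
# responder outside time_servers.
#
# u:      the connection carrying the NTP message; its originator is treated
#         as the NTP client and its responder as the server.
# msg:    the parsed NTP message (not inspected here; the audit is address-based).
# excess: trailing bytes after the parsed message (unused).
#
# NOTE(review): this is the Bro 2.x ntp_message signature referenced in the
# header; newer Zeek releases changed the NTP event interface, so confirm
# against the version actually running.
event ntp_message(u: connection, msg: ntp_msg, excess: string)
	{
	local client = u$id$orig_h;
	local server = u$id$resp_h;

	# Exit event handler if originator is not in networks.cfg
	if ( ! Site::is_local_addr(client) )
		return;

	# Opted-out subnets (e.g. mobile network) are never audited.
	if ( client in subnet_exclude )
		return;

	# Individual hosts allowed to use outside time sources are skipped.
	if ( client in time_exclude )
		return;

	if ( server !in time_servers )
		{
		# The suppression key includes the server address: keying on the
		# client alone meant a host contacting several unexpected servers
		# produced one notice per day and the remaining servers were hidden
		# by suppression. $sub carries the server for triage without
		# having to open conn.log.
		NOTICE([$note=Query_Sent_To_Wrong_Server,
		        $msg="NTP query destined to non-defined NTP servers",
		        $sub=cat(server),
		        $conn=u,
		        $identifier=fmt("%s-%s", client, server),
		        $suppress_for=1day]);
		}
	}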