git.ipfire.org Git - thirdparty/suricata.git/commitdiff
Add event rules for NTP events
author Pierre Chifflier <chifflier@wzdftpd.net>
Tue, 20 Jun 2017 11:57:46 +0000 (13:57 +0200)
committer Victor Julien <victor@inliniac.net>
Tue, 27 Jun 2017 14:52:23 +0000 (16:52 +0200)
rules/Makefile.am
rules/ntp-events.rules [new file with mode: 0644]

index 98a484d3a5b2659d0eefa21ada62d8a81f925a22..daa8d67e5235712bebe94e8b42f7910d2b01ff8d 100644 (file)
@@ -8,4 +8,5 @@ tls-events.rules \
 modbus-events.rules \
 app-layer-events.rules \
 files.rules \
-dnp3-events.rules
+dnp3-events.rules \
+ntp-events.rules
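Review bot: this hunk only adds the file to the installed rule list in rules/Makefile.am; neither the commit message nor the diff says whether the shipped default configuration also references ntp-events.rules, so a sentence in the commit message stating how these rules get loaded (or a follow-up change to the default rule-files list) would help packagers and users who rely on the stock setup.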
diff --git a/rules/ntp-events.rules b/rules/ntp-events.rules
new file mode 100644 (file)
index 0000000..fe70337
--- /dev/null
@@ -0,0 +1,8 @@
+# NTP app layer event rules
+#
+# SID's fall in the 2222000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;)
+alert ntp any any -> any any (msg:"SURICATA NTP malformed response data"; flow:to_client; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222001; rev:1;)
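Review bot: the header comment on the line "# These sigs fire at most once per connection." is slightly misleading for `alert ntp`, since NTP is carried over UDP and the unit Suricata tracks is the flow; "once per flow" would be more accurate. Both rules key off the same `app-layer-event:ntp.malformed_data` and differ only in `flow:to_server` versus `flow:to_client`, which is fine for distinguishing malformed requests from malformed responses, but it is worth confirming that the 2222000+ SID range is actually reserved for NTP on the linked AppLayer wiki page before this lands, and "SID's" in the comment should read "SIDs".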