Signature
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"NF - NTPD Kiss-o'-Death - Peer Polling Interval 10"; content:"|e4 00 0a|"; offset:0; depth:3; content:"|52 41 54 45|"; distance:5; within:15; reference:url,www.cs.bu.edu/~goldbe/NTPattack.html; reference:cve,2015-7704; reference:url,networkforensic.dk; metadata:05032016; classtype:bad-unknown; sid:5019501; rev:1;)
Recommendations/Investigative actions
Ensure that you are using the latest version of NTP software on your NTP servers and clients. Keep the software up-to-date with the latest vendor-released patches.Configure your NTP servers to only allow requests from trusted sources. Implement access control lists (ACLs) to restrict NTP traffic to authorized clients. Set up firewall rules to restrict external NTP traffic to specific NTP servers. Block NTP traffic from untrusted or unauthorized sources. Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.
Relations to other alerts