1# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 2# Pattern attributes: good fast fast overmatch 3# Protocol groups: time_synchronization ietf_draft_standard 4# Wiki: http://www.protocolinfo.org/wiki/NTP 5# 6# This pattern is tested and is believed to work. 7 8# client|server 9# Requires the server's timestamp to be in the present or future (of 2005). 10# Tested with ntpdate on Linux. 11# Assumes version 2, 3 or 4. 12 13# Note that ntp packets are always 48 bytes, so you should match on that too. 14 15ntp 16^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff]) 17