From 1ceea76ac4ed7fdb64280a550351caf158d67dfe Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 29 Apr 2026 15:24:58 +0200
Subject: [PATCH] schema: map NTP fields to keywords

(cherry picked from commit 18f742fdbd4f260777402f5a3f8912524272d86c)
---
 etc/schema.json | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/etc/schema.json b/etc/schema.json
index 081bd24fda..941893f26e 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -4443,19 +4443,39 @@
 "properties": {
 "mode": {
 "type": "integer",
- "description": "The mode of the NTP message"
+ "description": "The mode of the NTP message",
+ "suricata": {
+ "keywords": [
+ "ntp.mode"
+ ]
+ }
 },
 "reference_id": {
 "type": "string",
- "description": "Identifies specific server or reference clock as a colon-separated 4-byte hex string"
+ "description": "Identifies specific server or reference clock as a colon-separated 4-byte hex string",
+ "suricata": {
+ "keywords": [
+ "ntp.reference_id"
+ ]
+ }
 },
 "stratum": {
 "type": "integer",
- "description": "Indicates distance from the reference clock"
+ "description": "Indicates distance from the reference clock",
+ "suricata": {
+ "keywords": [
+ "ntp.stratum"
+ ]
+ }
 },
 "version": {
 "type": "integer",
- "description": "The NTP version number, typically 3 or 4"
+ "description": "The NTP version number, typically 3 or 4",
+ "suricata": {
+ "keywords": [
+ "ntp.version"
+ ]
+ }
 }
 }
 },
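Review bot: The `reference_id` entry now maps to `ntp.reference_id`, but its description only gives the logged form (a colon-separated 4-byte hex string) and does not say what form the keyword matches on. If the keyword inspects the raw four bytes rather than that rendered string (not visible in this patch, so please confirm), a rule author who copies the EVE value into a signature gets a rule that silently never fires. I would extend the description to mark the hex string as the log representation, along the lines of `"description": "... colon-separated 4-byte hex string (log representation; see the ntp.reference_id keyword documentation for the match format)"`. The enclosing object starts and ends outside the hunk, so I cannot tell whether sibling fields already carry such a note.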