Feature #8394
open
Task #8388: firewall: support protocol hooks for all app-layer protocols
firewall: support NTP hook states for firewall rule evaluation
Description
NTP is a fundamental network protocol present in virtually all environments. In Suricata 8.0.4, NTP app-layer hook states are not registered for firewall mode. Attempting to use any ntp:* hook in a firewall rule fails with the error: "protocol ntp does not support hook".
Without NTP hooks, NTP traffic on UDP port 123 can only be controlled at the packet layer. While packet-layer rules (accept:hook udp:all any any <> any 123) can accept NTP packets, the app-layer parser still engages and the flow may be subject to default_app_policy behavior. Registering NTP hooks would allow the firewall engine to make explicit accept/drop decisions at the application layer, consistent with how other protocols (DNS, TLS, HTTP1) are handled.
Potential NTP states:
- Client request sent
- Server response received
- Synchronized
- Kiss-o'-Death received
- Unsynchronized
- Symmetric active/passive
- Broadcast mode
These states should be mapped to firewall hook points. At minimum, a request/response pair would enable basic firewall control. Additional hooks for Kiss-o'-Death and broadcast mode would allow more granular policy enforcement.
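As an added illustration of how the candidate states above can be derived from an NTP header (example code written for this ticket, not Suricata's own Rust NTP parser; it assumes the RFC 5905 48-byte header layout and constructs its own sample packets):

```rust
// Added example, not Suricata code: classify a raw NTP packet into the candidate
// hook states listed in this ticket, using the RFC 5905 header layout (48 bytes:
// LI/VN/Mode in byte 0, stratum in byte 1, reference ID in bytes 12..16).
#[derive(Debug, PartialEq)]
pub enum NtpState {
    ClientRequest,
    ServerResponse,      // synchronized reply from a server (LI != 3, stratum > 0)
    KissOfDeath(String), // server reply with stratum 0; kiss code is in the reference ID
    Unsynchronized,      // server reply with leap indicator 3 (clock not synchronized)
    SymmetricActive,
    SymmetricPassive,
    Broadcast,
    Other(u8),           // control/private/reserved modes
}

pub fn classify(pkt: &[u8]) -> Option<NtpState> {
    if pkt.len() < 48 {
        return None; // too short to be a complete NTP header
    }
    let li = pkt[0] >> 6;
    let mode = pkt[0] & 0x07;
    let stratum = pkt[1];
    let refid = &pkt[12..16];
    Some(match mode {
        3 => NtpState::ClientRequest,
        4 if stratum == 0 => NtpState::KissOfDeath(String::from_utf8_lossy(refid).into_owned()),
        4 if li == 3 => NtpState::Unsynchronized,
        4 => NtpState::ServerResponse,
        1 => NtpState::SymmetricActive,
        2 => NtpState::SymmetricPassive,
        5 => NtpState::Broadcast,
        m => NtpState::Other(m),
    })
}

// Build a constructed 48-byte NTP packet with the given first byte, stratum and
// reference ID; all other fields are zero (enough for classification).
pub fn build(first: u8, stratum: u8, refid: &[u8; 4]) -> Vec<u8> {
    let mut p = vec![0u8; 48];
    p[0] = first;
    p[1] = stratum;
    p[12..16].copy_from_slice(refid);
    p
}

fn main() {
    // 0x23 = LI 0, version 4, mode 3 (client); 0x24 = mode 4 (server).
    println!("{:?}", classify(&build(0x23, 0, b"\0\0\0\0")));
    println!("{:?}", classify(&build(0x24, 0, b"RATE"))); // Kiss-o'-Death
    println!("{:?}", classify(&build(0xe4, 2, b"GPS\0"))); // LI 3 -> unsynchronized
}
```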