Feature #8431

open

Task #8388: firewall: support protocol hooks for all app-layer protocols

Feature #8394: firewall: support NTP hook states for firewall rule evaluation

rules: add ntp.stratum keyword

Added by Victor Julien 1 day ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
Effort:
Difficulty:
Label:

Description

The proposed states in the ticket (Kiss-o'-Death, broadcast mode, symmetric active/passive, etc.) don't need to be separate hook states — they can all be expressed as keyword matches on the existing hooks. For example, ntp.stratum:0 at ntp:response_complete covers Kiss-o'-Death, ntp.mode:5 covers broadcast, and ntp.mode:1 covers symmetric active. Adding ntp.mode, ntp.version, and ntp.stratum as detection keywords eliminates the need for protocol-specific hook states entirely. These are the same fields that ET Pro rules already inspect via raw byte_test for NTP DDoS/amplification detection — native keywords would replace fragile byte-level matching and benefit both firewall and IDS rule authors.

The ntp.stratum keyword should be an integer keyword.
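To make the mapping in the description concrete, here is an added example (not part of the issue and not Suricata code) that parses the fixed 48-byte NTP header and expresses the three matches named above (ntp.stratum:0 on a response, ntp.mode:5, ntp.mode:1) as predicates over the parsed fields, next to the raw-byte check that a byte_test-style rule has to do instead. The packets are constructed; treating "ntp:response_complete" as "the packet is a mode 4 server reply" and the ASCII kiss code in the reference-id field are assumptions made for the example, taken from RFC 5905.

```python
# Minimal NTP (RFC 5905) header parser plus the field checks that the proposed
# ntp.mode / ntp.version / ntp.stratum keywords would express.
# Added example; the packets built here are constructed, not captured traffic.
import struct

NTP_HEADER_LEN = 48  # fixed header; extension fields and MAC are optional


def parse_ntp_header(pkt: bytes) -> dict:
    """Split the first byte into LI / VN / mode and pull out stratum and ref id."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    first = pkt[0]
    return {
        "li": first >> 6,                # leap indicator, 2 bits
        "version": (first >> 3) & 0x7,   # version number, 3 bits
        "mode": first & 0x7,             # association mode, 3 bits
        "stratum": pkt[1],               # 0 = unspecified / kiss-o'-death
        "poll": pkt[2],
        "precision": struct.unpack("b", pkt[3:4])[0],
        "ref_id": pkt[12:16],            # ASCII kiss code when stratum == 0
    }


def raw_mode(pkt: bytes) -> int:
    """What a byte-level rule does today: mask the low 3 bits of byte 0."""
    return pkt[0] & 0x07


def build_ntp(version: int, mode: int, stratum: int,
              ref_id: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Constructed 48-byte NTP header with zeroed timestamps (LI = 0)."""
    first = (0 << 6) | (version << 3) | mode
    # poll = 6, precision = -20 (0xEC), root delay/dispersion zero
    return bytes([first, stratum, 6, 0xEC]) + b"\x00" * 8 + ref_id + b"\x00" * 32


# The keyword matches from the issue, as predicates over parsed fields.
# ntp:response_complete is modelled here as "mode 4 server reply" (assumption).
def is_kiss_of_death(f: dict) -> bool:
    return f["mode"] == 4 and f["stratum"] == 0


def is_broadcast(f: dict) -> bool:
    return f["mode"] == 5


def is_symmetric_active(f: dict) -> bool:
    return f["mode"] == 1


def classify(pkt: bytes) -> list:
    """Return the names of the matches that fire for one packet."""
    f = parse_ntp_header(pkt)
    hits = []
    if is_kiss_of_death(f):
        hits.append("kiss-o'-death")
    if is_broadcast(f):
        hits.append("broadcast")
    if is_symmetric_active(f):
        hits.append("symmetric-active")
    return hits


if __name__ == "__main__":
    samples = {
        "client request": build_ntp(4, 3, 2),
        "KoD reply (RATE)": build_ntp(4, 4, 0, b"RATE"),
        "broadcast": build_ntp(4, 5, 2),
        "symmetric active": build_ntp(4, 1, 2),
    }
    for name, pkt in samples.items():
        f = parse_ntp_header(pkt)
        assert raw_mode(pkt) == f["mode"]  # keyword and byte mask agree
        print(f"{name:18} v{f['version']} mode={f['mode']} "
              f"stratum={f['stratum']} -> {classify(pkt)}")
```

The point of the side-by-side is that a stratum match on a response needs both a field value and a direction, which a native keyword plus hook gives for free, while a byte-level rule has to encode the bit mask and the offset itself.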


Related issues (1 open, 0 closed)

Related to Suricata - Feature #8425: ntp: add ntp transaction logging (New, OISF Dev)
