diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 6cfddfeb65..3f469ab340 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1113,9 +1113,6 @@ const table_expire_delay = 0.01 secs &redef;
 ## Time to wait before timing out a DNS request.
 const dns_session_timeout = 10 sec &redef;
 
-## Time to wait before timing out an NTP request.
-const ntp_session_timeout = 300 sec &redef;
-
 ## Time to wait before timing out an RPC request.
 const rpc_timeout = 24 sec &redef;
 
@@ -2529,26 +2526,6 @@ export {
 };
 }
 
-module GLOBAL;
-
-## An NTP message.
-##
-## .. zeek:see:: ntp_message
-type ntp_msg: record {
- id: count; ##< Message ID.
- code: count; ##< Message code.
- stratum: count; ##< Stratum.
- poll: count; ##< Poll.
- precision: int; ##< Precision.
- distance: interval; ##< Distance.
- dispersion: interval; ##< Dispersion.
- ref_t: time; ##< Reference time.
- originate_t: time; ##< Originating time.
- receive_t: time; ##< Receive time.
- xmit_t: time; ##< Send time.
-};
-
-
 module NTLM;
 
 export {
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 3717f0c90f..b9230bece7 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -77,7 +77,6 @@ bool udp_content_deliver_all_orig;
 bool udp_content_deliver_all_resp;
 
 double dns_session_timeout;
-double ntp_session_timeout;
 double rpc_timeout;
 
 ListVal* skip_authentication;
@@ -103,8 +102,6 @@ TableType* pm_mappings;
 RecordType* pm_port_request;
 RecordType* pm_callit_request;
 
-RecordType* ntp_msg;
-
 RecordType* geo_location;
 RecordType* entropy_test_result;
 
@@ -360,7 +357,6 @@ void init_net_var()
 bool(internal_val("udp_content_deliver_all_resp")->AsBool());
 
 dns_session_timeout = opt_internal_double("dns_session_timeout");
- ntp_session_timeout = opt_internal_double("ntp_session_timeout");
 rpc_timeout = opt_internal_double("rpc_timeout");
 
 watchdog_interval = int(opt_internal_double("watchdog_interval"));
@@ -390,8 +386,6 @@ void init_net_var()
 pm_port_request = internal_type("pm_port_request")->AsRecordType();
 pm_callit_request = internal_type("pm_callit_request")->AsRecordType();
 
- ntp_msg = internal_type("ntp_msg")->AsRecordType();
-
 geo_location = internal_type("geo_location")->AsRecordType();
 entropy_test_result = internal_type("entropy_test_result")->AsRecordType();
 
diff --git a/src/NetVar.h b/src/NetVar.h
index 30c9003dc4..9fa4d75fa6 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -80,7 +80,6 @@ extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
 
 extern double dns_session_timeout;
-extern double ntp_session_timeout;
 extern double rpc_timeout;
 
 extern ListVal* skip_authentication;
@@ -106,8 +105,6 @@ extern TableType* pm_mappings;
 extern RecordType* pm_port_request;
 extern RecordType* pm_callit_request;
 
-extern RecordType* ntp_msg;
-
 extern RecordType* geo_location;
 extern RecordType* entropy_test_result;
 
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 882ba23da9..30a86ea740 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -28,7 +28,6 @@ add_subdirectory(mysql)
 add_subdirectory(ncp)
 add_subdirectory(netbios)
 add_subdirectory(ntlm)
-add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
 add_subdirectory(radius)
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
deleted file mode 100644
index a8b8bb1872..0000000000
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include(BroPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-bro_plugin_begin(Bro NTP)
-bro_plugin_cc(NTP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
deleted file mode 100644
index 61fd92ee84..0000000000
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ /dev/null
@@ -1,114 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek-config.h"
-
-#include "NetVar.h"
-#include "NTP.h"
-#include "Sessions.h"
-#include "Event.h"
-
-#include "events.bif.h"
-
-using namespace analyzer::ntp;
-
-NTP_Analyzer::NTP_Analyzer(Connection* conn)
- : Analyzer("NTP", conn)
- {
- ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer,
- network_time + ntp_session_timeout, 1,
- TIMER_NTP_EXPIRE);
- }
-
-void NTP_Analyzer::Done()
- {
- Analyzer::Done();
- Event(udp_session_done);
- }
-
-void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
- {
- Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
-
- // Actually we could just get rid of the Request/Reply and simply use
- // the code of Message(). But for now we use it as an example of how
- // to convert an old-style UDP analyzer.
- if ( is_orig )
- Request(data, len);
- else
- Reply(data, len);
- }
-
-int NTP_Analyzer::Request(const u_char* data, int len)
- {
- Message(data, len);
- return 1;
- }
-
-int NTP_Analyzer::Reply(const u_char* data, int len)
- {
- Message(data, len);
- return 1;
- }
-
-void NTP_Analyzer::Message(const u_char* data, int len)
- {
- if ( (unsigned) len < sizeof(struct ntpdata) )
- {
- Weird("truncated_NTP");
- return;
- }
-
- struct ntpdata* ntp_data = (struct ntpdata *) data;
- len -= sizeof *ntp_data;
- data += sizeof *ntp_data;
-
- if ( ! ntp_message )
- return;
-
- RecordVal* msg = new RecordVal(ntp_msg);
-
- unsigned int code = ntp_data->status & 0x7;
-
- msg->Assign(0, val_mgr->GetCount((unsigned int) (ntohl(ntp_data->refid))));
- msg->Assign(1, val_mgr->GetCount(code));
- msg->Assign(2, val_mgr->GetCount((unsigned int) ntp_data->stratum));
- msg->Assign(3, val_mgr->GetCount((unsigned int) ntp_data->ppoll));
- msg->Assign(4, val_mgr->GetInt((unsigned int) ntp_data->precision));
- msg->Assign(5, new Val(ShortFloat(ntp_data->distance), TYPE_INTERVAL));
- msg->Assign(6, new Val(ShortFloat(ntp_data->dispersion), TYPE_INTERVAL));
- msg->Assign(7, new Val(LongFloat(ntp_data->reftime), TYPE_TIME));
- msg->Assign(8, new Val(LongFloat(ntp_data->org), TYPE_TIME));
- msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
- msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
-
- ConnectionEventFast(ntp_message, {
- BuildConnVal(),
- msg,
- new StringVal(new BroString(data, len, 0)),
- });
- }
-
-double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)
- {
- return ConvertToDouble(ntohs(fp.int_part), ntohs(fp.fraction), 65536.0);
- }
-
-double NTP_Analyzer::LongFloat(struct l_fixedpt fp)
- {
- double t = ConvertToDouble(ntohl(fp.int_part), ntohl(fp.fraction),
- 4294967296.0);
-
- return t ? t - JAN_1970 : 0.0;
- }
-
-double NTP_Analyzer::ConvertToDouble(unsigned int int_part,
- unsigned int fraction, double frac_base)
- {
- return double(int_part) + double(fraction) / frac_base;
- }
-
-void NTP_Analyzer::ExpireTimer(double /* t */)
- {
- Event(connection_timeout);
- sessions->Remove(Conn());
- }
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
deleted file mode 100644
index 5b5d3d7baa..0000000000
--- a/src/analyzer/protocol/ntp/NTP.h
+++ /dev/null
@@ -1,69 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef ANALYZER_PROTOCOL_NTP_NTP_H
-#define ANALYZER_PROTOCOL_NTP_NTP_H
-
-#include "analyzer/protocol/udp/UDP.h"
-
-// The following are from the tcpdump distribution, credited there
-// to the U of MD implementation.
-
-#define JAN_1970 2208988800.0 /* 1970 - 1900 in seconds */
-
-namespace analyzer { namespace ntp {
-
-struct l_fixedpt {
- unsigned int int_part;
- unsigned int fraction;
-};
-
-struct s_fixedpt {
- unsigned short int_part;
- unsigned short fraction;
-};
-
-struct ntpdata {
- unsigned char status; /* status of local clock and leap info */
- unsigned char stratum; /* Stratum level */
- unsigned char ppoll; /* poll value */
- int precision:8;
- struct s_fixedpt distance;
- struct s_fixedpt dispersion;
- unsigned int refid;
- struct l_fixedpt reftime;
- struct l_fixedpt org;
- struct l_fixedpt rec;
- struct l_fixedpt xmt;
-};
-
-class NTP_Analyzer : public analyzer::Analyzer {
-public:
- explicit NTP_Analyzer(Connection* conn);
-
- static analyzer::Analyzer* Instantiate(Connection* conn)
- { return new NTP_Analyzer(conn); }
-
-protected:
- void Done() override;
- void DeliverPacket(int len, const u_char* data, bool orig,
- uint64 seq, const IP_Hdr* ip, int caplen) override;
-
- int Request(const u_char* data, int len);
- int Reply(const u_char* data, int len);
-
- // NTP is a unidirectional protocol, so no notion of "requests"
- // as separate from "replies".
- void Message(const u_char* data, int len);
-
- double ShortFloat(struct s_fixedpt fp);
- double LongFloat(struct l_fixedpt fp);
- double ConvertToDouble(unsigned int int_part, unsigned int fraction,
- double frac_base);
-
- friend class ConnectionTimer;
- void ExpireTimer(double t);
-};
-
-} } // namespace analyzer::*
-
-#endif
diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc
deleted file mode 100644
index 3399fbb867..0000000000
--- a/src/analyzer/protocol/ntp/Plugin.cc
+++ /dev/null
@@ -1,25 +0,0 @@
-// See the file in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-#include "NTP.h"
-
-namespace plugin {
-namespace Bro_NTP {
-
-class Plugin : public plugin::Plugin {
-public:
- plugin::Configuration Configure()
- {
- AddComponent(new ::analyzer::Component("NTP", ::analyzer::ntp::NTP_Analyzer::Instantiate));
-
- plugin::Configuration config;
- config.name = "Bro::NTP";
- config.description = "NTP analyzer";
- return config;
- }
-} plugin;
-
-}
-}
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
deleted file mode 100644
index d32d680799..0000000000
--- a/src/analyzer/protocol/ntp/events.bif
+++ /dev/null
@@ -1,21 +0,0 @@
-## Generated for all NTP messages. Different from many other of Bro's events,
-## this one is generated for both client-side and server-side messages.
-##
-## See `Wikipedia `__ for
-## more information about the NTP protocol.
-##
-## u: The connection record describing the corresponding UDP flow.
-##
-## msg: The parsed NTP message.
-##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
-## further parse any optional fields.
-##
-## .. zeek:see:: ntp_session_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
-