Remove old NTP analyzer.

scripts/base/init-bare.zeek

@@ -1113,9 +1113,6 @@ const table_expire_delay = 0.01 secs &redef;
 ## Time to wait before timing out a DNS request.
 const dns_session_timeout = 10 sec &redef;
 
-## Time to wait before timing out an NTP request.
-const ntp_session_timeout = 300 sec &redef;
-
 ## Time to wait before timing out an RPC request.
 const rpc_timeout = 24 sec &redef;
 
@@ -2529,26 +2526,6 @@ export {
 	};
 }
 
-module GLOBAL;
-
-## An NTP message.
-##
-## .. zeek:see:: ntp_message
-type ntp_msg: record {
-	id: count;	##< Message ID.
-	code: count;	##< Message code.
-	stratum: count;	##< Stratum.
-	poll: count;	##< Poll.
-	precision: int;	##< Precision.
-	distance: interval;	##< Distance.
-	dispersion: interval;	##< Dispersion.
-	ref_t: time;	##< Reference time.
-	originate_t: time;	##< Originating time.
-	receive_t: time;	##< Receive time.
-	xmit_t: time;	##< Send time.
-};
-
-
 module NTLM;
 
 export {

src/NetVar.cc

@@ -77,7 +77,6 @@ bool udp_content_deliver_all_orig;
 bool udp_content_deliver_all_resp;
 
 double dns_session_timeout;
-double ntp_session_timeout;
 double rpc_timeout;
 
 ListVal* skip_authentication;
@@ -103,8 +102,6 @@ TableType* pm_mappings;
 RecordType* pm_port_request;
 RecordType* pm_callit_request;
 
-RecordType* ntp_msg;
-
 RecordType* geo_location;
 
 RecordType* entropy_test_result;
@@ -360,7 +357,6 @@ void init_net_var()
 		bool(internal_val("udp_content_deliver_all_resp")->AsBool());
 
 	dns_session_timeout = opt_internal_double("dns_session_timeout");
-	ntp_session_timeout = opt_internal_double("ntp_session_timeout");
 	rpc_timeout = opt_internal_double("rpc_timeout");
 
 	watchdog_interval = int(opt_internal_double("watchdog_interval"));
@@ -390,8 +386,6 @@ void init_net_var()
 	pm_port_request = internal_type("pm_port_request")->AsRecordType();
 	pm_callit_request = internal_type("pm_callit_request")->AsRecordType();
 
-	ntp_msg = internal_type("ntp_msg")->AsRecordType();
-
 	geo_location = internal_type("geo_location")->AsRecordType();
 
 	entropy_test_result = internal_type("entropy_test_result")->AsRecordType();

src/NetVar.h

@@ -80,7 +80,6 @@ extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
 
 extern double dns_session_timeout;
-extern double ntp_session_timeout;
 extern double rpc_timeout;
 
 extern ListVal* skip_authentication;
@@ -106,8 +105,6 @@ extern TableType* pm_mappings;
 extern RecordType* pm_port_request;
 extern RecordType* pm_callit_request;
 
-extern RecordType* ntp_msg;
-
 extern RecordType* geo_location;
 
 extern RecordType* entropy_test_result;

src/analyzer/protocol/CMakeLists.txt

@@ -28,7 +28,6 @@ add_subdirectory(mysql)
 add_subdirectory(ncp)
 add_subdirectory(netbios)
 add_subdirectory(ntlm)
-add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
 add_subdirectory(radius)

src/analyzer/protocol/ntp/CMakeLists.txt

@@ -1,9 +0,0 @@
-
-include(BroPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-bro_plugin_begin(Bro NTP)
-bro_plugin_cc(NTP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()

src/analyzer/protocol/ntp/NTP.cc

@@ -1,114 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek-config.h"
-
-#include "NetVar.h"
-#include "NTP.h"
-#include "Sessions.h"
-#include "Event.h"
-
-#include "events.bif.h"
-
-using namespace analyzer::ntp;
-
-NTP_Analyzer::NTP_Analyzer(Connection* conn)
-	: Analyzer("NTP", conn)
-	{
-	ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer,
-				network_time + ntp_session_timeout, 1,
-				TIMER_NTP_EXPIRE);
-	}
-
-void NTP_Analyzer::Done()
-	{
-	Analyzer::Done();
-	Event(udp_session_done);
-	}
-
-void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
-
-	// Actually we could just get rid of the Request/Reply and simply use
-	// the code of Message().  But for now we use it as an example of how
-	// to convert an old-style UDP analyzer.
-	if ( is_orig )
-		Request(data, len);
-	else
-		Reply(data, len);
-	}
-
-int NTP_Analyzer::Request(const u_char* data, int len)
-	{
-	Message(data, len);
-	return 1;
-	}
-
-int NTP_Analyzer::Reply(const u_char* data, int len)
-	{
-	Message(data, len);
-	return 1;
-	}
-
-void NTP_Analyzer::Message(const u_char* data, int len)
-	{
-	if ( (unsigned) len < sizeof(struct ntpdata) )
-		{
-		Weird("truncated_NTP");
-		return;
-		}
-
-	struct ntpdata* ntp_data = (struct ntpdata *) data;
-	len -= sizeof *ntp_data;
-	data += sizeof *ntp_data;
-
-	if ( ! ntp_message )
-		return;
-
-	RecordVal* msg = new RecordVal(ntp_msg);
-
-	unsigned int code = ntp_data->status & 0x7;
-
-	msg->Assign(0, val_mgr->GetCount((unsigned int) (ntohl(ntp_data->refid))));
-	msg->Assign(1, val_mgr->GetCount(code));
-	msg->Assign(2, val_mgr->GetCount((unsigned int) ntp_data->stratum));
-	msg->Assign(3, val_mgr->GetCount((unsigned int) ntp_data->ppoll));
-	msg->Assign(4, val_mgr->GetInt((unsigned int) ntp_data->precision));
-	msg->Assign(5, new Val(ShortFloat(ntp_data->distance), TYPE_INTERVAL));
-	msg->Assign(6, new Val(ShortFloat(ntp_data->dispersion), TYPE_INTERVAL));
-	msg->Assign(7, new Val(LongFloat(ntp_data->reftime), TYPE_TIME));
-	msg->Assign(8, new Val(LongFloat(ntp_data->org), TYPE_TIME));
-	msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
-	msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
-
-	ConnectionEventFast(ntp_message, {
-		BuildConnVal(),
-		msg,
-		new StringVal(new BroString(data, len, 0)),
-	});
-	}
-
-double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)
-	{
-	return ConvertToDouble(ntohs(fp.int_part), ntohs(fp.fraction), 65536.0);
-	}
-
-double NTP_Analyzer::LongFloat(struct l_fixedpt fp)
-	{
-	double t = ConvertToDouble(ntohl(fp.int_part), ntohl(fp.fraction),
-				   4294967296.0);
-
-	return t ? t - JAN_1970 : 0.0;
-	}
-
-double NTP_Analyzer::ConvertToDouble(unsigned int int_part,
-				    unsigned int fraction, double frac_base)
-	{
-	return double(int_part) + double(fraction) / frac_base;
-	}
-
-void NTP_Analyzer::ExpireTimer(double /* t */)
-	{
-	Event(connection_timeout);
-	sessions->Remove(Conn());
-	}

src/analyzer/protocol/ntp/NTP.h

@@ -1,69 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef ANALYZER_PROTOCOL_NTP_NTP_H
-#define ANALYZER_PROTOCOL_NTP_NTP_H
-
-#include "analyzer/protocol/udp/UDP.h"
-
-// The following are from the tcpdump distribution, credited there
-// to the U of MD implementation.
-
-#define JAN_1970	2208988800.0	/* 1970 - 1900 in seconds */
-
-namespace analyzer { namespace ntp {
-
-struct l_fixedpt {
-	unsigned int int_part;
-	unsigned int fraction;
-};
-
-struct s_fixedpt {
-	unsigned short int_part;
-	unsigned short fraction;
-};
-
-struct ntpdata {
-	unsigned char status;	/* status of local clock and leap info */
-	unsigned char stratum;	/* Stratum level */
-	unsigned char ppoll;	/* poll value */
-	int precision:8;
-	struct s_fixedpt distance;
-	struct s_fixedpt dispersion;
-	unsigned int refid;
-	struct l_fixedpt reftime;
-	struct l_fixedpt org;
-	struct l_fixedpt rec;
-	struct l_fixedpt xmt;
-};
-
-class NTP_Analyzer : public analyzer::Analyzer {
-public:
-	explicit NTP_Analyzer(Connection* conn);
-
-	static analyzer::Analyzer* Instantiate(Connection* conn)
-		{ return new NTP_Analyzer(conn); }
-
-protected:
-	void Done() override;
-	void DeliverPacket(int len, const u_char* data, bool orig,
-					uint64 seq, const IP_Hdr* ip, int caplen) override;
-
-	int Request(const u_char* data, int len);
-	int Reply(const u_char* data, int len);
-
-	// NTP is a unidirectional protocol, so no notion of "requests"
-	// as separate from "replies".
-	void Message(const u_char* data, int len);
-
-	double ShortFloat(struct s_fixedpt fp);
-	double LongFloat(struct l_fixedpt fp);
-	double ConvertToDouble(unsigned int int_part, unsigned int fraction,
-				double frac_base);
-
-	friend class ConnectionTimer;
-	void ExpireTimer(double t);
-};
-
-} } // namespace analyzer::* 
-
-#endif

src/analyzer/protocol/ntp/Plugin.cc

@@ -1,25 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-#include "NTP.h"
-
-namespace plugin {
-namespace Bro_NTP {
-
-class Plugin : public plugin::Plugin {
-public:
-	plugin::Configuration Configure()
-		{
-		AddComponent(new ::analyzer::Component("NTP", ::analyzer::ntp::NTP_Analyzer::Instantiate));
-
-		plugin::Configuration config;
-		config.name = "Bro::NTP";
-		config.description = "NTP analyzer";
-		return config;
-		}
-} plugin;
-
-}
-}

src/analyzer/protocol/ntp/events.bif

@@ -1,21 +0,0 @@
-## Generated for all NTP messages. Different from many other of Bro's events,
-## this one is generated for both client-side and server-side messages.
-##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
-## more information about the NTP protocol.
-##
-## u: The connection record describing the corresponding UDP flow.
-##
-## msg: The parsed NTP message.
-##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
-##         further parse any optional fields.
-##
-## .. zeek:see:: ntp_session_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
-