Pull request #3653: appid: NTP detection improvements

Merge in SNORT/snort3 from ~OSTEPANO/snort3:ntp_detection_fix to master

Squashed commit of the following:

commit 8830778cda84c976cbb27c5e146d6833eb6238ef
Author: Oleksandr Stepanov <ostepano@cisco.com>
Date:   Fri Nov 4 05:43:33 2022 -0400

    appid: NTP detection improvements

diff --git a/src/network_inspectors/appid/service_plugins/service_ntp.cc b/src/network_inspectors/appid/service_plugins/service_ntp.cc
index 1add4dca66e65fc9815ac89d0a960e93c205b64c..b4d5146ff0de91844dc59a1c0092264456ac038b 100644 (file)
--- a/src/network_inspectors/appid/service_plugins/service_ntp.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ntp.cc
@@ -61,7 +61,7 @@ NtpServiceDetector::NtpServiceDetector(ServiceDiscovery* sd)
 {
     handler = sd;
     name = "ntp";
-    proto = IpProtocol::TCP;
+    proto = IpProtocol::UDP;
     detectorType = DETECTOR_TYPE_DECODER;
 
     appid_registry =
@@ -71,8 +71,7 @@ NtpServiceDetector::NtpServiceDetector(ServiceDiscovery* sd)
 
     service_ports =
     {
-        { 123, IpProtocol::UDP, false },
-        { 123, IpProtocol::TCP, false }
+        { 123, IpProtocol::UDP, false }
     };
 
     handler->register_detector(name, this, proto);
@@ -112,9 +111,9 @@ int NtpServiceDetector::validate(AppIdDiscoveryArgs& args)
 
         if (nh->stratum > 15)
             goto fail;
-        if (nh->poll && (nh->poll < 4 || nh->poll > 14))
+        if (nh->poll && (nh->poll < 3 || nh->poll > 17))
             goto fail;
-        if (nh->precision > -6 || nh->precision < -20)
+        if (nh->precision > -6 || nh->precision < -24)
             goto fail;
     }
     else