
The ident Analyzer

The ident analyzer processes traffic associated with the Identification Protocol [RFC1413], which provides a simple service whereby clients can query Ident servers to discover user information associated with an existing connection between the server's host and the client's host. Bro instantiates an ident analyzer for any connection with service port 113/tcp, provided you have loaded the ident analyzer, or defined a handler for ident_request, ident_reply, or ident_error.

The analyzer uses a capture filter of "tcp port 113" (§ ). The ident_reply handler annotates the addl field of the connection for which the Ident client made its query with the user information returned in the reply. It also checks the user information against sensitive usernames, because a match indicates that the connection in the Ident query was initiated by a possibly-compromised account.


ident variables

The standard script defines the following pair of redefinable variables:

[hot_ident_ids : set[string]] usernames to flag as sensitive if they appear in an Ident reply.

Default: always_hot_ids (§ ).

[hot_ident_exceptions : set[string]] usernames not to consider sensitive even if they appear in hot_ident_ids.

Default: { "uucp", "nuucp", "daemon", }. These usernames are exceptions because daemons sometimes run with the given user ids and their use is often innocuous.


ident event handlers

The standard script handles the following events:

[ident_request (c: connection, lport: port, rport: port)] Invoked when a client request arrives on connection c, querying about the connection from local port lport to remote port rport, where local and remote are relative to the client.

[ident_reply (c: connection, lport: port, rport: port, user_id: string, system: string)] Invoked when a server replies to an Ident request. lport and rport are again the local and remote ports (relative to the client) of the connection being asked about. user_id is the user information returned in the Ident server's reply, and system is information regarding the operating system (the Ident specification [RFC1413] does not further standardize this information).

The handler annotates the queried connection with the user information, which it also checks against hot_ident_ids and hot_ident_exceptions as discussed above. At present, it does nothing with the system information.

[ident_error (c: connection, lport: port, rport: port, line: string)] Invoked when the given request yielded an error reply from the Ident server. The handler annotates the connection with ident/<error>, where error is the text given in line.
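The following is an added example, not code from Bro or from this manual. It models, in Python, what the analyzer does with the three kinds of Ident lines described above: it parses an RFC 1413 request and response, distinguishes USERID replies from ERROR replies, annotates a stand-in connection record the way the ident_reply and ident_error handlers do, and applies the hot_ident_ids / hot_ident_exceptions check. The HOT_IDENT_IDS set is an assumed stand-in for always_hot_ids (whose real contents are defined elsewhere in the standard scripts); the sample lines are constructed. Note that RFC 1413 orders the port pair as port-on-server, port-on-client, whereas the Bro events name the same two ports relative to the client, so the parser swaps them.

```python
"""Minimal RFC 1413 (Ident) line parser plus the sensitive-username check.

Constructed example; not Bro's own code.  It mirrors the ident_request,
ident_reply and ident_error events and the hot-id check applied to replies.
"""
import re
from dataclasses import dataclass

# Assumed stand-in for Bro's always_hot_ids; the real set is defined in the
# standard scripts and is not reproduced here.
HOT_IDENT_IDS = {"root", "bin", "sys", "uucp", "nuucp", "daemon"}
# Default hot_ident_exceptions as given in the manual text.
HOT_IDENT_EXCEPTIONS = {"uucp", "nuucp", "daemon"}

_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
_RESPONSE_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


@dataclass
class Connection:
    """Stand-in for Bro's connection record.  lport/rport are the ports of the
    connection being asked about, relative to the Ident client; addl is the
    annotation field the handlers write to."""
    lport: int
    rport: int
    addl: str = ""
    hot: bool = False


def _valid_port(p):
    return 1 <= p <= 65535


def parse_request(line):
    """Return (lport, rport) relative to the Ident client, or None if malformed."""
    m = _REQUEST_RE.match(line)
    if not m:
        return None
    port_on_server, port_on_client = int(m.group(1)), int(m.group(2))
    if not (_valid_port(port_on_server) and _valid_port(port_on_client)):
        return None
    # RFC 1413 order is <port-on-server>,<port-on-client>; Bro's lport is the
    # client-side port, so the pair is returned swapped.
    return port_on_client, port_on_server


def parse_response(line):
    """Classify an Ident response line.

    Returns ("reply", lport, rport, user_id, system) for USERID responses,
    ("error", lport, rport, error_text) for ERROR responses, or None when
    the line does not follow the RFC 1413 response grammar.
    """
    m = _RESPONSE_RE.match(line)
    if not m:
        return None
    lport, rport = int(m.group(2)), int(m.group(1))
    if not (_valid_port(lport) and _valid_port(rport)):
        return None
    kind, info = m.group(3), m.group(4)
    if kind == "ERROR":
        return ("error", lport, rport, info)
    # USERID add-info is "<opsys>[ , <charset> ] : <user-id>"; the user-id may
    # itself contain ':' so only the first one separates the two fields.
    if ":" not in info:
        return None
    system, user_id = (part.strip() for part in info.split(":", 1))
    return ("reply", lport, rport, user_id, system)


def is_hot_user(user_id, hot_ids=HOT_IDENT_IDS, exceptions=HOT_IDENT_EXCEPTIONS):
    """The ident_reply check: sensitive if listed in hot_ids and not excepted."""
    return user_id in hot_ids and user_id not in exceptions


def handle_response(conn, line):
    """Annotate the queried connection as the standard script's handlers do.

    A response whose port pair does not match the connection is ignored,
    since it cannot be the answer to the query made about that connection.
    """
    parsed = parse_response(line)
    if parsed is None or (parsed[1], parsed[2]) != (conn.lport, conn.rport):
        return conn
    if parsed[0] == "error":
        conn.addl = "ident/" + parsed[3]      # ident_error: ident/<error>
        return conn
    user_id = parsed[3]                       # ident_reply: system is unused
    conn.addl = user_id
    conn.hot = is_hot_user(user_id)
    return conn


if __name__ == "__main__":
    # Constructed sample exchange.
    print(parse_request("6191, 23"))
    c = handle_response(Connection(23, 6191), "6191, 23 : USERID : UNIX : root")
    print(c.addl, c.hot)
    print(handle_response(Connection(23, 6191), "6191, 23 : ERROR : NO-USER").addl)
```

The port-pair comparison in handle_response is the one check worth keeping when adapting this: an Ident reply is only meaningful for the connection it was asked about, and the server's "system" field is informational only, which is why the code, like the standard script, ignores it.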


Vern Paxson 2004-03-21