

The hot-ids Module

The hot-ids module defines a number of redefinable variables that specify usernames Bro should consider sensitive:

[forbidden_ids : set[string]] lists usernames that should never be used. If Bro detects use of one, it will attempt to terminate the corresponding connection.

Default: { "uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox", "4Dgifts", "ezsetup", "outofbox", "4dgifts", "sgiweb", }. All of these correspond to accounts that some systems have enabled by default (with well-known passwords), except for "rewt", which corresponds to a username often used by (weenie) attackers.

Deficiency: The repeated definitions such as "EZsetup" and "ezsetup" reflect that this variable is a set and not a pattern. Consequently, the exact username must appear in it (with a pattern, we could use character classes to match both upper and lower case).

[forbidden_ids_if_no_password : set[string]] Same as forbidden_ids, except that the username is only considered forbidden if the login succeeded with an empty password.

Default: "lp", a default passwordless IRIX account.

[forbidden_id_patterns : pattern] A pattern giving user ids that should be considered forbidden. Deficiency: This pattern is currently only used to check Telnet/Rlogin user ids, not ids seen in other contexts, such as FTP sessions.

Default: /(y[o0]u)(r|ar[e3])([o0]wn.*)/, a particularly egregious style of username of which we've observed variants in different break-ins.

[always_hot_ids : set[string]] A list of usernames that should always be considered sensitive, though not necessarily so sensitive that they should be terminated whenever used.

Default: { "lp", "warez", "demos", forbidden_ids, }. The "lp" and "demos" accounts are specified here rather than in forbidden_ids because it's possible that they might be used for legitimate accounts. "warez" (for "wares", i.e., bootlegged software) is listed because its use likely constitutes a policy violation, not a security violation.

Note: forbidden_ids is incorporated into always_hot_ids to avoid replicating the list of particularly sensitive ids by listing it twice and risking inconsistencies.

[hot_ids : set[string]] User ids that generate alerts if the user logs in successfully.

Default: { "root", "system", always_hot_ids, }. The ones included in addition to always_hot_ids are only considered sensitive if the user logs in successfully.
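The following Python model, added here as an example and not taken from the Bro manual or the Bro source, shows how the variables above combine for a single login attempt, and why the exact-match set misses case variants that the documented pattern deficiency refers to. It assumes the default values listed on this page, that forbidden_id_patterns is applied as an unanchored search, and that a forbidden pattern hit is treated like a forbidden_ids hit.

```python
import re

# Defaults as documented for the hot-ids module (transcribed from the page).
FORBIDDEN_IDS = {"uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox",
                 "4Dgifts", "ezsetup", "outofbox", "4dgifts", "sgiweb"}
FORBIDDEN_IDS_IF_NO_PASSWORD = {"lp"}
FORBIDDEN_ID_PATTERNS = re.compile(r"(y[o0]u)(r|ar[e3])([o0]wn.*)")
ALWAYS_HOT_IDS = {"lp", "warez", "demos"} | FORBIDDEN_IDS
HOT_IDS = {"root", "system"} | ALWAYS_HOT_IDS


def classify_login(user, success, password, service="telnet"):
    """Return the action the hot-ids rules imply for one login attempt.

    Result is one of "terminate", "hot" or "quiet":
    - forbidden_ids: any use, successful or not, terminates the connection
    - forbidden_id_patterns: checked only for Telnet/Rlogin, per the
      documented deficiency (assumption: unanchored search, same action)
    - forbidden_ids_if_no_password: successful login with empty password
    - always_hot_ids: any use is sensitive
    - hot_ids beyond always_hot_ids: sensitive only on successful login
    """
    if user in FORBIDDEN_IDS:
        return "terminate"
    if service in ("telnet", "rlogin") and FORBIDDEN_ID_PATTERNS.search(user):
        return "terminate"
    if success and password == "" and user in FORBIDDEN_IDS_IF_NO_PASSWORD:
        return "terminate"
    if user in ALWAYS_HOT_IDS:
        return "hot"
    if success and user in HOT_IDS:
        return "hot"
    return "quiet"


# What a pattern-based alternative to the exact-match set would look like,
# illustrating the deficiency noted for forbidden_ids (hypothetical, not part
# of the module): one case-insensitive pattern covers all SGI default accounts.
FORBIDDEN_SGI_PATTERN = re.compile(r"^(ezsetup|outofbox|4dgifts)$", re.IGNORECASE)


def forbidden_by_pattern(user):
    """True if the username matches the case-insensitive SGI-account pattern."""
    return bool(FORBIDDEN_SGI_PATTERN.match(user))
```

Note that "Ezsetup" is classified "quiet" by the set-based rules but caught by forbidden_by_pattern, which is exactly the gap the deficiency note describes.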


Vern Paxson 2004-03-21