Next: The frag Module Up: Analyzers and Events Previous: The dns Module   Contents   Index


The finger Analyzer

The finger analyzer processes traffic associated with the Finger service [RFC1288]. Bro instantiates a finger analyzer for any connection with service port 79/tcp (provided you @load the finger analyzer in your script, or define your own finger_request or finger_reply handlers).

The analyzer uses a capture filter of ``port finger'' (§ ).

In the past, attackers often used Finger requests to obtain information about a site's users (account names, login times, home directories), and sometimes to launch attacks of various forms (buffer overflows against the finger daemon, in particular). In our experience, exploitation of the service has greatly diminished over the past years, no doubt in part because the service is increasingly turned off or prohibited by firewalls. Now it is only rarely associated with an attack.


finger variables

The standard script defines two redefinable variables:

[hot_names : set[string]] A list of usernames that should be considered sensitive (log-worthy) if included in a Finger request.

Default: { "root", "lp", "uucp", "nuucp", "demos", "operator", "sync", "guest", "visitor", }.

[max_request_length : count] The largest reasonable request size (used to flag possible buffer overflow attacks). Bro marks a connection as ``hot'' if its request exceeds this length, and truncates its logging of the request to this many bytes, followed by "...".

Default: 80.


finger event handlers

The standard script defines one event handler:

[finger_request (c: connection, request: string, full: bool)] Invoked upon connection c having made the request request. The full flag is true if the request included the ``long format'' option (which the event engine will have removed from the request).

The standard script flags long requests and truncates them as noted above, and then checks whether the (possibly truncated) request is a name in hot_names. It then formats the request for logging: a non-empty request is enclosed in double quotation marks; an empty request, which asks for information on all users, is rendered as the string ALL with no quotes around it.

If the originator already made a request on this connection, then this additional request is placed in parentheses (multiple requests on one connection violate the Finger protocol, which expects a single query per connection). If the request was for the full format, then the text ``(/W)'' is appended to the request. Finally, the formatted request is appended to the connection's addl field, so it appears in the connection's log entry.
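The following is an added example, not code from the Bro distribution or from the standard finger script: a small Python model of the handling described above, covering both the max_request_length / hot_names checks and the request formatting done by finger_request. The parse_finger_request helper mimics the event engine's removal of the ``/W'' option from the raw RFC 1288 request line. The Conn class, the space separator used between successive entries in addl, and the exact tokenisation of the ``/W'' prefix are assumptions made for this example; the page does not specify them.

```python
import re
from dataclasses import dataclass

# Defaults mirroring the standard script's redefinable variables.
HOT_NAMES = {"root", "lp", "uucp", "nuucp", "demos", "operator",
             "sync", "guest", "visitor"}
MAX_REQUEST_LENGTH = 80


@dataclass
class Conn:
    """Minimal stand-in (assumed) for Bro's connection record."""
    addl: str = ""       # per-connection log annotation
    hot: bool = False    # set when the connection should be flagged
    requests: int = 0    # number of requests seen on this connection


def parse_finger_request(line: bytes) -> tuple[str, bool]:
    """Split a raw RFC 1288 request line into (request, full).

    The ``/W`` (long-format) option is removed, as the event engine does
    before raising finger_request. Tokenisation here is an assumption.
    """
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    full = False
    m = re.match(r"^\s*/W(?:\s+|$)(.*)$", text)
    if m:
        full = True
        text = m.group(1)
    return text.strip(), full


def finger_request(c: Conn, request: str, full: bool) -> str:
    """Model of the standard script's finger_request handler.

    Returns the formatted request text that is appended to c.addl.
    """
    # 1. Flag and truncate overlong requests (possible overflow attempt).
    if len(request) > MAX_REQUEST_LENGTH:
        c.hot = True
        request = request[:MAX_REQUEST_LENGTH] + "..."

    # 2. Sensitive usernames are log-worthy.
    if request in HOT_NAMES:
        c.hot = True

    # 3. Quote the request, or use bare ALL for an empty (all-users) query.
    formatted = "ALL" if request == "" else '"' + request + '"'

    # 4. Additional requests on the same connection are parenthesised.
    if c.requests > 0:
        formatted = "(" + formatted + ")"

    # 5. Note the long-format option.
    if full:
        formatted += " (/W)"

    c.requests += 1
    # Separator between successive entries is an assumption.
    c.addl = formatted if c.addl == "" else c.addl + " " + formatted
    return formatted


if __name__ == "__main__":
    # Constructed sample request lines, as a finger client would send them.
    samples = [b"/W root\r\n", b"\r\n", b"guest\r\n", b"A" * 200 + b"\r\n"]
    for raw in samples:
        c = Conn()
        req, full = parse_finger_request(raw)
        print(repr(finger_request(c, req, full)), "hot" if c.hot else "")
```

Running the module prints the formatted text for each constructed request: the ``/W root'' query is flagged because root is a hot name, the empty line becomes ALL, and the 200-byte request is flagged and truncated to 80 bytes followed by ``...''.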

The event engine generates an additional event that the predefined finger script does not handle:

[finger_reply (c: connection, reply_line: string)] Generated for each line of text sent in response to the originator's request.


Vern Paxson 2004-03-21