The ident analyzer processes traffic associated with the Identification Protocol [RFC1413], which provides a simple service whereby a client can query an Ident server to learn the user information associated with an existing connection between the server's host and the client's host. Bro instantiates an ident analyzer for any connection with service port 113/tcp, provided you have loaded the ident analyzer or defined a handler for ident_request, ident_reply, or ident_error.
The analyzer uses a capture filter of ``tcp port 113''.
The standard script defines the following pair of redefinable variables:
[hot_ident_ids : set[string]] usernames to consider sensitive when they appear in an Ident reply. Default: always_hot_ids.
[hot_ident_exceptions : set[string]] usernames not to consider sensitive even if they appear in hot_ident_ids.
Default: { "uucp", "nuucp", "daemon", }. These usernames are exceptions because daemons sometimes run with the given user ids and their use is often innocuous.
The standard script handles the following events:
[ident_reply (c: connection, lport: port, rport: port, user_id: string, system: string)] Invoked when a server replies to an Ident request. lport and rport are the local and remote ports (relative to the client) of the connection being asked about. user_id is the user information returned in the Ident server's reply, and system is information regarding the operating system (the Ident specification [RFC1413] does not further standardize this information).
The handler annotates the queried connection with the user information, which it also checks against hot_ident_ids and hot_ident_exceptions as discussed above. At present, it does nothing with the system information.
[ident_error (c: connection, lport: port, rport: port, line: string)] Invoked when the given request yielded an error reply from the Ident server. The handler annotates the connection with ident/<error>, where error is the text given in line.
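As an added example, not taken from the Bro distribution or from the standard ident script, the following policy script layers a site-local check on top of the two redefinable sets and the two reply events described above. It assumes the standard script is loaded under the name ident, and the usernames it adds to hot_ident_ids are an arbitrary site choice used for illustration. The handlers print with fmt rather than relying on any particular notice mechanism, so they do not depend on a specific Bro release.

```bro
# Added example: a site-local policy on top of the standard ident script.
# Assumption: the standard script is available as "ident".
@load ident

# Treat two extra privileged accounts as sensitive. The names are an
# illustrative site choice, not part of always_hot_ids.
redef hot_ident_ids += { "root", "operator" };

# A site that runs nothing under "nobody" can leave it out of the
# exceptions; here we instead add one more innocuous daemon account.
redef hot_ident_exceptions += { "lp" };

# This handler runs in addition to the standard script's own ident_reply
# handler (Bro invokes every handler defined for an event), so the
# connection is still annotated as usual. It repeats the sensitive-user
# test the standard script performs, then reports the full context.
event ident_reply(c: connection, lport: port, rport: port,
		  user_id: string, system: string)
	{
	if ( user_id in hot_ident_ids && user_id !in hot_ident_exceptions )
		print fmt("hot ident reply: user %s owns %s/%s <-> %s/%s (system: %s)",
			  user_id, c$id$orig_h, lport, c$id$resp_h, rport, system);
	}

# Error replies are worth seeing too: a server that answers every query
# with an error (for example HIDDEN-USER) tells you the host is
# deliberately not disclosing ownership, which is itself useful context.
event ident_error(c: connection, lport: port, rport: port, line: string)
	{
	print fmt("ident error for %s/%s <-> %s/%s: %s",
		  c$id$orig_h, lport, c$id$resp_h, rport, line);
	}
```

Because the standard script still annotates the queried connection with the returned user information, a policy like this only adds reporting; it does not change what ends up in the connection's addl field, and the exceptions list applies exactly as described above, so adding "lp" to hot_ident_exceptions suppresses the report even if "lp" is later added to hot_ident_ids.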