ident Analyzer
The ident analyzer processes traffic associated with the Identification Protocol [RFC-1413], which provides a simple service whereby clients can query Ident servers to discover user information associated with an existing connection between the server's host and the client's host. Bro instantiates an ident analyzer for any connection with service port 113/tcp, providing you have loaded the ident analyzer, or defined a handler for ident_request, ident_reply, or ident_error. The analyzer uses a capture filter of “tcp port 113” (See: Filtering).
The ident_reply handler annotates the addl field of the connection for which the Ident client made its query with the user information returned in the reply. It also checks the user information against sensitive usernames, because a match indicates that the connection in the Ident query was initiated by a possibly-compromised account.
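The exchange the analyzer watches, and the two checks the ident_reply handler is described as performing, as an added example in Python. This is not Bro's own code: it constructs an RFC 1413 query/reply exchange inline (the messages are made up, not captured traffic), parses both message forms, and then mirrors the handler's behaviour of annotating the queried connection's addl field and flagging a sensitive username. The SENSITIVE_USERNAMES set, the check that a reply echoes the ports of the query it answers, and the 512-octet user-id limit are this example's own assumptions, not something the page specifies.

```python
import re

# Assumed list of accounts worth alerting on; Bro keeps its own configurable set.
SENSITIVE_USERNAMES = {"root", "toor", "daemon", "bin", "sys", "uucp", "nuucp"}

# RFC 1413 message grammar (whitespace around tokens is permitted):
#   query: <port-on-server> , <port-on-client> CRLF
#   reply: <port-on-server> , <port-on-client> : USERID : <opsys>[ , <charset> ] : <user-id> CRLF
#          <port-on-server> , <port-on-client> : ERROR : <error-type> CRLF
_PORTS = r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*"
QUERY_RE = re.compile(rf"^{_PORTS}$")
REPLY_RE = re.compile(rf"^{_PORTS}:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")
ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
MAX_USER_ID = 512  # assumed cap, matching the RFC's octet-string limit


def _port(text):
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def parse_query(line):
    """Return (port_on_server, port_on_client) from an Ident query line."""
    m = QUERY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident query: {line!r}")
    return _port(m[1]), _port(m[2])


def parse_reply(line):
    """Parse a USERID or ERROR reply into a dict; raise ValueError on garbage."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    reply = {"server_port": _port(m[1]), "client_port": _port(m[2]), "kind": m[3]}
    rest = m[4]
    if reply["kind"] == "ERROR":
        if rest not in ERROR_TYPES and not rest.startswith("X-"):
            raise ValueError(f"unknown ident error type: {rest!r}")
        reply["error"] = rest
        return reply
    # USERID: the opsys field cannot contain a colon, so split on the first one;
    # everything after it (colons included) is the free-form user-id.
    opsys_field, sep, user_id = rest.partition(":")
    if not sep:
        raise ValueError(f"USERID reply lacks user-id: {line!r}")
    opsys, _, charset = (part.strip() for part in opsys_field.partition(","))
    user_id = user_id.strip()
    if not opsys or not user_id or len(user_id) > MAX_USER_ID:
        raise ValueError(f"bad opsys/user-id in reply: {line!r}")
    reply.update(opsys=opsys, charset=charset or None, user_id=user_id)
    return reply


def annotate_connection(query_line, reply_line, sensitive=SENSITIVE_USERNAMES):
    """Mirror of the ident_reply handler described above: attach the returned user
    information to the queried connection's addl field and flag sensitive names.
    The reply is text supplied by the remote host, so it is recorded, not trusted."""
    q_ports = parse_query(query_line)
    reply = parse_reply(reply_line)
    conn = {"server_port": q_ports[0], "client_port": q_ports[1], "addl": None, "sensitive": False}
    if (reply["server_port"], reply["client_port"]) != q_ports:
        conn["note"] = "reply does not echo the query's ports; ignored"
        return conn
    if reply["kind"] == "ERROR":
        conn["addl"] = f"ident error: {reply['error']}"
        return conn
    conn["addl"] = reply["user_id"]
    conn["sensitive"] = reply["user_id"].lower() in sensitive
    return conn


# Constructed exchange between an Ident client (port 23 side) and server; not real traffic.
SAMPLE_EXCHANGE = [
    ("6191, 23\r\n", "6191, 23 : USERID : UNIX : stjohns\r\n"),
    ("6193, 23\r\n", "6193, 23 : ERROR : NO-USER\r\n"),
    ("6195, 23\r\n", "6195, 23 : USERID : UNIX : root\r\n"),
    ("6197, 23\r\n", "6000, 23 : USERID : UNIX : bob\r\n"),
]


def run_exchange(pairs=SAMPLE_EXCHANGE):
    """Process each query/reply pair and return the annotated connections."""
    return [annotate_connection(q, r) for q, r in pairs]


if __name__ == "__main__":
    for conn in run_exchange():
        print(conn)
```

The port-echo check matters because an Ident server answers whichever query it likes; a reply whose port pair does not match the outstanding query says nothing about that connection and is dropped rather than annotated. Because the user-id is free text chosen by the remote host, the sensitive-name match is an indicator for investigation, not proof of which account opened the connection.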