


7.18 The ident Analyzer

The ident analyzer processes traffic associated with the Identification Protocol [RFC-1413], which provides a simple service whereby a client can query an Ident server to discover the user information associated with an existing TCP connection between the server's host and the client's host. Bro instantiates an ident analyzer for any connection with service port 113/tcp, provided you have loaded the ident analyzer or defined a handler for ident_request, ident_reply, or ident_error.

The analyzer uses a capture filter of “tcp port 113” (See: Filtering). The ident_reply handler annotates the addl field of the connection for which the Ident client made its query with the user information returned in the reply. It also checks the user information against sensitive usernames, because a match indicates that the connection in the Ident query was initiated by a possibly-compromised account.
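The following is an added example, not Bro's own code, that shows the logic the paragraph above describes in plain Python: it parses an Ident reply according to the RFC 1413 response grammar, locates the queried connection by its port pair, records the returned user information in that connection's addl field, and flags a match against a list of sensitive usernames. The connection record, the constructed sample replies and the SENSITIVE_USERNAMES set are assumptions standing in for Bro's connection type and its sensitive-username list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1413 reply grammar:
#   <server-port>, <client-port> : USERID : <opsys> [, <charset>] : <user-id>
#   <server-port>, <client-port> : ERROR : <error-type>
# <server-port> is the port on the host running the Ident server, <client-port>
# the port on the host that sent the query.
REPLY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

# Constructed stand-in for Bro's sensitive-username list (assumption, not Bro's values).
SENSITIVE_USERNAMES = {"root", "bin", "uucp", "lp"}


@dataclass
class Conn:
    """Minimal stand-in for a Bro connection record (assumption)."""
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    addl: str = ""  # mirrors the addl annotation field of a Bro connection


@dataclass
class IdentReply:
    server_port: int
    client_port: int
    kind: str         # "USERID" or "ERROR"
    opsys: str = ""   # opsys plus optional charset, e.g. "UNIX" or "UNIX, US-ASCII"
    user: str = ""
    error: str = ""


def parse_ident_reply(line: str) -> IdentReply:
    """Parse one Ident reply line; raise ValueError on anything off-grammar."""
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    sport, cport, kind, rest = m.groups()
    sport, cport = int(sport), int(cport)
    if not (0 < sport < 65536 and 0 < cport < 65536):
        raise ValueError(f"port out of range in ident reply: {line!r}")
    if kind == "ERROR":
        return IdentReply(sport, cport, kind, error=rest)
    # USERID: split at the first ':' only, because the user-id itself may contain ':'
    opsys, sep, user = rest.partition(":")
    if not sep or not user.strip():
        raise ValueError(f"USERID reply without user-id: {line!r}")
    return IdentReply(sport, cport, kind, opsys=opsys.strip(), user=user.strip())


def find_queried_conn(conns, ident_server_h: str, ident_client_h: str,
                      reply: IdentReply) -> Optional[Conn]:
    """Locate the connection the Ident query was about.

    The Ident server's host is the originator of the queried connection (its
    side uses <server-port>); the querying host is the responder (<client-port>).
    """
    for c in conns:
        if (c.orig_h == ident_server_h and c.orig_p == reply.server_port
                and c.resp_h == ident_client_h and c.resp_p == reply.client_port):
            return c
    return None


def handle_ident_reply(conn: Conn, reply: IdentReply) -> bool:
    """Annotate conn the way the ident_reply handler does.

    Returns True when the returned username is on the sensitive list, i.e. the
    queried connection may have been initiated by a compromised account.
    """
    if reply.kind == "ERROR":
        conn.addl = f"(ident error: {reply.error})"
        return False
    conn.addl = f"(ident: {reply.user} on {reply.opsys})"
    return reply.user.lower() in SENSITIVE_USERNAMES


def demo():
    """Run the handler over constructed sample traffic and return the flagged users."""
    # Constructed connections: 10.0.0.5 (runs identd) connected to 192.0.2.10's telnet
    # and SSH ports; 192.0.2.10 queried 10.0.0.5:113 about each.
    conns = [Conn("10.0.0.5", 6191, "192.0.2.10", 23),
             Conn("10.0.0.5", 6192, "192.0.2.10", 22)]
    sample_replies = ["6191, 23 : USERID : UNIX : root",          # constructed
                      "6192, 22 : USERID : UNIX, US-ASCII : alice",  # constructed
                      "6193, 22 : ERROR : NO-USER"]                # constructed
    flagged = []
    for line in sample_replies:
        reply = parse_ident_reply(line)
        conn = find_queried_conn(conns, "10.0.0.5", "192.0.2.10", reply)
        if conn is not None and handle_ident_reply(conn, reply):
            flagged.append((conn.orig_h, conn.orig_p, reply.user))
    return flagged


if __name__ == "__main__":
    print(demo())
```

The parser deliberately splits the USERID payload at the first colon only, since RFC 1413 allows the user-id token itself to contain colons; treating a later colon as the separator would misattribute the username.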