hot-ids Module

The hot-ids module defines a number of redefinable variables that specify usernames Bro should consider sensitive:
forbidden_ids : set[string]
    Default: { "uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox", "4Dgifts", "ezsetup", "outofbox", "4dgifts", "sgiweb", }. All of these correspond to accounts that some systems have enabled by default (with well-known passwords), except for "rewt", which corresponds to a username often used by (weenie) attackers.
    Deficiency: The repeated definitions such as "EZsetup" and "ezsetup" reflect that this variable is a set and not a pattern. Consequently, the exact username must appear in it (with a pattern, we could use character classes to match both upper and lower case).
forbidden_ids_if_no_password : set[string]
    The same as forbidden_ids, except that a username is only considered forbidden if the login succeeded with an empty password. Default: "lp", a default passwordless IRIX account.
forbidden_id_patterns : pattern
    Default: /(y[o0]u)(r|ar[e3])([o0]wn.*)/, a particularly egregious style of username of which we've observed variants in different break-ins.
always_hot_ids : set[string]
    Default: { "lp", "warez", "demos", forbidden_ids, }. The "lp" and "demos" accounts are specified here rather than in forbidden_ids because it's possible that they might be used for legitimate accounts. "warez" (for "wares", i.e., bootlegged software) is listed because its use likely constitutes a policy violation, not a security violation.
    Note: forbidden_ids is incorporated into always_hot_ids to avoid replicating the list of particularly sensitive ids by listing it twice and risking inconsistencies.
hot_ids : set[string]
    Default: { "root", "system", always_hot_ids, }. The ones included in addition to always_hot_ids are only considered sensitive if the user logs in successfully.
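The following is an added example, not code from Bro or from this module, that models the classification rules described above in Python: it encodes the documented defaults, reports which variable(s) a login trips, and illustrates the set-versus-pattern deficiency with a case-insensitive match for the SGI default accounts. The function name classify_login, the assumption that forbidden_id_patterns is matched against the whole username, and the extra SGI pattern are all this example's own.

```python
import re

# Defaults as documented for the hot-ids module.
FORBIDDEN_IDS = {
    "uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox", "4Dgifts",
    "ezsetup", "outofbox", "4dgifts", "sgiweb",
}
FORBIDDEN_IDS_IF_NO_PASSWORD = {"lp"}
FORBIDDEN_ID_PATTERNS = re.compile(r"(y[o0]u)(r|ar[e3])([o0]wn.*)")
# forbidden_ids is folded into always_hot_ids, which is folded into hot_ids,
# mirroring the set-union initialisers in the documented defaults.
ALWAYS_HOT_IDS = {"lp", "warez", "demos"} | FORBIDDEN_IDS
HOT_IDS = {"root", "system"} | ALWAYS_HOT_IDS

# Hypothetical pattern (not part of the module) showing the fix the
# "Deficiency" note hints at: one character-class pattern covers every
# capitalisation of the SGI default accounts instead of listing each spelling.
SGI_DEFAULT_ACCOUNTS = re.compile(r"(ezsetup|outofbox|4dgifts)", re.IGNORECASE)


def classify_login(user, success, empty_password):
    """Return the names of the hot-ids variables this login trips.

    `success` is whether the login succeeded; `empty_password` is whether it
    did so with an empty password. An empty list means the login is not hot.
    """
    reasons = []
    if user in FORBIDDEN_IDS:
        reasons.append("forbidden_ids")
    # Only forbidden when the login succeeded *and* the password was empty.
    if user in FORBIDDEN_IDS_IF_NO_PASSWORD and success and empty_password:
        reasons.append("forbidden_ids_if_no_password")
    # Assumption: the pattern must match the whole username (the trailing
    # ".*" in the default suggests an anchored match rather than a substring).
    if FORBIDDEN_ID_PATTERNS.fullmatch(user):
        reasons.append("forbidden_id_patterns")
    if user in ALWAYS_HOT_IDS:
        reasons.append("always_hot_ids")
    elif user in HOT_IDS and success:
        # "root"/"system" are hot only on a successful login.
        reasons.append("hot_ids")
    return reasons


def is_sgi_default_account(user):
    """Case-insensitive check that the set-based forbidden_ids cannot express."""
    return SGI_DEFAULT_ACCOUNTS.fullmatch(user) is not None
```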