
6202-Ident Improper Request

SCOTT MCINTIRE
Level 1

Does anyone have a good definition of what the IDENT daemon is used for as well as how it can be exploited? NSDB doesn't go into much detail about this vulnerability. This signature was triggered by traffic coming from an NT box running Sendmail Single Switch email software with only port 25 open. Anyone aware of any benign triggers?

1 Reply

mcerha
Level 3

Ident is a protocol used to determine the owner of a process on a remote client attempting to make a connection to a local server. The server sends an Ident request to the remote client with a message containing the source port of the client connection attempt. The client's Ident server should respond with the username of the account making the connection request. Some programs, like Sendmail and IRC servers, use this as a security mechanism to verify the source of the connection. Signature 6202 looks for an Ident request longer than 20 bytes. A request longer than this might indicate a buffer overflow attack on the remote client. But this appears unlikely in your situation. I would need a traffic sample to determine the cause. Feel free to send traffic samples to mcerha@cisco.com. We'd be happy to look at them for you.
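
The following is an added example, not part of the thread or of Cisco's signature code: a triage helper that applies the 20-byte threshold described in the reply to captured port 113 payloads and also checks them against the RFC 1413 request format (two port numbers separated by a comma, ended by CRLF). The function names and sample payloads are constructed, and counting the line terminator toward the length is an assumption.

```python
import re

# Threshold from the reply above: the signature looks for an Ident request
# longer than 20 bytes. Assumption: length covers the whole payload,
# line terminator included.
MAX_REQUEST_BYTES = 20

# RFC 1413 request: <port-on-server> , <port-on-client> CRLF
# Optional blanks around the numbers and a bare LF are tolerated here.
_REQUEST_RE = re.compile(rb"[ \t]*(\d{1,5})[ \t]*,[ \t]*(\d{1,5})[ \t]*\r?\n")


def classify_ident_request(payload: bytes) -> dict:
    """Return length, threshold result and parsed ports for one payload."""
    result = {
        "length": len(payload),
        "oversized": len(payload) > MAX_REQUEST_BYTES,
        "well_formed": False,
        "ports": None,
    }
    match = _REQUEST_RE.fullmatch(payload)
    if match:
        ports = (int(match.group(1)), int(match.group(2)))
        if all(1 <= p <= 65535 for p in ports):
            result["well_formed"] = True
            result["ports"] = ports
    return result


def verdict(payload: bytes) -> str:
    """Reduce the classification to a label an analyst can sort alerts by."""
    r = classify_ident_request(payload)
    if r["oversized"] and r["well_formed"]:
        return "oversized-but-valid"   # syntactically valid, still over the threshold
    if r["oversized"]:
        return "oversized-malformed"   # over the threshold and not a port pair
    return "normal" if r["well_formed"] else "malformed"


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = [b"25 , 1034\r\n", b"25   ,        1034   \r\n",
               b"A" * 64 + b"\r\n", b"0,99999\r\n"]
    for s in samples:
        print(len(s), verdict(s), classify_ident_request(s)["ports"])
```

Sorting alerts by these labels separates payloads that are long but still a valid port pair from those that are long and not an Ident request at all, which is the distinction a traffic sample would be needed to make.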