Cisco Support Community
Community Member

6202-Ident Improper Request

Does anyone have a good definition of what the IDENT daemon is used for as well as how it can be exploited? NSDB doesn't go into much detail about this vulnerability. This signature was trigger by traffic coming from a NT box running Sendmail Single Switch email software with only port 25 open. Anyone aware of any benign triggers?


Re: 6202-Ident Improper Request

Ident is a protocol used to determine the owner of a process on a remote client attempting to make a connection to a local server. The server sends an Ident request to the remote client with a message containing the source port of the client connection attempt. The client's Ident server should respond with the username of the account making the connection request. Some programs, like Sendmail and IRC servers, use this as a security mechanism to verify the source of the connection. Siganture 6202 looks for an Ident request longer than 20 bytes. A request longer than this might indicate a buffer overflow attack on the remote client. But, this appears unlikely in your situation. I would need a traffic sample to determine the cause. Feel free to send traffic samples to We'd be happy to look at them for you.

CreatePlease to create content