KFSensor Features

KFSensor contains a wealth of both essential and sophisticated security features, many of which cannot be found in other products.

The key design philosophy was to make the product easy and quick to setup and use. The interface is totally GUI based, with the pre-configured settings making it suitable for most corporate environments, without the need for extensive and time-consuming configuration.

KFSensor is available in two editions: Professional and Enterprise.
For further information about the Enterprise edition, please view the Enterprise edition page.

Advanced Features

Monitors every port

KFSensor Professional monitors attacks on every TCP and UDP port, as well as detecting ICMP or ping messages. It also monitors all network activity of native Windows server applications; allowing these to act as part of a honeypot configuration.

Remote administration

The KFSensor Enterprise edition includes the ability to manage and monitor multiple honeypot installations. Events from different sensors across the network are concatenated in real time, allowing the immediate view of attacks as they happen.

KFSensor uses 3072-bit RSA public/private key authentication and 256-bit AES encryption to provide the unrivalled security for communication between sensors.

IDS signature engine

KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.

Its fast signature search engine has minimal impact on system performance and can easily handle thousands of rules.

It is easy to update the rule base with new rules from different sources, and to create new rules directly from an event.

Service Emulation

KFSensor features a number of different types of emulation, both simple and complex. These can be further extended with the use of custom scripts.

Flexible configuration

KFSensor can emulate different services on multiple ports and on different host IP addresses, allowing users to run any emulation on any port.

Multiple scenarios

Different honeypot scenarios can be defined, containing different port and service configurations. KFSensor is designed to be easy and quick to switch between scenarios while the system is running.

Port listening

This is the most basic type of trap, as it holds open a port, reads the data sent to it and records the event. Most useful in detecting worms.

Banner

More sophisticated than a port listener, the Banner is able to display either a service prompt or an error message. Although limited in its capabilities, the Banner has the advantage of being very easy to configure by a novice user.

Command console

Emulates the Windows command shell, otherwise known as a DOS box. A number of worms bind CMD.EXE to a listening TCP port.

HTTP

This is a fully working web server that correctly emulates Microsoft's IIS web server. It handles more obscure commands, including range requests and client side cache controls.

HTTPS

The HTTP server supports HTTPS with either a self signed certificate, or the ability to use a custom certificate.

SMTP

The Simple Mail Transfer Protocol (SMTP) emulation is capable of acting as an open relay server, thus providing the perfect trap for hackers looking for a target to relay spam.

Window networking / NetBIOS / SMB / CIFS

KFSensor can emulate all four of Microsoft's NetBIOS and SMB/CIFS services. With insecure file shares one of the most common and potentially dangerous security vulnerabilities exploited by hackers, KFSensor decodes NBT and SMB packets and logs them in a human readable format; and even enables worms to upload malicious code to a secure area, for later analysis.

SOCKS

KFSensor supports 4/4A/5 SOCKS protocols, and can be configured with eight levels of emulation behavior. SOCKS servers are frequently used to relay spam and to launch attacks on other servers. KFSensor contains advanced deception technology that allows spammers to believe that their mail is getting through, whilst secretly blocking such mail from being successfully relayed.

MS SQL Server

KFSensor supports both TCP and UDP SQL Server ports and can capture passwords used in intrusion attempts.

MySQL

KFSensor provides sophisticated simulation that handles protocol negotiation and decrypts packets for human readable logging. It also allows visitors to log on and to browse database schemas.

FTP

File Transfer Protocol emulation.

POP3

Telnet

Terminal Server

The Terminal server is a Microsoft application that allows remote users to log on to a server.

VNC

The VNC is a cross platform remote control application. The emulation allows hackers to attempt to log on, but rejects all passwords.

Relay

A relay server is used to allow visitors to access a service running on another machine

External

It is possible to write your own simulations in a number of languages, including PERL and C. KFSensor is also compatible with scripts written for Honeyd.

Events

Event details

All the network traffic that makes up a connection is concatenated into a single event, overcoming the problem of message fragmentation. As well as recording items such as the start and end time of an attack, a visitor's IP and port addresses, all the data transferred both to and from the honeypot is also recorded.

Configurable display columns

The interactive event list can be configured using any combination of the thirty possible column types available.

View by port

KFSensor's Explorer type interface includes a port tree structure that color-codes those ports depending on how recently they have been attacked. Selecting a port automatically filters the events to show only those targeted at that particular port.

View by visitor

The port view can be altered to display a tree of visitors, allowing events to be filtered to show events from a particular visitor.

Severity

Each event is assigned a severity level. This grading allows more serious attacks to be identified, with different actions linked to different severities. For example, the system can be configured to specify that an email alert will only be sent when a high severity event is detected.

Reports

Top Attacks Reports

There are reports to shows the top ports by number of attacks, the top visitors by number of attacks, and the most persistent return visitors.

Chronological Reports

Allows for analysis of how attacks change over time.

Graphs

Each report is supplemented with a graph, to help visualise the data.

Custom Filters

Reports can be filtered on time period, attack type and the location of the visitors, allowing for detailed study and analysis of a particular threat.

Alerts

System tray alerts

KFSensor provides a visual alert, displaying an alarm icon in the system tray at the bottom right of the Windows desktop. This flashes either yellow or red when an alert is detected.

Audio alerts

KFSensor can be configured to play a customizable alert sound when an event occurs.

EMail alerts

KFSensor can also send alerts via email, using two different formats. The short format email alert provides minimal information on an event, and is best suited for sending to a portable device; while the long format email alert provides much more detailed information and is suitable for a typical email client.

SysLog alerts

KFSensor can send alerts to a UNIX Syslog server.

Event log alerts

KFSensor can send alerts to the local machine's Event Log, enabling it to be detected by third-party event monitoring software.

External application alerts

KFSensor provides the ability to invoke an external application to handle an alert event. This flexible feature has many different uses, including the creation of custom event log files; the launching of an immediate port scan on the IP address of a visitor to the honeypot; and can send alerts to a third-party application.

Other Features

Denial Of Service (DOS) attack protection

KFSensor is equipped with several mechanisms to counter DOS attacks.

SIEM Integration

KFSensor can send its events in real time to SIEM systems. KFSensor supports ArcSight and Qradar, making integration with these systems easy.

Scenario rules

It is possible for KFSensor to react differently, depending on a visitor’s IP address. For example, rules may be defined that cause the server to ignore requests from certain sources, or to increase the severity of an alert.

Database integration

KFSensor can optionally store events into an ODBC SQL based database. As well as improving the system's performance, this also allows the creation of custom reports using any database tool.

Export logs in multiple formats

Events can be exported to file in the following formats: XML, HTML, tab separated and CSV.

Systems service

KFSensor runs as a systems service, allowing it to start before a user has logged on.

Secure configuration

KFSensor has been designed using the least privilege principle. Unlike many other products, KFSensor does not require Admin or root privileges in order to function. By taking advantage of Window's native security mechanisms, the host machine can be secured against any possible compromise of the KFSensor system.

Extensive Documentation

Detailed help documentation is available for all aspects of the product, including a detailed guide on how to configure and optimize the product.