Proxy Rule configuration

The proxy rules control whether a proxy connection or an email is actually relayed to its intended destination, or is silently dropped after being logged.

Allowing a visitor to access another system through your computer is always highly risky: every relayed connection leaves your machine as the apparent source. However, it is the only way of duping a sophisticated hacker into believing they have come across a working proxy server, and thus of getting them to reveal their true intentions.

The secret of a successful honeypot proxy implementation is to allow through only the minimum number of connections necessary to yield a successful deception.

Proxy Rule Implementation

The proxy rules need to be customized for each implementation, and often new rules have to be devised to catch a particular hacker.

To achieve this, KFSensor uses external applications to make these decisions and to implement custom rules.

This works in a similar way to External Alerts and the Edit External Console App.

This method has the additional advantage that the external applications can be used to produce custom reports as well as to implement the proxy rules.

PERL Scripts

PERL is the perfect language to implement proxy rules.

It is simple to use, and yet its pattern matching functionality enables very complex rules to be developed easily. We have included example PERL scripts that implement proxy rules. These are fully functional and we recommend you use them as the basis for your own rules.

In order to use these scripts you will need to obtain and install a copy of PERL.

How the rules work

When KFSensor needs to decide whether to relay a connection or an email, it runs the configured application and writes the information needed to make that decision to the application's stdin pipe.

When the application completes its execution it sets its exit code to indicate whether or not the connection should be relayed. If and only if the application returns an exit code of zero will the connection be relayed. This fails closed: a script that dies before reaching its exit statement returns a non-zero status, so a broken rule blocks rather than relays.

Any text written to the application's stderr pipe is added to the "sent" field of the event. This is a good way of debugging the rules in the script, or of adding comments to the event.

In practice this is very straightforward and will be obvious when you view the example PERL scripts, even if you have not come across PERL before.

SOCKS/HTTP Connect Proxy Rule

Configuration

Use the Proxy Rules dialog box to configure the example proxy rule script:

Field              Value                                                                      Comment
Application Path   C:\Perl\bin\perl.exe                                                       Location of the PERL executable
Arguments          "C:\Program Files\KeyFocus\KFSensor\files\scripts\kfconnectproxytest.pl"  Full path of the example script
Working directory  C:\kfsensor                                                                Directory where custom reports will be generated
Parameters

The following information is passed to the application on its stdin pipe.
Each parameter is on a new line and an equals sign is used to separate the parameter name from its value.

Parameter      Example            Comment
KFSENSOR       CONNECTCHECK       Always present, so the script can check that it is being called with the correct parameters
SENSORIP       192.168.2.9        The IP address of KFSensor
SENSORPORT     8080               The KFSensor port
VISITORDOMAIN  MESHCOMP           The visitor's domain, if known
VISITORIP      192.168.2.99       The visitor's IP address
VISITORPORT    7026               The visitor's port
TARGETDOMAIN   target.com         The domain name that the visitor wants to connect to
TARGETIP       192.168.2.77       The IP address that the visitor wants to connect to
TARGETPORT     25                 The port that the visitor wants to connect to
CONNECTIONS    1                  The number of connections the visitor has made to KFSensor
REQUESTTYPE    HTTPCONNECT        The type of connection, one of:
                                    • HTTPPROXY
                                    • HTTPCONNECT
                                    • SOCKS
REQUEST        GET http:// etc.   For request type HTTPPROXY this parameter contains the HTTP request, so that a decision can be made on the basis of the URL as well as the target host. It is encoded in base64 for easy processing by the script.
Example script - kfconnectproxytest.pl

This PERL script demonstrates how the parameters are extracted and how the decision on whether to allow a connection is returned through the exit code.
If the $debugparams variable is set to non-zero, the rules that were triggered are added to the event logged by KFSensor.

SMTP Proxy Rule

Configuration

Use the Proxy Rules dialog box to configure the example proxy rule script:

Field              Value                                                                   Comment
Application Path   C:\Perl\bin\perl.exe                                                    Location of the PERL executable
Arguments          "C:\Program Files\KeyFocus\KFSensor\files\scripts\kfsmtpproxytest.pl"  Full path of the example script
Working directory  C:\kfsensor                                                             Directory where custom reports will be generated
Parameters

The following information is passed to the application on its stdin pipe.
Each parameter is on a new line and an equals sign is used to separate the parameter name from its value.

Parameter                  Example                    Comment
KFSENSOR                   SMTPCHECK                  Always present, so the script can check that it is being called with the correct parameters
HELO                       192.168.2.9                The HELO SMTP command that the visitor used
BANNER                     220 spammer.com            The SMTP banner sent to the visitor. This is encoded in base64 for easy processing by the script.
SENSORIP                   192.168.2.9                The IP address of KFSensor
SENSORPORT                 8080                       The KFSensor port
VISITORDOMAIN              MESHCOMP                   The visitor's domain, if known
VISITORIP                  192.168.2.99               The visitor's IP address
VISITORPORT                7026                       The visitor's port
ISEMULATINGHOST            1                          1 = KFSensor is pretending to be a remote SMTP server
                                                      2 = KFSensor is pretending to be an open relay server
EMULATEDDOMAIN             spamtarget.com             The domain name of the SMTP server the visitor thinks they are using
EMULATEDIP                 192.168.2.44               The IP address of the SMTP server the visitor thinks they are using
EMULATEDPORT               25                         The port of the SMTP server the visitor thinks they are using
CONNECTIONS                1                          The number of connections the visitor has made to KFSensor
TOTALSMTPCONNECTIONS       10                         The total number of SMTP connections the visitor has made
TOTALRCPTS                 100                        The total number of spam destinations, i.e. RCPT TO: commands, the visitor has made
GRANDTOTALSMTPCONNECTIONS  30                         The total number of SMTP connections all visitors have made
GRANDTOTALRCPTS            300                        The total number of spam destinations, i.e. RCPT TO: commands, all visitors have made
FROM                       <idno816336@yahoo.com>     The from email address
TO                         <chalms_99@192.168.2.10>   The first to address. KFSensor will forward an email only to the first to address.
NUMTOS                     1                          The number of recipients the email is going to
TOS[1..n]                  <chalms_99@192.168.2.10>   Each of the recipients: TOS1, TOS2, TOS3, etc.
MESSAGE                    {encoded}                  The message contents. This is encoded in base64 for easy processing by the script.
Example script - kfsmtpproxytest.pl

This PERL script is similar to kfconnectproxytest.pl, but contains many more rules and also writes reports.
The reports are tab-separated text files and can be used to make a detailed complaint to the spammer's ISP.
This script could be extended to send automated spam warnings to interested parties.
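The following script is an added example covering both the "How the rules work" contract and the CONNECTCHECK and SMTPCHECK parameter tables above. It is not the kfconnectproxytest.pl or kfsmtpproxytest.pl shipped with KFSensor, and it is written in Python rather than PERL to show that any external application which reads the NAME=value lines from stdin, writes comments to stderr and sets its exit code will work as a rule. The port allow-list, the recipient caps, the internal-network prefixes, the report file name smtp_report.txt and the documentation-range target address 203.0.113.10 in the constructed sample input are all assumptions made for the example, not KFSensor defaults.

```python
"""KFSensor proxy-rule script added to this page as an example; it is not the
kfconnectproxytest.pl / kfsmtpproxytest.pl that ship with the product. Contract:
NAME=value lines on stdin, exit 0 = relay, anything else = block, stderr -> event."""
import base64
import sys

# Policy values chosen for this example (assumptions, not KFSensor defaults).
ALLOWED_CONNECT_PORTS = {25, 80, 443}            # a decoy proxy relays to very few ports
MAX_RCPTS_PER_VISITOR = 50                       # stop relaying once one spammer has used this
MAX_GRAND_RCPTS = 500                            # ... or once all visitors together have
INTERNAL_PREFIXES = ("10.", "127.", "192.168.")  # never relay towards our own network

def parse_params(text):
    """Turn the NAME=value lines KFSensor writes to stdin into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def decode_b64(value):
    """Decode a base64 parameter (REQUEST, BANNER, MESSAGE); garbage decodes to ''."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""

def connect_decision(p):
    """Decide a CONNECTCHECK call. Returns (relay, reason)."""
    if p.get("KFSENSOR") != "CONNECTCHECK":
        return False, "not a CONNECTCHECK call"
    target = p.get("TARGETIP", "")
    if target.startswith(INTERNAL_PREFIXES) or target == p.get("SENSORIP"):
        return False, "target %s is internal" % target
    try:
        port = int(p.get("TARGETPORT", ""))
    except ValueError:
        return False, "bad TARGETPORT"
    if port not in ALLOWED_CONNECT_PORTS:
        return False, "port %d not in allow-list" % port
    if p.get("REQUESTTYPE") == "HTTPPROXY":
        # Only HTTPPROXY carries the request, so URL/method rules apply here only.
        first_line = decode_b64(p.get("REQUEST", "")).split("\r\n", 1)[0]
        if not first_line.startswith(("GET ", "HEAD ")):
            return False, "only GET/HEAD relayed, got: " + first_line[:40]
    return True, "relay %s to %s:%d" % (p.get("REQUESTTYPE"), target, port)

def smtp_decision(p):
    """Decide an SMTPCHECK call. Returns (relay, reason)."""
    if p.get("KFSENSOR") != "SMTPCHECK":
        return False, "not an SMTPCHECK call"
    try:
        mine, everyone = int(p.get("TOTALRCPTS", "0")), int(p.get("GRANDTOTALRCPTS", "0"))
    except ValueError:
        return False, "bad counter"
    if mine > MAX_RCPTS_PER_VISITOR or everyone > MAX_GRAND_RCPTS:
        return False, "rcpt budget exhausted (%d visitor / %d total)" % (mine, everyone)
    # KFSensor forwards only to the first TO address, so that is the one to vet.
    first_to = p.get("TO", "")
    domain = first_to.strip("<>").rpartition("@")[2]
    if domain.startswith(INTERNAL_PREFIXES) or domain == p.get("SENSORIP"):
        return False, "first recipient %s is internal" % first_to
    return True, "relay to first recipient " + first_to

def smtp_report_row(p):
    """One tab-separated report line: visitor, HELO, from, recipient counts, subject."""
    subject = ""
    for line in decode_b64(p.get("MESSAGE", "")).splitlines():
        if line.lower().startswith("subject:"):
            subject = line.partition(":")[2].strip().replace("\t", " ")
            break
    fields = [p.get("VISITORIP", ""), p.get("HELO", ""), p.get("FROM", ""),
              p.get("NUMTOS", ""), p.get("TOTALRCPTS", ""), subject]
    return "\t".join(fields) + "\n"

# Constructed sample calls in the stdin format described by the parameter tables.
SAMPLE_CONNECT = "\n".join([
    "KFSENSOR=CONNECTCHECK", "SENSORIP=192.168.2.9", "VISITORIP=192.168.2.99",
    "TARGETIP=203.0.113.10", "TARGETPORT=80", "REQUESTTYPE=HTTPPROXY",
    "REQUEST=" + base64.b64encode(b"GET http://target.com/ HTTP/1.0\r\n\r\n").decode()])
SAMPLE_SMTP = "\n".join([
    "KFSENSOR=SMTPCHECK", "HELO=192.168.2.9", "SENSORIP=192.168.2.9", "VISITORIP=192.168.2.99",
    "TOTALRCPTS=3", "GRANDTOTALRCPTS=30", "FROM=<idno816336@yahoo.com>",
    "TO=<someone@example.net>", "NUMTOS=1",
    "MESSAGE=" + base64.b64encode(b"Subject: cheap pills\r\n\r\nbuy now").decode()])

def main():  # KFSensor entry point: read stdin, comment on stderr, set the exit code
    p = parse_params(sys.stdin.read())
    if p.get("KFSENSOR") == "SMTPCHECK":
        relay, reason = smtp_decision(p)
        with open("smtp_report.txt", "a", encoding="utf-8") as report:  # in the Working directory
            report.write(smtp_report_row(p))
    else:
        relay, reason = connect_decision(p)
    sys.stderr.write(reason + "\n")
    sys.exit(0 if relay else 1)

if __name__ == "__main__":
    main()
```

To wire it in, the Proxy Rules dialog fields are filled in exactly as in the tables above, with Application Path pointing at the Python interpreter instead of perl.exe and Arguments giving the full path of this script; the report file is appended in the configured Working directory. Note that with the example's internal-prefix rule, the TARGETIP 192.168.2.77 from the parameter table is refused: relaying back into your own network is the one thing a decoy proxy must never do, whatever else the deception requires.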
