KFSensor has a number of different features, many of which are not enabled by default.
The default configuration errs on the side of caution, which often prevents the more interesting attacks from being fully explored.
In order to get the best out of the product you will need to configure it to meet your needs.
Fix Port Errors
You may see that some ports in the Ports View are marked as being in Error.
See the Correcting Port Errors section of this guide for details on how to fix these.
Signatures
Import the latest signature rules.
See the Signature Maintenance section for more details.
Database Log
KFSensor always records events into XML files, which it stores on the local machine.
It can also store events into an ODBC SQL based database.
As well as improving the system's performance, this has the advantage that you can create your own custom reports using any database tool.
See the Database Log dialog box section of the manual for more details.
Alerts
In order to inform you when an intrusion occurs KFSensor supports a number of different alert mechanisms.
Each of the alert mechanisms is optional. You should configure the ones that are appropriate for you.
See the Alerts section of the concepts guide for more details.
Visitor Rules
There are certain circumstances in which you will want to disable KFSensor for certain visitors, such as for your organization's vulnerability scanner, or to cut down on the number of events generated.
KFSensor provides a mechanism for doing this. See the Visitor Rules section of the concepts guide for more details.
Denial Of Service (DOS) Attack
The KFSensor Server is very fast at responding to visitors.
On a reasonably quick internet connection the server can easily handle several million requests per hour.
This would not pose a problem for the server itself, but it would cause the logs to grow very large.
To prevent KFSensor from being swamped by a DOS attack, there is a special feature that mitigates this.
The default settings may need to be adjusted to suit your circumstances.
See the DOS Attack Settings dialog box for more details.
Sim Servers
Each of the Sim Std Servers has a number of different possible configurations and settings.
For example:
HTTP - Sim Std Server
KFSensor provides a working emulation of Microsoft's IIS web server.
By default only one web page is installed with KFSensor, the standard "Under Construction" page.
This will not keep a hacker interested for long.
Create your own dummy web site containing HTML and image files with a tool like MS Front Page and copy the files into the directory:
C:\Program Files\KeyFocus\KFSensor\files\iis\wwwroot
This will be far more interesting to a hacker, especially if the dummy web site appears to contain confidential material.
See the Edit Sim Std Server - HTTP dialog box for more details.
SMTP - Sim Std Server
The SMTP emulation is capable of relaying a limited number of email messages back to a hacker's email address.
Spammers who search for open-relay SMTP servers to exploit tend to send themselves a test message to ensure the server is working before attempting to use it to send out spam en masse.
This is a potentially risky feature and must be purposely enabled. See the Edit Sim Std Server - SMTP dialog box for more details.
Windows networking / NetBIOS / SMB / CIFS
Windows networking protocols consistently receive the most attacks on the Internet.
KFSensor provides a sophisticated emulation of SMB that not only allows these attacks to be detected but draws a hacker in and even captures the rootkits and worms that they attempt to upload.
In order to get this feature to work you will need to disable these services in the Windows operating system.
This will disable file and printer sharing on the honeypot machine, but it is strongly recommended that you do so.
For more details on this see the next section of the Admin Guide: Windows networking / NetBIOS / SMB / CIFS.
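The service shutdown this section calls for, as an added PowerShell example that is not from the KFSensor manual (the manual's own procedure is in the section referenced above). It assumes an elevated session on the honeypot host and that KFSensor's SMB emulation will bind TCP 139 and 445.

```powershell
# Added example, not KFSensor's own procedure: free TCP 139/445 so the KFSensor
# SMB emulation can bind them instead of Windows' own file and printer sharing.
# Assumes an elevated PowerShell session on the honeypot machine.

# 1. Stop and disable the Server service (LanmanServer), which owns TCP 445.
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled

# 2. Unbind "File and Printer Sharing for Microsoft Networks" from every adapter
#    so the binding does not come back on the next reboot.
Get-NetAdapter | Disable-NetAdapterBinding -ComponentID ms_server

# 3. Disable NetBIOS over TCP/IP (TCP 139, UDP 137/138) on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                         -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# 4. Check: nothing in Windows should still be listening on 139 or 445.
#    An empty result here means KFSensor will not report these ports in Error.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 }
```

Stopping LanmanServer also removes the administrative shares (C$, ADMIN$), so manage the honeypot host through RDP or the console rather than over SMB.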
KFSensor Proxy Server emulation
Proxy servers are commonly used by hackers and spammers to mask their true identity.
By emulating proxy servers, KFSensor can capture an indirect attack on another server while preventing that attack at the same time.
For more details of proxy server emulation and the types of attacks used on them see the KFSensor Proxy Server emulation section.