| KFSensor |
| About |
| Overview |
| Screen shots |
| Features |
| Enterprise edition |
| Compare editions |
Download trial  |
| Buy KFSensor |
| News |
| Manual |
| Knowledge Base |
| Links |
| Extras |
Factsheet (.pdf)  |
Visitor rules
It is possible for KFSensor to react differently depending on the IP address of a visitor and to the number
of connections made each visitor.
Each scenario can contain an unlimited number of rules which define actions to take.
The rules are defined using the Visitor Rule dialog box which can be accessed by the Rules button in the Edit Scenario dialog or the Edit Active Visitor Rules menu option in the Scenario Menu.
Rule conditions
A rule is triggered if its conditions are met.
Each rule can have the following conditions defined; a host DNS name, an IP address or IP address range,
the transport protocol and the sensor port number. An optional range for the number of connections made to
the specified port can also be set.
When a connection occurs that meets the conditions of several rules then KFSensor will pick one rule.
The rule with the most specific conditions will be chosen according to the following priorities:
- A rule with a host DNS name will always have priority over a rule with an IP range.
- A rule with a single IP will always have priority over a rule with an IP range.
- A rule with a specific port will have priority over a rule which applies to all ports.
- A rule with a specific protocol will have priority over a rule which applies to all protocols.
Rule actions
There are three possible actions that can be taken by a rule:1. Close
KFSensor will close a connection immediately without sending a response2. Ignore
KFSensor will not log an event for the connection.The Close and Ignore actions can be used together.
3. Set Severity
The severity of the event generated by the connection will be set to the one specified in the rule. This overrides the severity defined by the listen definition.How rules can be used
The following examples show how rules can be used to achieve specific purposes.1. Increase severity for internal attacks
Attacks originating from inside the organization can be considered more severe than those from the Internet.
| Rule Conditions | |
| First IP | 192.168.1.1 |
| Last IP | 192.168.1.255 |
| Protocol | Any |
| Port | Any |
| Min Connections | |
| Max Connections | |
| Rule Action | |
| Close | False |
| Ignore | False |
| Set Severity | High |
2. Ignore legitimate traffic
A trusted machine may be generating SQL Server broadcast messages. Events from this machine to port 1434 can be ignored with this rule.
| Rule Conditions | |
| First IP | 192.168.2.10 |
| Last IP | |
| Protocol | UDP |
| Port | 1434 |
| Min Connections | |
| Max Connections | |
| Rule Action | |
| Close | False |
| Ignore | True |
| Set Severity | No Change |
3. Hide from vulnerability scanners
If vulnerability scanners are being used as part of a security audit then they will generate alerts on KFSensor and on the scanner itself. A rule can be used to get KFSensor not to respond to specified IP address.
| Rule Conditions | |
| First IP | 192.168.1.50 |
| Last IP | |
| Protocol | Any |
| Port | Any |
| Min Connections | |
| Max Connections | |
| Rule Action | |
| Close | True |
| Ignore | False |
| Set Severity | No Change |
4. Only log the first three events
Some visitors can make a very large number of connections to a particular port. This practical example uses a rule to control the actions taken for a visitor that makes repeated connections to UDP port 137, the NBT name service. Only the first three connections will be logged.
In the case of UDP 137 it is also useful to specify a separate max connection limit for this port. See the Edit Listen dialog for more details.
| Rule Conditions | |
| First IP | 0.0.0.0 |
| Last IP | 255.255.255.255 |
| Protocol | UDP |
| Port | 137 |
| Min Connections | 4 |
| Max Connections | |
| Rule Action | |
| Close | False |
| Ignore | True |
| Set Severity | No Change |
Next: Signatures