Signatures

KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.

KFSensor has a fully featured and fast signature engine implementation, comparable with that found conventional network intrusion detection systems.

In KFSensor the signature recognition complements the honeypot emulations by providing additional information on events.

KFSensor can import signature rules written in Snort format, the de-facto industry standard. This allows KFSensor to be configured with signatures from many different sources.

Features

• Fast signature search engine, which has a minimal impact on system performance.
• Handles thousands of rules
• String, regular expressions and byte testing rules supported
• Easy maintenance and updating of new rules from different sources
• Create new rules directly from an event
• Export rules in KFSensor or Snort format

How it works

A signature rule defines a set of conditions that must be met in order for the rule to be matched.
There are many different types of condition that can be defined, such as a specified service port or a piece of text to be found.

When KFSensor receives a connection from a visitor it passes information on the connection and the data received from the visitor to the Signature Engine.
The Signature Engine then compares this data with each Signature Rule stored in its Signature Base.
If a match is found the signature ID is stored with the event in the event log.

The signature rule's message is then made available to the user along with the rest of the event details, through the user interface and email alerts.

More detailed information on how to edit and configure signature rules may be found later in this manual.

The KFSensor Administration Guide contains a Signature Maintenance section on how to set up a rule base for the first time.

KF Sensor On-Line Manual Contents