KFSensor Terms

There are many different terms and phrases used in describing aspects of the Internet and systems security services. This section describes the key phrases used in KFSensor and the concepts behind them.


A visitor is a general term used to refer to an entity that connects to KFSensor. Such a general term is used as the visitors could be hackers, worms, viruses or even legitimate users that have stumbled onto KFSensor by mistake. Visitors can also be referred to as the clients of the services provided by KFSensor.


An event is a record of an incident detected by the KFSensor Service. For example if a visitor attempts to connect to the simulated web server then an event detailing the connection is generated.

Events are recorded in the log file and displayed in the KFSensor monitor.

Sim Server

Sim server is short for simulated server.
It is a definition of how KFSensor should behave in order to impersonate and emulate real server software. A typical server machine runs a number of servers to provide a range of different services, such as a web or SMTP server.

There is no limit to the number of Sim Servers that can be defined. You may want to set up Sim Servers for different implementations of the same service, such as IIS and Apache web servers, or different versions of the same service.

There are two types of Sim Server available; the Sim Banner and the Sim Standard Server.

To view and edit your Sim Servers definition, select the Edit Sim Servers... menu option from the Scenario menu.

Sim Banner

A Sim Banner is the most basic type of Sim Server.
It has the ability to read and then record the data sent to it by a visitor and to send the visitor a piece of data called a banner.

A banner is a piece of text or binary data that is part of the Sim Banner definition. The banner text can contain parameters. These parameters are replaced when the banner is sent to the client with the values they represent. This enables a more realistic response to be made, such as including the present time and not a fixed piece of text.

For some simple services that is all that is required to emulate a service. For example, the purpose of the echo server is simply to return a copy of the data sent to the server. This can be easily accomplished with a Sim Banner definition.

Emulating a more complex server such as a web server works in the same way. In this case the visitor sends an HTTP request for a particular file and the Sim Server's Banner could return a standard Banner containing a standard HTTP response. An experienced hacker will not be fooled for long by such a simple emulation, but this is often enough to identify a hacking attempt.

Sim Standard Server

A Sim Standard Server is a sophisticated emulation of a real server.
The level of deception is much higher than with a Sim Banner and provides much more detailed information for analyzing an attack.

This is a list of the Sim Standard Servers that KFSensor currently supports.

Server Port Description
CMD Command console 4444 The Command console Sim Std Server emulates the Windows command shell, otherwise known as a DOS box
DHCP 67 The Dynamic Host Configuration Protocol (DHCP) is an protocol which allows for the automatic configuration of networks.
Its typical use is to assign dynamic IP address to computers on a network.
FTP 21 File Transfer Protocol
HTTP 80 An HTTP server is another name for a web server
MySql 3306 The MySql service
NBT Name Service 137 Windows File and print sharing
NBT Datagram Service 138 Windows File and print sharing
NBT Session Service 139 Windows File and print sharing
NBT SMB 445 Windows File and print sharing
POP3 110 Post Office Protocol.
A POP3 server is used to store email messages, which can be retrieved using email applications like Microsoft Outlook.
Relay   A Relay server is used to allow visitors to access a service running on another machine
SMTP 25 Simple Mail Transfer Protocol
A SMTP server is used to accept incoming email messages.
SOCKS 1080 A SOCKS proxy server is used to relay all types of TCP and UDP traffic through a proxy server.
SQL Server 1433 The main MS SQL Server service
SQL UDP Server 1434 The MS SQL Server UDP service
Telnet 23 A Telnet server is used to allow visitors to open a remote console on the server machine
Terminal Server 3389 Terminal Server is a Microsoft application that allows remote users to log on to a server
VNC 5900 VNC is a cross platform remote control application


A listen is an instruction for the KFSensor Server to open, or bind to a specific port and perform a specified action when a visitor connects to that port. The same or different actions can be performed on many different ports with listen definitions.

There are three different types of action that can be performed by a Listen when a visitor connects to the port defined by the Listen:

  • Close
    Close the connection immediately and log the event.
    If the Network Protocol Analyzer is active then the port will appear closed to a visitor.
  • Read and Close
    Wait for the visitor to send a request and close the connection without sending a response. The data received is recorded as part of the event that is logged.
  • Sim Banner
    Perform the actions specified by the selected Sim Banner definition and record any data in the event that is logged.
  • Sim Std Server
    Perform the actions specified by the selected Sim Std Server definition and record any data in the event that is logged.
  • Native
    Use this to monitor a port opened by another piece of software. This enables a native service such as the IIS web server to be used as part of the honeypot. All connections made to this services will be logged in the same was as connections made to a sim server.

Listen Icon

Each listen definition is associated with one of eight icons.
These icons help to provide a visual clue as to the type of service and are displayed in the port view and event view.

Icon Name Description
Banshee Used for miscellaneous services
Server Used for services found on a Windows server, such as Windows Terminal Server
Workstation Used for services found on all Windows machines
World Used for services that may be exposed to the Internet
Penguin Used for services found on Linux systems, but not usually on Windows systems
Radio active Used for non-standard applications such as peer to peer file sharing applications
Skull Used for worms
Hacker Used for trojans and root kits


A scenario is a collection of listen definitions, which control all the actions the KFSensor Server should perform. Many scenarios can be defined, each appropriate for different purposes. Such as detecting attacks to a workstation or a server. Only one scenario can be active at a time, but it is easy to switch between scenarios.


KFSensor uses severity to classify Events into three levels of importance; low, medium and high.

An event's severity is set by the severity of the Listen that generated it.

When an event is generated the type of alert is dependant on the severity level.

Level Icon Color Alert
Low Grey No alert warning is generated for low severity events
Medium Yellow The KFSensor monitor system tray icon will flash yellow
High Red The KFSensor monitor system tray icon will flash red

Denial Of Service (DOS) Attack

A denial of service (DOS) attack is an attempt to over load a server by sending a very large number of requests to the server with the aim of over-loading the server's resources, so that it can no longer cope with legitimate traffic.
Hackers that launch DOS attacks frequently use several machines to launch an attack at the same time to generate the maximum numbers of connections and band-width usage.

DOS attacks are the hardest kind of attacks to protect against and many big companies such as Microsoft and Yahoo have been victims of these types of attacks.

The KFSensor Server is very fast at responding to visitors. On a reasonably quick internet connection the server can easily handle several million requests per hour. This would not pose a problem for the server itself, but it would cause the logs to grow very large.

To prevent a hacker generating an excessive amount of events KFSensor implements various limits on the amount of traffic it will accept.

In event of a sustained DOS attack KFSensor will Lock Out the visitors responsible for the attack and refuse to accept any connection from them for a set period of time.

If a hacker is using numerous IP aliases to launch a sustained DOS attack the server will Lock Up and refuse to accept any connections for a set period of time.

These settings are configured using the DOS Attack Settings dialog box.

Next: How KFSensor complements other forms of security

KFSensor On-Line Manual Contents