New features in this release

KFSensor Professional version 4.5.0

3 July 2008

Vista ports

  • Added definitions for services specific to Windows Vista
  • Web Services for Devices
  • IIS version 7 simulator

WinPcap

  • KFSensor now supports the latest WinPcap version 4.1.

Memory management

  • Improvements to the code have resulted in a smaller memory footprint, which will aid system performance under heavy load.

KFSensor Professional version 4.4.0

2 November 2007

MySQL Server - Sim Std Server

  • Handles protocol negotiation
  • Decrypts packets
  • Allows visitor to browse database schemas
See the Edit Sim Std Server - SQL Server section for more details.

WinPcap

  • KFSensor now supports WinPcap version 4.0.

Ignore broadcasts

  • The visitor rules can now take the sensor IP address as a condition.
  • This allows rules to be written that are specific to the broadcast address, e.g. ignore all UDP broadcasts on a particular port.

Other

  • Increased session limits
  • Reduced memory requirements

Upgrading from previous versions

Version 4.4 contains a number of new and updated scenario definitions.
To protect your existing configuration these are not imported automatically.

In order to update your configuration follow these steps:

  1. Select the Scenario -> Import Scenario Definitions... menu item
  2. Select and open the file kfsupdate4_4_0.xml
  3. The row named "MySQL Service" is unticked. Tick this row so that you get the new MySQL emulation
  4. Press OK, and then Yes when asked to overwrite
  5. That's it.


KFSensor Professional version 4.3.0

11 December 2006

Vista Compatibility

  • Previous versions of KFSensor will work with Windows Vista, but require an elevated level of admin access rights.
  • The location of the KFSensor configuration files has been moved in this version to make configuration easier with Windows Vista.
  • A new setting in the Server Settings dialog called "Home Root Path" allows this directory to be changed.

WinPcap

  • KFSensor now supports WinPcap version 4.0 beta 2.

Signature Rule Flags

  • New feature to allow more complex rules to be developed.
  • Better supports rules from publicly available sources, resulting in fewer false positives.

Upgrading from previous versions

Unlike previous updates, version 4.3.0 requires some additional steps to be taken after the upgrade. These should take less than five minutes.

With the introduction of Windows Vista, Microsoft have changed the way that file permissions are granted to certain directories, such as "Program Files". Previous versions of KFSensor stored their configuration files in a sub-directory of "Program Files", which prevents a user from changing the KFSensor settings when installed on Vista, except when run with elevated access rights.

To make KFSensor compatible with Windows Vista's security model we have changed the location of the KFSensor configuration directory.
This applies to all Windows versions, not just Vista.
This means after upgrading a previous installation of KFSensor the configuration will initially be reset to the default configuration.

To restore your previous configuration

  1. Stop the KFSensor service and exit the KFSensor Monitor application.
  2. Using Windows Explorer copy the original KFSensor configuration files to the new location.
    Copy all the xml files from this directory:
       C:\Program Files\KeyFocus\KFSensor\conf
    to
       C:\kfsensor\conf
    overwriting the default files in that location.
  3. Start KFSensor from the Start Menu in the normal way.

Re-import External Signatures

If you have imported signature rules from external sources, in a previous version of KFSensor, then these rules may be missing some of the options that the new version of KFSensor supports.

To ensure that your external rules are converted in the optimum way you will need to re-import them into KFSensor.
As KFSensor knows not to import duplicate definitions it is necessary first to purge the existing external rules in the KFSensor rule base before re-importing the latest set of external rules.

  1. To do this select the Signatures -> Edit Signatures menu item.
  2. Then press the Purge button.
  3. Then select External from the Purge Selection control and then press OK.

KFSensor Professional version 4.2.0

16 June 2006

This point release contains a number of minor enhancements made in response to user feedback.

Email Event Filter

  • The Email alert filter functionality has been enhanced in version 4.2.
  • It is now possible to specify how many email alerts can be sent in each time period.
  • There is a separate limit for each visitor and for the total.

Signature Rule Event Severity Options

  • A signature rule contains the option to change the severity of an event. This may have the effect of reducing the severity set by the listen definition. In order to control this behaviour there are three different options:

Event On (Port Scan)

  • This option is used to monitor the number of different ports in the same way as the option above. When the limit is reached for this setting, a port scan event will be logged.
  • This enables port scans to be detected without blocking the visitor.

Check For New Version Update

  • This new menu option checks with the KeyFocus web site to see if you are running the latest version.

KFSensor Professional version 4.1.0

8 May 2006

Color Coding

  • Each event in the event view is assigned a color based on its protocol and severity.
  • Ports and visitors are assigned a color based on how recent their last activity is.
  • All colors are customizable through the new Event Colors dialog box.

Visitor Rules

  • Quick Create Visitor Rule option added as a right click context menu option on the events view and as a button on the Event Details dialog.
  • Visitor rules have been extended to allow a host computer's DNS name to be specified, instead of just the IP address.
    This is useful when writing a rule to exclude a host that uses dynamic IP allocation.

Multiple IPs

  • The Scenario Change All dialog has been enhanced to make it easier to set up different behaviour for each IP hosted by the machine.

Bug fix

  • Problems logging to a MS SQL Server database have been resolved

KFSensor Professional version 4.0.2

23 January 2006

Network Protocol Analyzer

  • Detects connections to all TCP and UDP ports, even closed ports
  • Detects ICMP messages

Native Listen Type

  • Monitors production software services as part of the honeypot

Improved Port Management

  • All listen definitions associated with a service class
  • Enables whole classes of services to be added or removed from a scenario

Port hiding

  • Little-used ports can now be hidden until an event occurs
  • Makes port interface more manageable

DHCP Sim Server

  • Provides protocol decoding for this important service

Import Events

  • Import events stored in a log file into an ODBC database

KFSensor Professional version 3.0.4

12 July 2005

Signature Engine

  • KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.
  • Fast signature search engine, which has a minimal impact on system performance.
  • Handles thousands of rules
  • String, regular expressions and byte testing rules supported
  • Easy maintenance and updating of new rules from different sources
  • Create new rules directly from an event
  • Export rules in KFSensor or Snort format

New Port and Event Icons

  • Eight different icons to represent different service types
  • Easier to distinguish different types of events

New Event Details Dialog

  • Multi-tabbed Event details dialog
  • Four different information layouts
  • More details available for each event

Easy Scenario Upgrade

  • New dialog to import new sim server and listen definitions
  • Easy to update existing installation with the latest threats

Scanner cloaking

  • Vulnerability scanners attempt to interrogate every open port on a target server
  • It is now possible to specify the maximum number of ports a visitor can connect to before being locked out
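The two port-scan options described in these notes, "Scanner cloaking" (lock a visitor out once it has connected to more than a set number of distinct ports) and the version 4.2 "Event On (Port Scan)" setting (log a port scan event at the same threshold without blocking), share one piece of detection logic: counting distinct ports per visitor. The following is an added example of that logic, written here and not KFSensor's own code; the `PortScanMonitor` class, the log format and the sample connections are all constructed for illustration.

```python
"""Port-scan threshold monitor, added example (not KFSensor's own code).

Models the two behaviours the release notes describe: "Scanner cloaking"
(lock a visitor out once it has touched more than N distinct ports) and
"Event On (Port Scan)" (log a port-scan event at the same threshold but keep
accepting connections). The log format and all names are constructed.
"""
from collections import defaultdict


class PortScanMonitor:
    def __init__(self, max_ports, lock_out):
        self.max_ports = max_ports      # distinct ports a visitor may connect to
        self.lock_out = lock_out        # True: scanner cloaking; False: event only
        self.seen = defaultdict(set)    # visitor -> {(proto, port), ...}
        self.flagged = set()            # visitors that already raised a port_scan event
        self.locked = set()             # visitors refused further connections
        self.events = []                # (kind, visitor, detail) tuples, in order

    def handle(self, visitor, proto, port):
        """Process one connection attempt; return "accept" or "drop"."""
        if visitor in self.locked:
            return "drop"
        ports = self.seen[visitor]
        key = (proto, port)
        if key not in ports:
            # Only a *new* distinct port counts; repeat hits on the same port
            # do not push a legitimate client over the threshold.
            if len(ports) >= self.max_ports:
                if visitor not in self.flagged:
                    self.flagged.add(visitor)
                    self.events.append(("port_scan", visitor, len(ports) + 1))
                if self.lock_out:
                    self.locked.add(visitor)
                    return "drop"
            ports.add(key)
        self.events.append(("connection", visitor, key))
        return "accept"

    def scan_events(self):
        return [e for e in self.events if e[0] == "port_scan"]


# Constructed sample log: "<visitor ip> <proto> <port>" per line.
# 10.0.0.5 walks six distinct ports; 10.0.0.9 only ever hits port 80.
SAMPLE_LOG = """\
10.0.0.5 TCP 22
10.0.0.9 TCP 80
10.0.0.5 TCP 80
10.0.0.9 TCP 80
10.0.0.5 TCP 443
10.0.0.5 TCP 445
10.0.0.5 TCP 3306
10.0.0.9 TCP 80
10.0.0.5 TCP 8080
10.0.0.5 TCP 22
"""


def parse_log(text):
    """Yield (visitor, proto, port) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        visitor, proto, port = line.split()
        yield visitor, proto, int(port)


def run(log_text, max_ports, lock_out):
    """Replay a log through a monitor; return (decisions, monitor)."""
    mon = PortScanMonitor(max_ports, lock_out)
    decisions = [mon.handle(*conn) for conn in parse_log(log_text)]
    return decisions, mon


if __name__ == "__main__":
    for mode in (True, False):
        decisions, mon = run(SAMPLE_LOG, max_ports=4, lock_out=mode)
        print("lock_out=%s decisions=%s" % (mode, decisions))
        print("  port_scan events:", mon.scan_events())
```

With `max_ports=4` the scanning visitor raises exactly one `port_scan` event on its fifth distinct port; in lock-out mode that and every later connection from it is dropped, while in event-only mode all its connections are still accepted and recorded. The visitor that repeatedly connects to a single port never trips the threshold in either mode, which is the property that keeps a busy legitimate client from being mistaken for a scanner.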

CMD Command console - Sim Std Server

  • Emulates the Windows command shell, otherwise known as a DOS box
  • As used by a number of worms to install a rootkit

KFSensor version 2.2.1

6 June 2004

New database format

  • Additional fields to store the accurate number of milliseconds.
    Some database engines cannot store the milliseconds in a date-time field, or round them to the nearest second.
  • New database table to allow easier future upgrades
  • Better compatibility with MySQL
  • See notes below about upgrading to the new format

DOS Attack

  • Connection limits can now be applied on a port by port basis
  • Useful for ports where a high connection rate is expected
See the Edit Listen dialog section for more details.

Visitor Rules

  • Rule conditions can now specify a range on the number of connections made by a visitor
  • An example of how this could be used is to specify that only the first three connections to a particular port will be logged.
See the Edit Visitor Rule dialog and the Visitor Rules sections for more details.

Status bar improvements

  • Displays server state in status bar
  • Displays number of visitors in the status bar
  • Displays number of events currently displayed and the number of events loaded in the status bar

Database upgrade

If you use KFSensor to log to an ODBC database then the database will need to be upgraded before the new version of KFSensor can be operational.

Before installing the new version of KFSensor be sure to make a backup of your KFSensor database.
Also ensure the database engine has plenty of free space on its devices or disk drives as the database upgrade process makes temporary copies of the existing data.

After installing the new version, KFSensor will display an error message when the monitor window is displayed. To upgrade the database:

  1. Select the Log Database menu item from the Settings menu.
  2. Press the Configure button.

This will upgrade your database to the new version.
This may take some time.


KFSensor version 2.1.4

15 February 2004

SOCKS - Sim Std Server

  • Handles protocol negotiation
  • Supports SOCKS 4/4A/5
  • Handles proxy chaining requests
  • Redirects proxy connections to internal emulations
  • Various tricks to fool proxy testing scripts
  • Eight different configuration levels

HTTP Proxy

  • Extension of HTTP emulation to cover HTTP and CONNECT proxying
  • Eight different configuration levels
See the KFSensor Proxy Server Emulation section for more details.

Proxy rules

  • Use an external script to provide logic to determine if a proxy connection should be allowed
  • Process captured spam to produce custom reports
  • Works for all proxy types; SOCKS, HTTP and SMTP relay

New DOS Attack Options

  • Options to enable KFSensor to accept a large number of connections without locking out a visitor or generating too many events
See the DOS Attack Settings section for more details.

MS SQL Server - Sim Std Servers

  • Handles protocol negotiation
  • Decrypts login packets
  • Correctly refuses login requests
  • Handles SQL Server UDP information requests
See the Edit Sim Std Server - SQL Server and Edit Sim Std Server - SQL UDP Server sections for more details.

Load events

  • New option to filter loading of events by port and/or visitor IP.
  • Allows the complete history for a port or visitor to be loaded without loading all events.

Memory conservation

  • KFSensor Monitor has a new option to reduce the amount of RAM it uses
  • Useful when dealing with a large number of attacks

Idle timeout

  • Additional option added to sim std servers to terminate a connection based on time since last activity

Duration

  • New column available in the Events View that displays the total duration of a connection

File selection

  • File browse buttons have been added to all dialogs that request a file or directory name to make selection easier.

Tool bar

  • New buttons for more functionality.

Mail alerts

  • Previous versions would only attempt to send an email alert once and give up if the SMTP server was down or too busy to accept a connection
  • Now KFSensor will keep attempting to send an email for up to 6 hours.
  • Various bug fixes to the SMTP client engine to fix problems when accessing certain SMTP servers.

Event Details Viewer

  • New Export button to save contents to file
  • This is especially useful if you want to process the contents with another application, such as a virus checker

SubSeven Trojan emulation

  • External application which simulates SubSeven trojan horse
  • Now included with the KFSensor installation
See KFSensor Extras for more information.

New license keys

  • Keys extended from 128 to 192 bits.
  • More secure anti-cracking protection

KFSensor version 2.0.1

30 October 2003

Improved Manual

External Console Applications

  • Use languages like C, Perl and Python
  • Operation and logging compatible with the built in Sim Servers
  • Compatible with scripts written for Honeyd
  • Sample scripts included
See the Edit External Console App dialog box for more details.

External Alerts

  • Process all or selected alerts using a custom external application
  • Launch an immediate port scan on the IP address of a visitor to the honeypot
  • Create your own custom event log file
  • Send alerts to a third-party application
  • Use languages like C, Perl and Python
See the External Alerts dialog box for more details.

NBT Sim Std Servers

  • KFSensor can emulate Microsoft's NetBIOS and SMB/CIFS services
  • Insecure file shares are one of the most common and potentially dangerous security vulnerabilities exploited
  • Decodes NBT and SMB packets and logs them in a human readable form
  • Allows worms to upload malicious code to a secure area, for analysis
  • All four NBT services emulated
    • NBT Name Service - UDP 137
    • NBT Datagram Service - UDP 138
    • NBT Session Service - TCP 139
    • NBT SMB Raw - TCP 445
See the Windows networking / NetBIOS / SMB / CIFS section of the Admin Guide for more details.

Database Log Enhancement

  • KFSensor now has the option to save binary data, encoded as text, in a long char or Memo field in the database, which can make for easier external analysis of the database.
See the Database Log dialog box for more details.
