The KFSensor Reports module provides a range of reports and graphs that can be used analyse many different aspects of the attacks facing an organization. The reports are particularly useful in highlighting patterns of attacks the are only identifiable over time.
The sections below describe how to access the reports, what the reports do and how to customise the reports to your needs.
To access the KFSensor Reports user the 'View -> Reports' menu item, or press the graph button on the tool bar. Alternatively bookmark the web address in your browser: http://127.0.0.1:8351/
KFSensor reports are available in both Professional and Enterprise editions. In the Enterprise edition there are additional reports which allow different sensors to be compared and there is a sensor filter, to enable events from only one or more sensors to be shown.
KFSensor Reports are only accessible on the same machine that KFSensor is running on. The reason for this is that there is no security encryption or authentication built into the Reports Module. This is the first version of this module and in future releases secure means of enabling remote access will be added.
The Reports Module uses the capabilities of an SQL database to perform the calculations needed for the reports. It is therefore necessary to configure KFSensor to use a database.
The KFSensor Reports home page lists all the reports available in the system.
The reports are grouped by the main purpose and what it is that the measure.
The Top Ports reports show which ports have received the most attacks. This helps identify the biggest type of attack on your network.
The totals are calculated across the whole time period of the report and so may be misleading about what is the biggest current threat.
As with other reports the time period used for the calculations can be configured using the filter. See the section below for more information.
Out of the two reports available the 'Top ports by number of visitors' report provides the fairest comparison. This is because certain services are subject to dictionary attacks where an attacker makes repeated calls to try different passwords, generating many events. This report will record this as just one attack.
Each report contains a set of filters that control which events are selected for the report. This enables the reports to be customised to suit a specific investigation. For example by applying the domain filter to 'Events by day' report then the activity from one host can be seen over time.
|Time Period||Controls which days are included in the report. This can either be a relative period suchas the last 7 days, or can be a specified period between two given dates.|
|Protocols to include||Only events with the selected protocols will be included.|
|Ports||Filters the events based on the sensor port number. One or more port numbers may be given. Use a comma to separate them.|
|Visitor IPs||Filters the events based on the visitor's IP address. One or more IPs may be given. Use a comma to separate them.|
|Domain||Filters the events based on the visitor's domain name. Only one domain name may be specified, but the filter it assumes a wild card. e.g. '.tw' will include all visitors whose domain contains .tw|
|Sensors||In KFSensor Enterprise this allows events to be filtered by the sensor that recorded them.|
|Use local time zone||If selected the report calculates the daily totals based on the users local time zone. This will mean that different users in different time zones will receive differing totals. Also the system does not take into account historical changes to summer/winter time, which can make a small difference when showing a chronological report whose period crosses a winter/summer time change. If this option in unchecked then the report is calculated using UCT which never alters.|