Use the Edit External Console App dialog box to add or edit an external console application definition.
In addition to the internal sim servers KFSensor provides, it has the additional the ability to invoke an external application to simulate a service.
This allows you to develop your own simulated services or use those written by a third party.
The external application must be a console application. That is it must have no user interface and read its input from stdin and write its output to stdout.
KFSensor handles all the socket communications with the visitor. Data received from the visitor is written to the external application's stdin pipe and data is read from the application's stdout pipe and sent to the visitor.
KFSensor monitors the connection to ensure that the visitor does not send more data than permitted and that the visitor does not keep the connection open too long.
KFSensor also logs the traffic in the same way as the internal sim servers so the events are recorded in the same way in the log.
This all makes it very easy to develop a sim server, as there is no need to implement logging or timeout facilities.
However, KFSensor has no control over how the external console processes the data it receives. If there is a buffer overflow vulnerability in the external application then there is the possibility of a security breach.
It is possible to write an external console application in a low level language such a C, but it easier to use a scripting language such as PERL or Python.
It is strongly recommended that the external console application should exit when it detects its stdin pipe has closed.
It can of course exit before that.
If the application does not exit then KFSensor will terminate its process. This should be avoided as Windows does not effectively close all the resources held by a terminated application.
KFSensor contains sample scripts which implement simple services.
You can find descriptions of these scripts and how to configure them and other scripts in the Example External Console Scripts section.
To implement certain services it is necessary to know information such as the visitor's IP address.
KFSensor provides this information via environment variables and by substituting the following command line arguments with the current values.
|Parameter||CL Argument||Env. Variable||Example|
|Sensor IP Address||$ipdst||KFSENSOR_ADDR and HONEYD_IP_DST||192.168.1.10|
|Sensor Port||$dport||KFSENSOR_PORT and HONEYD_DST_PORT||80|
|Visitor IP Address||$ipsrc||VISITOR_ADDR and HONEYD_IP_SRC||192.168.1.10|
|Visitor Port||$sport||VISITOR_PORT and HONEYD_SRC_PORT||3205|
|Number of connections
made by visitor
The simplest way to debug an external console application is to run it directly from a DOS box and type in the input.
To track down problems that only occur when an external console application is used within KFSensor the following feature is provided. When the server's Log Level is set to "7 Debug" in the Server Configuration dialog box, all output the external console sends to the stderr pipe is added to the response field in the event log. N.B. this data is never sent to the visitor.
This is especially useful for debugging a PERL compilation problem as the compiler errors are sent to the stderr pipe.