Edit Sim Std Server - SQL Server
Use the Edit Sim Std Server - SQL Server dialog box to add or edit a SQL Server definition.
A description of what Sim Std Servers are can be found here.
This Sim Std Server emulates Microsoft's SQL Server database system.
The emulation is limited to enabling a visitor to attempt to log onto a database.
The visitor sends their user name and password, which will never be accepted.
MS SQL Server also has an additional UDP service that provides information on the SQL Servers on a network.
See the Edit Sim Std Server - SQL UDP Server section for more details.
The decoded login packet provides a number of interesting fields that can reveal a lot of information about an attacker.
| Field | Example | Description |
|---|---|---|
| TDS version | x71000001 | The version of the TDS protocol being used. TDS is the protocol used by SQL Server. |
| Client version | x07000000 | The version of the SQL protocol being used by the visitor. |
| Time zone | -60 | The time zone of the visitor. This is relative to GMT and gives a good indication of the location of the visitor. |
| MAC | 00 E0 7D DC E4 22 | The physical network address of the visitor. |
| Host | CALI | The NetBIOS name of the visitor's machine. |
| User | sa | The SQL Server account the visitor is attempting to log on as. 'sa' is the standard admin account. |
| Password | secret | The decrypted password the visitor is using to log on with. Repeated attempts against this server may indicate a password dictionary attack. |
| App | osql | The name of the application being used to attack the server. |
| Library | ODBC | The name of the underlying library being used by the visitor. |
| Language | | This will usually be blank, indicating the default language. |
| Database | | The name of the database the visitor is attempting to log on to. This will be blank unless the visitor has used the SQL UDP Server to obtain the database name. |
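The fields in the table above all come from the TDS LOGIN7 packet that a SQL Server client sends when it connects. The following decoder is an added example written for this page; it is not part of KFSensor and does not show how KFSensor itself decodes the packet. It assumes the TDS 7.1 LOGIN7 layout as given in Microsoft's public MS-TDS description (a fixed header followed by offset/length pairs into a UCS-2 string area, a 6-byte client ID, and the SSPI and attach-database pairs), and that the password is obfuscated by nibble-swapping each byte and XORing it with 0xA5. The sample packet is constructed from the example values in the table, not captured from a real client.

```python
"""Decoder for a TDS 7.1 LOGIN7 packet body, the message a SQL Server client
sends to log on. Field layout follows the public MS-TDS description of LOGIN7;
the sample packet is constructed here from the example values in the table
above and is not a captured one."""
import struct

# Fixed header: Length, TDSVersion, PacketSize, ClientProgVer, ClientPID,
# ConnectionID, four one-byte flag fields, ClientTimeZone (signed), ClientLCID.
_FIXED = struct.Struct("<IIIIIIBBBBiI")

# The (offset, length) pairs that follow the fixed header, in wire order.
# Offsets are bytes from the start of the LOGIN7 body; lengths are UCS-2 chars.
_STRING_FIELDS = ("host", "user", "password", "app", "server", "unused",
                  "library", "language", "database")

# Bytes after the pairs: ClientID (6-byte MAC), then SSPI and AtchDBFile pairs.
_HEADER_LEN = _FIXED.size + 4 * len(_STRING_FIELDS) + 6 + 4 + 4   # 86 bytes


def scramble_password(buf: bytes) -> bytes:
    """TDS password obfuscation: swap the nibbles of each byte, then XOR 0xA5."""
    return bytes((((b & 0x0F) << 4) | (b >> 4)) ^ 0xA5 for b in buf)


def unscramble_password(buf: bytes) -> bytes:
    """Inverse of scramble_password: XOR 0xA5 first, then swap the nibbles back."""
    out = bytearray()
    for b in buf:
        b ^= 0xA5
        out.append(((b & 0x0F) << 4) | (b >> 4))
    return bytes(out)


def decode_login7(data: bytes) -> dict:
    """Return the fields a honeypot would log from a LOGIN7 body.

    Every offset/length pair is bounds-checked against the packet's own Length
    field before it is used, so a malformed packet raises instead of the
    decoder reading past the buffer."""
    (length, tds_ver, _pkt_size, client_ver, _pid, _conn_id,
     _f1, _f2, _f3, _f4, tz, _lcid) = _FIXED.unpack_from(data, 0)
    if length < _HEADER_LEN or length > len(data):
        raise ValueError("LOGIN7 Length field is inconsistent with the data")
    fields = {
        "tds_version": f"x{tds_ver:08X}",       # e.g. x71000001 for TDS 7.1
        "client_version": f"x{client_ver:08X}",
        "time_zone": tz,                         # minutes relative to GMT
    }
    pos = _FIXED.size
    for name in _STRING_FIELDS:
        off, chars = struct.unpack_from("<HH", data, pos)
        pos += 4
        if chars and off + 2 * chars > length:
            raise ValueError(f"{name} field runs past the packet length")
        raw = data[off:off + 2 * chars]
        if name == "password":
            raw = unscramble_password(raw)
        fields[name] = raw.decode("utf-16-le")
    fields["mac"] = " ".join(f"{b:02X}" for b in data[pos:pos + 6])
    return fields


def build_login7(host, user, password, app, library, language="", database="",
                 tds_version=0x71000001, client_version=0x07000000,
                 time_zone=-60, mac=bytes.fromhex("00E07DDCE422")) -> bytes:
    """Construct a TDS 7.1 LOGIN7 body (sample input for the decoder)."""
    values = {"host": host, "user": user, "password": password, "app": app,
              "server": "", "unused": "", "library": library,
              "language": language, "database": database}
    pairs, strings = [], bytearray()
    for name in _STRING_FIELDS:
        enc = values[name].encode("utf-16-le")
        if name == "password":
            enc = scramble_password(enc)
        pairs.append((_HEADER_LEN + len(strings), len(enc) // 2))
        strings += enc
    body = bytearray(_FIXED.pack(_HEADER_LEN + len(strings), tds_version, 4096,
                                 client_version, 1234, 0, 0xE0, 0x03, 0, 0,
                                 time_zone, 0x0409))
    for off, chars in pairs:
        body += struct.pack("<HH", off, chars)
    body += mac
    body += struct.pack("<HHHH", 0, 0, 0, 0)   # SSPI and AtchDBFile absent
    body += strings
    return bytes(body)


if __name__ == "__main__":
    packet = build_login7("CALI", "sa", "secret", "osql", "ODBC")
    for key, value in decode_login7(packet).items():
        print(f"{key:>15}: {value!r}")
```

Running the script prints the same field set as the table (host CALI, user sa, password secret, app osql, library ODBC, blank language and database, the time zone and the MAC). The point of the bounds checks is that a login packet is attacker-controlled input: a honeypot decoder should treat every offset and length as untrusted and reject a packet whose pairs point outside its declared length rather than log whatever happens to be in memory.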
There are a number of different tools that can be used to automate different attacks on SQL Servers.
Examples are: sqlpoke, sqlbf and sqldict.
You can find these and more on these web sites:
http://packetstormsecurity.nl/Crackers/indexdate.shtml
http://www.sqlsecurity.com/scripts.asp
Title
- Name
Each Sim Std Server requires a unique name, which is used to identify it.
- Description
A piece of text for notes on what the Sim Std Server aims to support.
- Default Port
Most services have standard ports on which visitors expect to find them.
The default port is TCP 1433.
This is only used as a prompt during configuration of a Listen; a Sim Std Server can be set on any or many different ports.
- Severity
The severity level that events generated by this Sim Std Server will be given.
This can be overridden as part of the Listen configuration.
Options
These settings control how the data is logged.
- Log Detail
This controls how much detail of the decoded packets is recorded.
| Type | Description |
|---|---|
| Basic | Provides a brief summary of the main points of interest in the packet. |
| Normal | Provides more details of the packet. |
| Debug | Provides all the details of the packet. |
- Log decoded packet
If checked, each packet will be decoded and logged in a human-readable format.
- Log raw packet
If checked, the raw binary data of the packet will be logged.
If both this option and the one above are checked, each packet will be logged first in decoded format and then as a binary value.
- Response Delay
This option slows a connection down by adding a delay, in milliseconds, before each response is sent.
This is a good way of slowing down an attack and preventing the honeypot from being overloaded.
Note: Unlike the other time settings, this one is in milliseconds, not seconds.
Related Topics
KF Sensor On-Line Manual Contents