Use the External Alerts dialog box to configure the handling of alerts by external applications.
In addition to the other alerting mechanisms that KFSensor provides, it has the additional ability to invoke an external application to handle an alert event. This allows you to create your own custom log files or to actively respond to an attack.
The external application must be a console application.
It is handled in the same way as the External Console App feature which allows you to script your own simulated servers.
Read the section describing the Edit External Console App dialog box for more information on the types of application that can be used.
When an event is generated KFSensor checks the External Alert settings to see if there is an active definition
that matches the protocol and host port of the event.
If one is found then an external application is launched according to the settings of the External Alert definition.
To implement a script to process an event it is necessary to access all the details of the event.
KFSensor provides this information via environment variables and by substituting command line arguments with the event values.
Some of these variables are the same as those defined for the External Console App feature.
|Parameter||CL Argument||Env. Variable||Example|
|Sensor IP Address||$ipdst||KFSENSOR_ADDR and HONEYD_IP_DST||192.168.1.10|
|Sensor Port||$dport||KFSENSOR_PORT and HONEYD_DST_PORT||80|
|Visitor IP Address||$ipsrc||VISITOR_ADDR and HONEYD_IP_SRC||192.168.1.10|
|Visitor Port||$sport||VISITOR_PORT and HONEYD_SRC_PORT||3205|
|Number of connections
made by visitor
|External Alert Name||$appid||KFSENSOR_APPID||external log test|
|Start Time||KFSENSOR_STARTTIME||2003-09-25 16:13:18:468|
|End Time||KFSENSOR_ENDTIME||2003-09-25 16:13:27:515|
|Sensor Name||KFSENSOR_EVENTNAME||NBT Session Service|
|Sim Server||KFSENSOR_SIMNAME||NBT Session Service|
|Number of Received Bytes||KFSENSOR_RECEIVEDBYTES||7|
|Number of Sent Bytes||KFSENSOR_SENTBYTES||89|
|Signature Message||KFSENSOR_SIGMESS||Code Red Attack|
The received and response fields in an event can be any size and are in binary format.
This data is passed to the scripts stdin pipe and is encoded in base64, allowing it to be easily decoded and assigned to a variable.
Two lines of text will be sent to the external application containing the sent and received bytes in the following format:
is decoded from base 64 into the string:
The example descriptions below contains the field values that need to be entered into the Edit External Alert dialog box.
KFSensor ships with an example External Alert script named kflogtest.pl
The script is located in the directory:
Your own scripts can be located in any directory on the local hard drive.
The example scripts is written in PERL. In order to use these scripts you will need to install a copy of PERL.
This script creates a text file for each event it processes, using the event id to create a unique file name.
It illustrates the techniques for extracting all the event information from its environment and stdin.
The following definition will run the script for every event, unless a more specific external event is defined.
Note: It is important to include the quotes in the Argument field as PERL does not like a space in a path name.
|Name||External Log Test|
|Arguments||"C:\Program Files\KeyFocus\KFSensor\files\scripts\kflogtest.pl" $eventid|
|Add Data to Stdin||Checked|
|First conn. only||Unchecked|
The second example uses a command line scanner to launch a port scan on any visitor who opens a connection to KFSensor SMTP sim server on port TCP 25.
The definition restricts the numbers of scans to one per visitor and outputs the results in a text file, which is given a unique name using the event id, to make cross referencing easier.
Any other command line security tool could be used in a similar way.
If you would like to run several such tools, then write a PERL script to launch them all.
|Name||Scan SMTP Visitors|
|Arguments||-b -o exlogscan$eventid.txt -t 1-65535 $ipsrc|
|Add Data to Stdin||Unchecked|
|First conn. only||Checked|