External Alerts

Use the External Alerts dialog box to configure the handling of alerts by external applications.

In addition to the other alerting mechanisms that KFSensor provides, it has the additional ability to invoke an external application to handle an alert event. This allows you to create your own custom log files or to actively respond to an attack.

How it works

The external application must be a console application.
It is handled in the same way as the External Console App feature which allows you to script your own simulated servers.
Read the section describing the Edit External Console App dialog box for more information on the types of application that can be used.

When an event is generated KFSensor checks the External Alert settings to see if there is an active definition that matches the protocol and host port of the event.
If one is found then an external application is launched according to the settings of the External Alert definition.

The Example External Alert Definitions section below provides practical examples of these settings.

To implement a script to process an event it is necessary to access all the details of the event.
KFSensor provides this information via environment variables and by substituting command line arguments with the event values.

Some of these variables are the same as those defined for the External Console App feature.

Parameter CL Argument Env. Variable Example
Sensor IP Address $ipdst KFSENSOR_ADDR and HONEYD_IP_DST
Sensor Port $dport KFSENSOR_PORT and HONEYD_DST_PORT 80
Visitor Domain   VISITOR_DOMAIN hackersrus.com
Visitor IP Address $ipsrc VISITOR_ADDR and HONEYD_IP_SRC
Visitor Port $sport VISITOR_PORT and HONEYD_SRC_PORT 3205
Number of connections
made by visitor
External Alert Name $appid KFSENSOR_APPID external log test
Start Time   KFSENSOR_STARTTIME 2003-09-25 16:13:18:468
End Time   KFSENSOR_ENDTIME 2003-09-25 16:13:27:515
Sensor Name   KFSENSOR_EVENTNAME NBT Session Service
Description   KFSENSOR_EVENTDESC Invalid Packet
Sim Server   KFSENSOR_SIMNAME NBT Session Service
Action   KFSENSOR_ACTION SimStdServer
Number of Received Bytes   KFSENSOR_RECEIVEDBYTES 7
Number of Sent Bytes   KFSENSOR_SENTBYTES 89
Signature ID   KFSENSOR_SIGID $00001000
Signature Message   KFSENSOR_SIGMESS Code Red Attack
Received and response event fields

The received and response fields in an event can be any size and are in binary format.
This data is passed to the scripts stdin pipe and is encoded in base64, allowing it to be easily decoded and assigned to a variable.

Two lines of text will be sent to the external application containing the sent and received bytes in the following format: RECEIVED=<base64>

For example: RECEIVED=Sm9rZXINCg==

is decoded from base 64 into the string:


  • Alerts
    This lists all the external alerts that are defined. Look at the Edit External Alert section for details on what the columns are.
  • Enable
    If unchecked then all External Alerts will be disabled.


Example External Alert Definitions

The example descriptions below contains the field values that need to be entered into the Edit External Alert dialog box.

Example 1 - kflogtest.pl

KFSensor ships with an example External Alert script named kflogtest.pl

The script is located in the directory:
C:\Program Files\KeyFocus\KFSensor\files\scripts

Your own scripts can be located in any directory on the local hard drive.

The example scripts is written in PERL. In order to use these scripts you will need to install a copy of PERL.

This script creates a text file for each event it processes, using the event id to create a unique file name.
It illustrates the techniques for extracting all the event information from its environment and stdin.

The following definition will run the script for every event, unless a more specific external event is defined.

Note: It is important to include the quotes in the Argument field as PERL does not like a space in a path name.

Field Value
NameExternal Log Test
Sensor Port 
Application PathC:\Perl\bin\perl.exe
Arguments"C:\Program Files\KeyFocus\KFSensor\files\scripts\kflogtest.pl" $eventid
Working directoryC:\kfsensor
Add Data to StdinChecked
First conn. onlyUnchecked

Example 2 - Scan SMTP Visitors

The second example uses a command line scanner to launch a port scan on any visitor who opens a connection to KFSensor SMTP sim server on port TCP 25.

The definition restricts the numbers of scans to one per visitor and outputs the results in a text file, which is given a unique name using the event id, to make cross referencing easier.

The scanner used in this example is ScanLine, which is provided free by FoundStone, at URL http://www.foundstone.com/.

Any other command line security tool could be used in a similar way.
If you would like to run several such tools, then write a PERL script to launch them all.

Field Value
NameScan SMTP Visitors
Sensor Port25
Application PathC:\securitytools\sl.exe
Arguments-b -o exlogscan$eventid.txt -t 1-65535 $ipsrc
Working directoryC:\kfsensor
Add Data to StdinUnchecked
First conn. onlyChecked

Related Topics

KFSensor On-Line Manual Contents