KFSensor

A Windows-based honeypot Intrusion Detection System (IDS)
KFSensor acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.

KFSensor is designed for use in a Windows based corporate environment and contains many innovative and unique features such as remote management, a Snort compatible signature engine and emulations of Windows networking protocols.

With its GUI based management console, extensive documentation and low maintenance, KFSensor provides a cost effective way of improving an organization’s network security.

KFSensor is an easy to configure and install application. It takes just five minutes to set up and become operational. No special hardware is required and its efficient design enables it to run even on low specification Windows machines.

Its straightforward Windows interface controls all functionality. There is no need to edit complex configuration files and it comes pre-configured with all the major systems services required.

KFSensor works by simulating system services at the highest level of the OSI Network Model – the application layer. This enables it to make full use of Windows security mechanisms and network libraries, reducing the risk of detection and compromise by not introducing additional drivers and custom IP stacks. A machine running KFSensor can be treated as just another server on the network, without the need to make complex changes to routers and firewalls.

KFSensor provides immediate benefits in revealing the nature and quantity of attacks on a network. By consolidating all the network traffic of an attack into a single alert KFSensor makes it easy to explain a security threat to non-specialist staff.

The information KFSensor generates can be used to refine firewall rules and produce new signatures for network intrusion detection systems.

KFSensor is an extremely cost effective way of enhancing network security infrastructure.

Here are some key features of “KFSensor”:

Advanced Features

· Monitors every port
KFSensor Professional monitors attacks on every TCP and UDP port, as well as detecting ICMP or ping messages. It also monitors all network activity of native Windows server applications, allowing these to act as part of a honeypot configuration.
· Remote administration
KFSensor Enterprise Edition contains the ability to manage and monitor multiple honeypot installations. Events from different sensors across the network are concatenated in real time allowing an immediate view of attacks as they happen.
KFSensor uses 3072 bit RSA public/private key authentication and 256 bit AES encryption to provide the top of the range security for communication between sensors.
· IDS signature engine
KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.
Its fast signature search engine has a minimal impact on system performance and can handle thousands of rules.
It is easy to update the rulebase with new rules from different sources and to create new rules directly from an event.

Service Emulation

KFSensor, the Windows honeypot server system, features a number of different types of emulation, both simple and complex. These can even be extended by the use of custom scripts.
· Flexible configuration
KFSensor can emulate different services on multiple ports and on different host IP addresses. It is possible to run any emulation on any port.
· Multiple scenarios
Different honeypot scenarios can be defined, containing different port and service configurations. It is easy and quick to switch between scenarios while the system is running.
· Port listening
The most basic type of trap: it holds open a port, reads the data sent to it and records the event. Most useful in detecting worms.
· Banner
More sophisticated than a port listener, the Banner is able to display either a service prompt or an error message. Although limited in its capabilities, the Banner has the advantage of being very easy to configure by a novice user.
· Command console
Emulates the Windows command shell, otherwise known as a DOS box. A number of worms bind CMD.EXE to a listening TCP port.
· HTTP
This is a fully working web server that correctly emulates Microsoft’s IIS web server. It handles the more obscure aspects such as range requests and client side cache controls.
· SMTP
The Simple Mail Transfer Protocol emulation is capable of acting as an open relay server, the perfect trap for hackers looking for a target to relay spam.
· Windows networking / NetBIOS / SMB / CIFS
KFSensor can emulate all four of Microsoft’s NetBIOS and SMB/CIFS services. Insecure file shares are one of the most common and potentially dangerous security vulnerabilities exploited. KFSensor decodes NBT and SMB packets and logs them in a human readable format and even enables worms to upload malicious code to a secure area, for later analysis.
· SOCKS
KFSensor supports the SOCKS 4/4A/5 protocols and can be configured with eight levels of emulation behaviour. SOCKS servers are frequently used to relay spam and to launch attacks on other servers. KFSensor contains advanced deception technology that allows spammers to believe their mail is getting through whilst secretly blocking mail from being relayed.
· MS SQL Server
Supports both TCP and UDP SQL Server ports and can capture passwords used in intrusion attempts.
· FTP
File Transfer Protocol emulation.
· POP3
Post Office Protocol emulation.
· Telnet
Telnet server emulation.
· Terminal Server
Terminal Server is a Microsoft application that allows remote users to log on to a server.
· VNC
VNC is a cross platform remote control application. The emulation allows hackers to attempt to log on, but rejects all passwords.
· Relay
A Relay server is used to allow visitors to access a service running on another machine.
· External
It is possible to write your own simulations in languages such as Perl or C. KFSensor is also compatible with scripts written for Honeyd.

Events

Sophisticated emulations of services are not in themselves enough to make a honeypot into a useful security tool. Detailed logging of all attacks is required and in this KFSensor excels.
· Event details
All the network traffic that makes up a connection is concatenated into a single event, countering the problem of message fragmentation. As well as recording items such as the start and end time of an attack and the visitor’s IP address and port, all the data transferred both to and from the honeypot is recorded.
· Configurable display columns
The interactive event list can be configured from any combination of the thirty possible column types available.
· View by port
KFSensor’s Explorer-type interface includes a port tree structure that color codes ports depending on how recently they have been attacked. Selecting a port automatically filters the events to show only those targeted at that port.
· View by visitor
The port view can be exchanged to a tree of visitors. This allows the events to be filtered to just show those events from a particular visitor.
· Severity
Each event is assigned a severity. The severity allows more serious attacks to be identified by color coding, and different actions can be linked to different severities. For example, an email alert may only be sent for a high severity event.
· Alerts
In order to inform you when an intrusion occurs KFSensor supports a number of different mechanisms to alert you. These can be configured to only activate when a specified severity is detected.
· System tray alerts
KFSensor provides a visual alert by displaying an alarm icon in the system tray at the bottom right of the Windows desktop.
This flashes either yellow or red when an alert is detected.
· Audio alerts
KFSensor can play a customizable alert sound when an event occurs.
· EMail alerts
KFSensor can send alerts via email. There are two different formats of email alert message: short and long. The short format provides minimal information on an event and is suitable for sending to a portable device, while the long format provides much more detailed information and is suitable for a normal email client.
· SysLog alerts
KFSensor can send alerts to a UNIX SysLog server.
· Event log alerts
KFSensor can send alerts to the local machine’s Event Log, enabling it to be detected by third party event monitoring software.
· External application alerts
KFSensor provides the ability to invoke an external application to handle an alert event. This flexible feature can have many different uses such as:
1. Creating your own custom event log file
2. Launching an immediate port scan on the IP address of a visitor to the honeypot
3. Sending alerts to a third party application

Other Features

· Denial Of Service (DOS) attack protection
KFSensor is equipped with several mechanisms to counter DOS attacks.
· Scenario rules
It is possible for KFSensor to react differently depending on the IP address of a visitor. For example rules can be defined which cause the server to ignore requests from certain sources or to increase the severity of an alert.
· Database integration
KFSensor can optionally store events into an ODBC SQL based database. As well as improving the system’s performance, it also has the advantage that you can create your own custom reports using any database tool.
· Export logs in multiple formats
Events can be exported to file in the following formats: XML, HTML, tab separated and CSV.
· Systems service
KFSensor runs as a systems service, allowing it to start before a user has logged on.
· Secure configuration
KFSensor has been designed according to the least privilege principle. Unlike most other products, KFSensor does not need Admin or root privileges to function. By taking advantage of Windows native security mechanisms, the host machine can be secured against any possible compromise of the KFSensor system.
· High integrity version
KFSensor is available in a special high integrity version, which has the potentially most risky honeypot features compiled out. This makes it suitable for use in the most security sensitive areas of an organisation.
· Extensive Documentation
Detailed help documentation is available for all aspects of the product and there is a detailed guide on how to configure and get the best out of the product.

Requirements:

Minimum requirements
· Suitable for use on an internal network.
· Processor 1 GHz
· 30 MB hard disk space
· 128 MB RAM
· 1 LAN card
· Western European language keyboard

Recommended requirements
· Suitable for a system exposed to the Internet.
· Processor 1.5 GHz or greater
· 500 MB hard disk space
· 512 MB RAM
· SQL Database, e.g. MS SQL Server, MySQL
· 1 LAN card and/or direct internet connection
· Western European language keyboard

Limitations:

· 14-day trial

What’s New in This Release:

· MySql Server – Sim Std Servers: Handles protocol negotiation
· MySql Server – Sim Std Servers: Decrypts packets
· MySql Server – Sim Std Servers: Allows visitor to browse database schemas
· WinPcap: KFSensor now supports WinPcap version 4.0.
· Ignore broadcasts: The visitor rules can now take the sensor IP address as a condition
· Ignore broadcasts: This allows rules to be written specific to the broadcast address.
· Ignore broadcasts: e.g. ignore all UDP broadcasts on a particular port.
· Increased session limits
· Reduced memory requirements
