KFSensor has a number of different features, many of which are not enabled by default.
The default configuration errs on the side of caution, which often prevents the more interesting attacks from being fully explored.
In order to get the best out of the product you will need to configure it to meet your needs.
If you have not already done so, now is a good time to read the KFSensor Concepts section.
It will provide you with a detailed explanation of the principles behind Honeypot technology and how KFSensor works.
You may see that some ports in the Ports View are marked as being in Error.
See the Correcting Port Errors section of this guide for details on how to fix these.
Windows auditing required by KFSensor is not enabled by default and needs to be configured. See the Windows Audit configuration section for more details.
Import the latest signature rules. See the Signature Maintenance section for more details.
In order to inform you when an intrusion occurs KFSensor supports a number of different alert mechanisms.
Each of the alert mechanisms is optional. You should configure the ones that are appropriate for you.
See the Alerts section of the concepts guide for more details.
There are certain circumstances in which you will want to disable KFSensor for certain visitors, such as for your organization's vulnerability scanner, or to cut down on the number of events generated.
KFSensor provides a mechanism for doing this. See the Visitor Rules section of the concepts guide for more details.
The KFSensor Server is very fast at responding to visitors.
On a reasonably quick internet connection the server can easily handle several million requests per hour.
This would not pose a problem for the server itself, but it would cause the logs to grow to be very large.
KFSensor includes a special feature to mitigate DoS attacks against it.
The default settings may need to be adjusted to suit your circumstances.
See the DOS Attack Settings dialog box for more details.
Each of the Sim Std Servers has a number of different possible configurations and settings.
For example:
KFSensor provides a working emulation of Microsoft's IIS web server.
By default only one web page is installed with KFSensor, the standard "Under Construction" page.
This will not keep a hacker interested for long.
Create your own dummy web site containing HTML and image files with a tool like MS Front Page and copy the files into the directory:
C:\Program Files\KeyFocus\KFSensor\files\iis\wwwroot
This will be far more interesting to a hacker, especially if the dummy web site appears to contain confidential material.
See the Edit Sim Std Server - HTTP dialog box for more details.
The SMTP emulation is capable of relaying a limited number of email messages back to a hacker's email address. Spammers who search for SMTP servers with open relay enabled tend to send themselves a test message to ensure the server is working before attempting to use it to send out spam en masse.
This is a potentially risky feature and must be purposely enabled. See the Edit Sim Std Server - SMTP dialog box for more details.
KFSensor may not contain all the functionality you require out of the box.
You may wish to emulate a custom server application developed in-house, or to integrate KFSensor alerts with your own security system.
KFSensor can be extended by calling external programs or scripts to meet any of these requirements. Scripts can be developed quite easily using languages such as Perl.
See the External Alerts and the Edit External Console App sections of the manual for more details.