KFSensor


Visitor rules

It is possible for KFSensor to react differently depending on the IP address of a visitor and on the number of connections made by each visitor.
Each scenario can contain an unlimited number of rules, which define the actions to take.

The rules are defined using the Visitor Rule dialog box which can be accessed by the Rules button in the Edit Scenario dialog or the Edit Active Visitor Rules menu option in the Scenario Menu.

Rule conditions

A rule is triggered if its conditions are met.
Each rule can have the following conditions defined: a host DNS name, an IP address or IP address range, the transport protocol and the sensor port number. An optional range for the number of connections made to the specified port can also be set.

When a connection occurs that meets the conditions of several rules, KFSensor will pick one rule.
The rule with the most specific conditions will be chosen, according to the following priorities:

  • A rule with a host DNS name will always have priority over a rule with an IP range.
  • A rule with a single IP will always have priority over a rule with an IP range.
  • A rule with a specific port will have priority over a rule which applies to all ports.
  • A rule with a specific protocol will have priority over a rule which applies to all protocols.

Rule actions

There are three possible actions that can be taken by a rule:

1. Close

KFSensor will close the connection immediately without sending a response.

2. Ignore

KFSensor will not log an event for the connection.
The Close and Ignore actions can be used together.

3. Set Severity

The severity of the event generated by the connection will be set to the one specified in the rule. This overrides the severity defined by the listen definition.

How rules can be used

The following examples show how rules can be used to achieve specific purposes.

1. Increase severity for internal attacks

Attacks originating from inside the organization can be considered more severe than those from the Internet.

Rule Conditions  
First IP 192.168.1.1
Last IP 192.168.1.255
Protocol Any
Port Any
Min Connections  
Max Connections  
Rule Action  
Close False
Ignore False
Set Severity High

2. Ignore legitimate traffic

A trusted machine may be generating SQL Server broadcast messages. Events from this machine to port 1434 can be ignored with this rule.

Rule Conditions  
First IP 192.168.2.10
Last IP  
Protocol UDP
Port 1434
Min Connections  
Max Connections  
Rule Action  
Close False
Ignore True
Set Severity No Change

3. Hide from vulnerability scanners

If vulnerability scanners are being used as part of a security audit, they will generate alerts both on KFSensor and on the scanner itself. A rule can be used to stop KFSensor responding to a specified IP address.

Rule Conditions  
First IP 192.168.1.50
Last IP  
Protocol Any
Port Any
Min Connections 
Max Connections 
Rule Action  
Close True
Ignore False
Set Severity No Change

4. Only log the first three events

Some visitors can make a very large number of connections to a particular port. This practical example uses a rule to control the actions taken for a visitor that makes repeated connections to UDP port 137, the NBT name service. Only the first three connections will be logged.

In the case of UDP 137 it is also useful to specify a separate max connection limit for this port. See the Edit Listen dialog for more details.

Rule Conditions  
First IP 0.0.0.0
Last IP 255.255.255.255
Protocol UDP
Port 137
Min Connections 4
Max Connections 
Rule Action  
Close False
Ignore True
Set Severity No Change
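The rule matching and priority logic described under "Rule conditions", applied to the four example rules above, modelled in Python as an added example (this is not KFSensor's own code). The Rule fields, handle() and the "Medium" listen severity are assumptions made for the example; the rule values are the ones on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One visitor rule: conditions (None = not set / Any) and actions."""
    first_ip: Optional[str] = None
    last_ip: Optional[str] = None      # None with first_ip set = single IP
    host: Optional[str] = None         # host DNS name condition
    protocol: Optional[str] = None     # "TCP", "UDP" or None = Any
    port: Optional[int] = None         # None = Any
    min_conn: Optional[int] = None     # connection-count range, inclusive
    max_conn: Optional[int] = None
    close: bool = False
    ignore: bool = False
    severity: Optional[str] = None     # None = No Change

    def matches(self, ip, host, proto, port, count):
        if self.first_ip:
            lo = ipaddress.ip_address(self.first_ip)
            hi = ipaddress.ip_address(self.last_ip or self.first_ip)
            if not lo <= ipaddress.ip_address(ip) <= hi:
                return False
        return ((self.host is None or self.host == host)
                and (self.protocol is None or self.protocol == proto)
                and (self.port is None or self.port == port)
                and (self.min_conn is None or count >= self.min_conn)
                and (self.max_conn is None or count <= self.max_conn))

    def specificity(self):
        # Priority order from the manual: DNS name, single IP over range,
        # specific port over Any, specific protocol over Any.
        return (self.host is not None, self.first_ip is not None and self.last_ip is None,
                self.port is not None, self.protocol is not None)

def handle(rules, ip, proto, port, count, host=None, listen_severity="Medium"):
    """Decide (close, log_event, severity) for the count-th connection from ip."""
    hits = [r for r in rules if r.matches(ip, host, proto, port, count)]
    if not hits:
        return (False, True, listen_severity)
    chosen = max(hits, key=Rule.specificity)   # exactly one rule is applied
    return (chosen.close, not chosen.ignore, chosen.severity or listen_severity)

# The four example rules from this page
RULES = [
    Rule("192.168.1.1", "192.168.1.255", severity="High"),
    Rule("192.168.2.10", protocol="UDP", port=1434, ignore=True),
    Rule("192.168.1.50", close=True),
    Rule("0.0.0.0", "255.255.255.255", protocol="UDP", port=137, min_conn=4, ignore=True),
]
```

Note that because only one rule is applied, a scanner at 192.168.1.50 gets the single-IP Close rule and not the High severity of the surrounding range rule.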


KFSensor On-Line Manual Contents