KFSensor

 

New features in this release

KFSensor Enterprise version 5.4.3

26 October 2018

Automatic monitoring of opened ports

  • If another application has opened a port that KFSensor plans to open, KFSensor will automatically listen to the traffic on that port. In previous versions this had to be done manually by changing the port's type setting to 'Native' in the KFSensor scenario dialog box. The advantage of doing this automatically is that it reduces the amount of configuration needed and makes it easier to use the same configuration on multiple sensors.

Scenario distribution

  • Making changes to all remote sensors at the same time is now fully automated. In previous versions it was possible to make changes to the visitor rules and signatures and have the changes automatically distributed to each of the remote sensors. In the new version changes to port definitions are also automatically distributed. This makes administration much more straightforward, as changes need only be made once in the administrator installation and all remote sensors will be automatically updated to match its configuration.
  • It is still possible to have each sensor configured differently, or to only update certain sensors centrally and leave another group to be configured individually.
  • This is done using the name of the active scenario. If the remote sensor is using the same scenario name as the administrator installation, the remote sensor will be updated with any changes made to the scenario on the administrator installation. The default scenario is 'Main Scenario', so unless this has been changed on a remote sensor this feature will be enabled by default.
  • To enable automatic distribution of configuration changes to remote sensors, 'Full Enterprise Mode' needs to be enabled. See the Settings -> Full Enterprise Mode menu option. The check box 'Distribute Scenario' enables this feature.

Bug fixes

  • Fix for memory issues when importing into the database.
  • Fix for problems with registration on non-English keyboards.
  • fix for 'This app is preventing you from restarting' warning in Windows 10

KFSensor Enterprise version 5.3.1

12 September 2017

Qradar LEEF Format Support

  • KFSensor can be configured to forward events to IBM Qradar in LEEF format. This streamlines and simplifies the integration of KFSensor with IBM Qradar.
  • Log Event Extended Format (LEEF) is a log format designed for entering data into the Qradar system.
  • Setting up KFSensor to integrate with Qradar is simply a matter of opening the SysLog Alerts menu option, entering the Qradar server IP address and selecting Qradar LEEF as the alert format.

Npcap support

  • For many years KFSensor has made use of the industry standard WinPcap network packet capturing library. Unfortunately WinPcap is no longer being maintained. It is reliable for older versions of Windows, but can be difficult to install on versions of Windows 10.
  • KFSensor now supports Npcap. This is based on WinPcap, with an updated codebase to support the latest Windows APIs. It is recommended for use on Windows 10.
  • Both WinPcap and Npcap can be installed on the same machine. If both are installed on the same machine then KFSensor will pick Npcap in preference to WinPcap.
  • If WinPcap is working on an existing KFSensor host then there is no need to install Npcap. Future versions will take advantage of additional features of Npcap, so it is recommended to choose Npcap for new installations unless KFSensor is being used on an older Windows version.

Improved Sensor Synchronization

  • The event synchronization between KFSensor collator and remote sensors has been improved to cope better with errors that can arise from sensor re-installations and other issues. This results in automatic correction of problems that previously needed a manual reconfiguration.

KFSensor Enterprise version 5.2.4

1 December 2016

This release contains three new features requested by users. Considerable development work has also been done to improve the stability of the system in response to a number of issues raised by users. This has led to bugs being identified and fixed.

New features

Full HTTPS support

The KFSensor HTTP simulated server now supports HTTPS as well as HTTP. This allows visitors to interact with TCP port 443 using encrypted TLS traffic as they would expect on that port.

KFSensor will dynamically generate a self-signed certificate for use by the HTTPS simulated service. It is also possible for the simulated server to use a real certificate that has been added to the local Windows certificate store.

To add this feature to an existing installation, follow the steps below.

Admin action logging

Actions and configuration changes made by an administrator are now recorded in the KFSensor Monitor log file for auditing purposes.

The log files can be found using this search pattern.
C:\kfsensor\logs\sensmon_*.log

The log entries start with "Configuration changed:" and provide the date, user name and the configuration setting changed.

Signatures - filter on description & type

The signature engine has been enhanced to enable it to match special types of packets that could not previously be identified. For example, scan packets that do not contain any content can now be detected. This is useful to ignore legitimate servers that can send out unexpected packets, for example web proxies.

Bug Fixes

Memory leak

A memory leak in the monitor and the collator modules resulted in an excessive amount of system resources being allocated after a prolonged period of use. Now that the issue has been fixed, both modules have much lower memory requirements.

Monitor dropping connections

The Enterprise collator would very occasionally drop its connection to a sensor and fail to re-establish the connection.

Faster pick up of reconfiguration

The Enterprise collator now picks up changes made to a sensor's scenario settings much faster than it did in previous versions.

KFSensor Enterprise version 5.1.0

3 June 2016

Improved Stealth Scan detection

Stealth scans cover a range of techniques used by hackers and pen testers to identify hosts, fingerprint OS versions and determine which ports are open on a host. These techniques involve sending non-standard network packets or non-standard packet sequencing to gain a response from a host without establishing a full connection. These are rarely recorded in system log files and can evade detection by certain security products such as firewalls. nmap is the most popular stealth scanning tool.

KFSensor's detection of stealth scans has been improved in the following ways:

New Event type - Scan

When a network event can be positively identified as a scan then the event is assigned the event type "Scan". Previously these would have been recorded as type "Connection". An event with the type Scan is a much clearer indicator of malicious activity than a connection.

nmap Options decoded

Where possible a scan is decoded to show the nmap option that matches the scan technique. The event's Description field contains the matching nmap command line option.

The following options are individually identified:

  • nmap -sS
  • nmap -sN
  • nmap -sF
  • nmap -sX, Xmas scan
  • nmap -sM
  • nmap -sA
n.b. Other security tools and malware may implement the same techniques. The events from these will still be identified using the nmap option as that is the standard scanning tool.
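
The flag patterns behind these options, as an added example that is not KFSensor code: the classifier below reads the TCP flags byte from each header in a flow and names the matching nmap option, using the flag combinations nmap documents for each scan type. The flow record layout, the function names and the sample headers are constructed for illustration.

```python
import struct

# TCP flag bits, held in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags carried by the first probe packet of each scan type.
# A bare SYN is absent: it also opens every normal connection, so it only
# counts as a scan when the handshake is torn down (see classify_flow).
PROBE_FLAGS = {
    0: "nmap -sN",                # Null scan: no flags set
    FIN: "nmap -sF",              # FIN scan
    FIN | PSH | URG: "nmap -sX",  # Xmas scan
    FIN | ACK: "nmap -sM",        # Maimon scan
    ACK: "nmap -sA",              # ACK scan: ACK with no session behind it
}


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13] & 0x3F  # drop ECE/CWR, which scans do not depend on


def classify_flow(packets):
    """Classify one visitor/port flow.

    packets: list of (direction, tcp_header_bytes) in arrival order, where
    direction is "in" (visitor to sensor) or "out" (sensor to visitor).
    Assumption: the first entry is the first packet seen from this visitor
    on this port, so no earlier session explains it.
    Returns (event_type, description) using the event type names above.
    """
    flow = [(direction, tcp_flags(header)) for direction, header in packets]
    if not flow or flow[0][0] != "in":
        raise ValueError("flow must start with a packet from the visitor")
    first = flow[0][1]
    if first in PROBE_FLAGS:
        return ("Scan", PROBE_FLAGS[first])
    if first == SYN:
        synack_sent = False
        for direction, flags in flow[1:]:
            if direction == "out" and flags == (SYN | ACK):
                synack_sent = True
            elif direction == "in" and synack_sent:
                # Half-open scan: the visitor resets instead of completing
                # the three-way handshake.
                if flags & RST:
                    return ("Scan", "nmap -sS")
                break
    # Anything not positively identified stays a plain connection.
    return ("Connection", "")


def make_header(flags: int, sport: int = 40000, dport: int = 445) -> bytes:
    """Build a constructed 20-byte TCP header for the samples below."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = {
    "half_open": [("in", make_header(SYN)), ("out", make_header(SYN | ACK)),
                  ("in", make_header(RST))],
    "handshake": [("in", make_header(SYN)), ("out", make_header(SYN | ACK)),
                  ("in", make_header(ACK))],
    "closed_port": [("in", make_header(SYN)), ("out", make_header(RST | ACK))],
    "xmas": [("in", make_header(FIN | PSH | URG)), ("out", make_header(RST | ACK))],
    "null": [("in", make_header(0))],
    "maimon": [("in", make_header(FIN | ACK))],
    "lone_ack": [("in", make_header(ACK)), ("out", make_header(RST))],
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, classify_flow(flow))
```

A SYN answered by a reset from a closed port is left as a Connection here, because the exchange alone does not show whether the sender would have completed the handshake.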

Port Scan changed to Multi-port Scan

In previous versions a 'Port Scan' referred to an attacker connecting to many different port numbers. This type of activity has been renamed a 'Multi-port Scan', to better describe it and to distinguish it from the new Scan event type.

Reports

New reports

Two new reports have been added that enable analysis of the new scan event type:

  • Top visitor by scan attacks
  • Scan attacks by day

Better error reporting

The previous version would only show "Report Loading..." when a problem occurred. In the new version an error message will be displayed.

Longer time outs

The report loading timeout has been increased from 10 to 60 seconds to cope with slow servers and large data sets.

Fix for missing days in charts

In the previous version chronological charts only contained data points for days that contained data and not for days that contained zero data. The lines drawn between data points would then be misleading as they would skip over the days with zero data. The new version adds data points for all days, so the lines match the data.

Updating indicator

A spinner indicator has been added to the Update button on the report filter to show that a report is being updated.

Better support for MySQL

The new version contains better handling of MySQL connection timeouts. In the previous version the service would need to be restarted after several hours.

KFSensor Enterprise version 5.0.1

18 May 2016

Reports and Graphs

KFSensor has a new reporting module that provides a variety of reports for advanced data analysis.

Sensor Status Information

To aid the management and administration of KFSensor installations each sensor now records a set of status data. This data provides useful information on the sensor itself and on its host machine. This is particularly useful when administering a large number of sensors, but is still useful with only a single installation.

A new user interface panel has been added below the port tree, in the bottom left of the window to display the sensor status information.

Examples of the Sensor Status Information are how long the sensor has been running for, the list of the host’s IP addresses and the amount of free disk space.

Digital Signatures

All KFSensor modules and installation files are now digitally signed with a code signing certificate. This enables users to ensure that their copy of KFSensor is genuine and has not been tampered with. Our publisher name is “KeyFocus Ltd.” and that is the name used in the certificate.

Other Fixes

A number of minor fixes and improvements have been made to the system, in particular with the way the collation and logging modules handle larger data sets.

KFSensor Enterprise version 4.12

13 November 2015

More Listen definitions

24 more ports have been added to the standard configuration in this release. These have been identified as being popular targets for scanning and exploitation. They include new Trojans and new services increasingly found on networks such as Mongo and Minecraft.

Packet Data storage management

The management of packet data storage has been improved to enable the automatic deletion of old packet data. This ensures that the total packet data stored by KFSensor will not exceed a maximum size and fill up the available disk space. To enable this functionality, select the Settings -> Network Protocol Analyzer menu and set the Retention Period field to a suitable value, such as 30 or 90 days.

IIS 8 Emulation

The Sim Server emulation of IIS now supports IIS version 8. No reconfiguration should be necessary as the default setting is to select the IIS emulation automatically.

Better UDP Handling

KFSensor attempts to identify and ignore UDP traffic that is locally initiated. Certain routers do not always translate the source IP addresses of UDP response packets. This caused KFSensor to wrongly identify these as unknown packets and therefore raise events for them. New algorithms have been added to KFSensor’s packet analyser to identify this situation and reduce the number of false positive events generated.

KFSensor Enterprise version 4.11.4

3 April 2015

Updated signature import support

  • Rulemaster has been updated to work with the new snort.org download format.
  • Support for importing the emergingthreats.net rule base.
  • Added support for the dsize snort rule option

Facility to replicate scenarios across sensors

  • To make it easier to set up multiple installations with the same custom configuration we have added the ability to easily export a scenario from one sensor and then import it into another sensor.
  • First configure one sensor exactly as you want it.
  • Then export the selected scenario from that sensor to a file.
  • Next import the file into another sensor. The listen and sim server definitions will then be identical to the first sensor.
  • Use the Edit Scenarios dialog box to export or import scenario definitions.

Improved ArcSight CEF Format Support

  • For HTTP traffic KFSensor now adds the URL, Host, User-Agent, and Referer fields to the event description. This makes these details available in CEF logging.

Bug fixes

  • Invalid event dates/times on virtual machines. When running Windows on a virtual machine there is a rare problem where the network card reports an incorrect time stamp. This was being picked up by KFSensor and reported as the time of the event. KFSensor has now been changed so that it double checks the accuracy of time events and corrects this issue before it gets logged.
  • External Console Applications. Certain applications require their own console in order to function properly. A new option has been added that provides one.
  • It is now possible to set zero as an option for the max emails alert setting.

KFSensor Enterprise version 4.10.0

16 June 2014

UDP Handling

The big change in this release is how KFSensor handles UDP traffic. In previous versions UDP was treated in much the same way as TCP. Both shared the same DOS limit and port scan settings. This worked reasonably well in the past, but the way UDP is being used has changed in recent years. This has resulted in much more UDP traffic being sent across local networks and led to a large number of unnecessary events being logged by KFSensor.

We have made many changes to the way KFSensor handles UDP traffic and the result of this is a big reduction in the number of UDP events generated. Fewer events make it easier to identify the important and unusual events that can indicate attacks on your network.

Recent Trends in UDP usage
Continual broadcast: Applications like Dropbox send out UDP broadcast messages every few seconds as a way of announcing their presence on the local network and discovering other machines running the same application. In the past this behaviour was restricted to DHCP.

Multicast: New Microsoft protocols such as Link-Local Multicast Name Resolution cause multiple machines to respond by broadcasting UDP packets to the entire sub-net, instead of sending them direct to the requester.

UDP System Improvements

UDP Specific DOS Settings

The DOS Settings dialog has been changed from a single page to a dialog with multiple tabs, one for each protocol. The UDP and TCP protocols now have their own settings and limits. This enables a greater degree of control and allows for differences in the way protocols work to be reflected in how they are handled.

Port specific limits

Each UDP port now has its own limits. This means that when the limit is reached then only traffic on that UDP port will be ignored from a host. For example this means only 3 Dropbox broadcasts will be recorded for each machine and this will not affect the recording of any other types of UDP traffic from those machines.

In previous versions it was possible to set port specific limits for specified ports. In the new version all ports are given their own limit automatically.

Ignore expires

In previous versions traffic that had triggered an ignore rule would keep that ignore state until the sensor was restarted. Now the ignore status can be set to expire; the default for this is 24 hours.

Better matching of outgoing and incoming UDP

KFSensor is now better at matching UDP traffic received in response to a request sent from the KFSensor host itself. This enables it to ignore such traffic, while still being able to generate events for unexpected traffic.

IP fragmentation

KFSensor now handles IP fragmented packets in a better way, stopping the occasional event being mis-recorded because of malformed packets.
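
How the port specific limits and the expiring ignore state interact, as an added example that is not KFSensor code: a limiter keyed on (source host, UDP port) that records three events, ignores the rest, and starts recording again once the ignore state expires. The class, its counting rule, the shared per-host mode used for contrast and the sample traffic are assumptions made for illustration.

```python
class UdpEventLimiter:
    """Decide whether a UDP packet should raise an event."""

    def __init__(self, limit=3, ignore_seconds=24 * 3600, per_port=True):
        self.limit = limit                    # events recorded before ignoring
        self.ignore_seconds = ignore_seconds  # lifetime of the ignore state
        self.per_port = per_port              # False = one shared limit per host
        self._count = {}                      # key -> events recorded so far
        self._ignored_until = {}              # key -> time the ignore expires

    def _key(self, src_ip, port):
        return (src_ip, port) if self.per_port else (src_ip, None)

    def should_log(self, src_ip, port, now):
        """Return True if this packet should be recorded as an event."""
        key = self._key(src_ip, port)
        expiry = self._ignored_until.get(key)
        if expiry is not None:
            if now < expiry:
                return False
            # The ignore state has expired: start counting from zero again.
            del self._ignored_until[key]
            self._count[key] = 0
        count = self._count.get(key, 0) + 1
        self._count[key] = count
        if count >= self.limit:
            self._ignored_until[key] = now + self.ignore_seconds
        return True


def replay(limiter, packets):
    """Return the (time, src_ip, port) packets that would raise events."""
    return [p for p in packets if limiter.should_log(p[1], p[2], p[0])]


# Constructed traffic: one host announcing itself on UDP 17500 (Dropbox LAN
# discovery) every 30 seconds, one unexpected packet to UDP 161, and another
# broadcast a little over 24 hours after the limit was reached.
HOST = "192.0.2.10"
SAMPLE_PACKETS = (
    [(t, HOST, 17500) for t in range(0, 300, 30)]
    + [(300, HOST, 161), (86500, HOST, 17500)]
)

if __name__ == "__main__":
    for label, limiter in (("per-port", UdpEventLimiter()),
                           ("shared", UdpEventLimiter(per_port=False))):
        print(label, replay(limiter, SAMPLE_PACKETS))
```

With the per-port key the broadcast noise stops after three events while the packet to UDP 161 is still recorded; with one shared limit per host the same noise hides it.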

Better HTML reports

The layout of exported events has been improved, by adding styling to the HTML output.

The File->Export->Event List option now defaults to HTML as the output format.

If required, the report styling can be configured by editing the C:\kfsensor\conf\reportstyle.css configuration file.


KFSensor Enterprise version 4.9.2

20 May 2013

Support for 64-bit Windows

KFSensor has always worked on 32-bit versions of Windows. It has also worked on 64-bit Windows, but there were limitations on certain features and there were a few stability problems with the network packet capture module. This meant we did not claim to support 64-bit versions of Windows.

With version 4.9 we have done extensive testing on 64-bit versions and identified and fixed known issues in that environment.

So we now officially support 64-bit versions of the following Windows versions:

  • Windows 7
  • Windows 8
  • Windows Server 2008 R2

Windows audit monitoring

The best way for a honeypot to maximize the information on an attack is to give as realistic a service response as possible to an attacker. The ideal is to use the real service, however this has not been practical due to the risks of compromise involved.

In the past KFSensor has attempted to replace every Windows service with a simulated service to allow safe detection of threats. Windows services such as IIS and RPC were notoriously vulnerable to attack, especially on machines connected directly to the public Internet.

Microsoft have made huge improvements to the security of Windows in recent years and a properly patched modern version of Windows is safe enough to use on an internal network, without taking special measures to lock it down. Such machines are still a target for attack, though, as weak passwords on RDP and open file shares are exploited.

KFSensor has long been able to monitor the network traffic of other services and log events in the same way as its own simulated services. This has been improved upon in version 4.9 by enabling KFSensor to monitor the auditing features of Windows itself to get more information on an attack.

This approach enables the use of Windows share folders to be set up and monitored by KFSensor. Extra information, such as the domain user account and Windows machine name of an attacker, can now be captured as well as the machine's IP address.

Events logged as a result of information from Windows services are identified by the new 'WIN' protocol, which is used to distinguish them from events derived from the standard networking protocols such as TCP and UDP.

This functionality is enabled by default in KFSensor, but there is extra configuration work required to enable the correct Windows audit settings to be configured. A new section 'Windows Audit configuration' has been added to the manual giving a detailed guide to what needs to be done.

MySQL support

Recent versions of MySQL introduced new reserved words that meant KFSensor was no longer compatible with it. The new version of KFSensor now supports MySQL.

These changes require an existing KFSensor database to be updated, even if it is running on SQL Server.

To perform the database update, after upgrading to version 4.9, go to the Settings -> Log Database... menu and press the Configure button.


KFSensor Enterprise version 4.8.0

10 August 2012

ArcSight CEF Format Support

  • KFSensor can be configured to forward events to ArcSight in CEF format. This streamlines and simplifies the integration of KFSensor with the ArcSight Enterprise Threat and Risk Management (ETRM) platform.
  • The Common Event Format (CEF) is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF is the first log management standard to support a broad range of device types. CEF enables technology companies and customers to use a common event log format so that data can easily be collected and aggregated for analysis by an enterprise management system.
  • Setting up KFSensor to integrate with ArcSight is simply a matter of opening the SysLog Alerts menu option, entering the ArcSight server IP address and selecting CEF as the alert format.
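
What a CEF record carrying the HTTP details mentioned in the 4.11.4 notes (URL, Host, User-Agent, Referer) has to get right, as an added example that is not KFSensor code or its actual output: those fields are visitor-controlled, so the formatter must apply CEF escaping or a crafted User-Agent can inject extra keys or lines into the log. The mapping onto the CEF keys request, dhost, requestClientApplication and requestContext, the signature id, the event name and the sample event are assumptions made for illustration.

```python
import re


def cef_header_escape(value) -> str:
    """Header fields: escape backslash and pipe; line breaks are not allowed."""
    text = str(value).replace("\\", "\\\\").replace("|", "\\|")
    return re.sub(r"[\r\n]+", " ", text)


def cef_ext_escape(value) -> str:
    """Extension values: escape backslash and '=', encode line breaks."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


def event_fields(event: dict) -> dict:
    """Map the HTTP details onto CEF dictionary keys (assumed mapping)."""
    return {
        "src": event["src"],
        "dpt": event["dpt"],
        "request": event["url"],
        "dhost": event["host"],
        "requestClientApplication": event["user_agent"],
        "requestContext": event["referer"],
    }


def cef_extension(fields: dict, escape=cef_ext_escape) -> str:
    """Join key=value pairs; pass escape=str to see the unsafe variant."""
    return " ".join(f"{key}={escape(value)}" for key, value in fields.items())


def format_cef(event: dict) -> str:
    """Build one CEF:0 line: seven pipe-separated header fields, then extension."""
    header = "|".join(cef_header_escape(part) for part in (
        "KeyFocus", "KFSensor", event["version"],
        event["sig_id"], event["name"], event["severity"]))
    return f"CEF:0|{header}|{cef_extension(event_fields(event))}"


_KEY = re.compile(r"(?:^| )(\w+)=")
_UNESCAPE = {"n": "\n", "r": "\r"}


def parse_extension(ext: str) -> dict:
    """Parse an extension the way a simple collector might: a key starts at
    ' name=' with an unescaped '=', and a repeated key overwrites the first."""
    marks = list(_KEY.finditer(ext))
    parsed = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        raw = ext[mark.end():end]
        parsed[mark.group(1)] = re.sub(
            r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(1)), raw)
    return parsed


# Constructed event: the User-Agent tries to forge a src key and a second record.
SAMPLE_EVENT = {
    "version": "4.11.4", "sig_id": "http-request",
    "name": "HTTP request on sim server", "severity": 5,
    "src": "203.0.113.7", "dpt": 80,
    "url": "/index.php?id=1", "host": "www.example.test",
    "user_agent": "scanner/1.0|x src=10.9.9.9\nCEF:0|forged|event",
    "referer": "http://example.test/a=b",
}

if __name__ == "__main__":
    print(format_cef(SAMPLE_EVENT))
    unsafe = cef_extension(event_fields(SAMPLE_EVENT), escape=str)
    print("unescaped src parses as:", repr(parse_extension(unsafe)["src"]))
```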

Visitor Rule Distribution

  • Centrally defined visitor rules can now be distributed to all sensors automatically. This makes it faster and easier to reduce false positive results consistently across all sensors.
  • To make use of this facility define a new rule on the local sensor on the KFSensor administrator machine. The collator service will then distribute this rule to all sensors.
  • The full enterprise configuration must be enabled for this to work.

Common Configuration file

  • To make it easier to set up new sensors with a standard configuration, a new local configuration file is now created that contains the machine specific information. This allows the main configuration file to be replaced without losing the machine specific settings.
  • This is how to configure a new sensor with an identical configuration to another one.
    1. Run the set up program
    2. Configure the new sensor with a unique sensor id and install the public and private key.
    3. Copy the kfsensor.xml file from the config folder of an existing sensor and replace the one on the new sensor. The scenarios, rules and other settings will then be identical.
  • The third step can be repeated at any time in the future, to standardise on a new configuration.

Upgrading from previous versions

Version 4.8 contains a number of new and updated scenario definitions.
To protect your existing configuration these are not imported automatically.

In order to update your configuration follow these steps:

  1. Select the Scenario->Import Scenario Definitions... menu item
  2. Select and open the file kfsupdate4_8_0.xml
  3. Press OK, and then Yes when asked to over-write
  4. That's it.


KFSensor Enterprise version 4.7.0

1 March 2010

Windows 7 Compatibility

  • The simulated servers such as IIS, FTP and shell have been updated to be able to simulate Windows 7
  • Various internal compatibility updates to support Windows 7.

Automatic simulation selection

  • Simulated servers such as IIS can simulate several different versions.
  • The selection of the version is now set to automatic, which enables the appropriate simulation to be selected for the base operating system.
  • Specific simulation version selection can still be made in the configuration

WinPcap

  • KFSensor now supports WinPcap version 4.1.1 (This is now the preferred KFSensor version)

Message Queuing Service

  • Added definitions for services specific to the Message Queuing Service

New Scanner Friendly DOS Setting

  • The default DOS Attack settings detect scanners, such as NMAP, and block them after a few scans
  • A new 'Scanner Friendly' button has been added to the 'DOS Attack Settings' dialog box.
  • The Scanner Friendly setting massively increases the DOS settings allowing a full scan of the KFSensor machine to be run

Upgrading from previous versions

Version 4.7 contains a number of new and updated scenario definitions.
To protect your existing configuration these are not imported automatically.

In order to update your configuration follow these steps:

  1. Select the Scenario->Import Scenario Definitions... menu item
  2. Select and open the file kfsupdate4_7_0.xml
  3. Press OK, and then Yes when asked to over-write
  4. That's it.

KFSensor Enterprise version 4.5.0

3 July 2008

Full Enterprise Mode

This version introduces major enhancements to the way in which KFSensor Enterprise operates. Together these enhancements have been named Full Enterprise Mode.

In the Full Enterprise Mode events from each sensor are inserted into a central database and copies of each sensor's event log files are additionally made on the Administration installation. This is done automatically by a background service on the Administration machine.

The Full Enterprise Mode provides these benefits:
  • Improved performance
    The Administration console has faster local access to each sensor's events.
  • Central store of events
    Making a central copy of all events from each Sensor means there is less need to make regular backups of the Sensor machines' disk drives. Storing all events on a central database also makes it easier to develop custom reports of all the activity on the entire network.
  • Easier signature rule base management
    Simply update the signatures on the Administration machine and have it deployed to each sensor automatically and securely.
  • Central alerts
    Each Sensor can be configured to send alerts, for example by email. In the Full Enterprise Mode there is the option of sending the alerts from the Administration machine instead of the Sensor machine. Handling the sending of alerts from all sensors in one location makes configuration easier. It also gets around common problems, such as a Sensor located in a DMZ not having access to the internal SMTP server to send an email alert.
  • Runs in the background
    These benefits are provided by a systems service, so it works without the need for a user to be logged on.

Enabling Full Enterprise Mode requires additional but straightforward configuration that is fully described in the KFSensor Administration Guide. This is an optional feature and can be enabled or disabled at any time, so there is no need to postpone upgrading to the new version.

Vista ports

  • Added definitions for services specific to Windows Vista
  • Web Services for Devices
  • IIS version 7 simulator

WinPcap

  • KFSensor now supports the latest WinPcap version 4.1.

Memory management

  • Improvements to the code have resulted in a smaller memory footprint, which will aid system performance in cases of heavy load.

KFSensor Enterprise version 4.4.0

2 November 2007

MySql Server - Sim Std Servers

  • Handles protocol negotiation
  • Decrypts packets
  • Allows visitor to browse database schemas
See the Edit Sim Std Server - SQL Server section for more details.

WinPcap

  • KFSensor now supports WinPcap version 4.0.

Ignore broadcasts

  • The visitor rules can now take the sensor IP address as a condition
  • This allows rules to be written specific to the broadcast address.
  • e.g. ignore all UDP broadcasts on a particular port.

Other

  • Increased session limits
  • Reduced memory requirements

Upgrading from previous versions

Version 4.4 contains a number of new and updated scenario definitions.
To protect your existing configuration these are not imported automatically.

In order to update your configuration follow these steps:

  1. Select the Scenario->Import Scenario Definitions... menu item
  2. Select and open the file kfsupdate4_4_0.xml
  3. The row named "MySQL Service" is unticked. Tick this row, so you get the new MySQL emulation
  4. Press OK, and then Yes when asked to over-write
  5. That's it.


KFSensor Enterprise version 4.3.0

11 December 2006

Vista Compatibility

  • Previous versions of KFSensor will work with Windows Vista, but require an elevated level of admin access rights.
  • The location of the KFSensor configuration files has been moved in the new version to make configuration easier with Windows Vista.
  • A new setting in the Server Settings dialog called "Home Root Path" allows this directory to be changed.

WinPcap

  • KFSensor now supports WinPcap version 4.0 beta 2.

Signature Rule Flags

  • New feature to allow more complex rules to be developed.
  • Better supports rules from publicly available sources, resulting in fewer false positives.

Upgrading from previous versions

Unlike previous updates this version 4.3.0 requires some additional steps to be taken after the upgrade. These should take less than five minutes.

With the introduction of Windows Vista Microsoft have changed the way that file permissions are granted to certain directories, such as "Program Files". Previous versions of KFSensor stored their configuration files in a sub-directory of "Program Files", which prevents a user from changing the KFSensor settings when installed in Vista, except when run with elevated access rights.

To make KFSensor compatible with Windows Vista's security model we have changed the location of the KFSensor configuration directory.
This applies to all Windows versions, not just Vista.
This means after upgrading a previous installation of KFSensor the configuration will initially be reset to the default configuration.

To restore your previous configuration

  1. Stop the KFSensor service and exit the KFSensor Monitor application.
  2. Using Windows Explorer copy the original KFSensor configuration files to the new location.
    Copy all the xml files from this directory:
       C:\Program Files\KeyFocus\KFSensor\conf
    to
       C:\kfsensor\conf
    over-write the default files in that location.
  3. Start KFSensor from the Start Menu in the normal way.

Re-import External Signatures

If you have imported signature rules from external sources, in a previous version of KFSensor, then these rules may be missing some of the options that the new version of KFSensor supports.

To ensure that your external rules are converted in the optimum way you will need to re-import them into KFSensor.
As KFSensor knows not to import duplicate definitions it is necessary first to purge the existing external rules in the KFSensor rule base before re-importing the latest set of external rules.

  1. To do this select the Signatures -> Edit Signatures menu item.
  2. Then press the Purge button.
  3. Then select External from the Purge Selection control and then press OK.

KFSensor Enterprise version 4.2.0

16 June 2006

This point release contains a number of minor enhancements that were made from user feedback.

Email Event Filter

  • The Email alert filter functionality has been enhanced in version 4.2
  • It is now possible to specify how many email alerts can be sent in each time period
  • There is a separate limit for each visitor and for the total

Signature Rule Event Severity Options

  • A signature rule contains the option to change the severity of an event. This may have the effect of reducing the severity set by the listen definition. In order to control this behavior there are three different options:

Event On (Port Scan)

  • This option is used to monitor the number of different ports in the same way as the option above. When the limit is reached for this setting then a port scan event will be logged.
  • This enables port scans to be detected without blocking the visitor.

Check For New Version Update

  • This new menu option checks with the KeyFocus web site to see if you are running the latest version.

KFSensor Enterprise version 4.1.0

8 May 2006

Color Coding

  • Each event in the event view is assigned a color based on its protocol and severity.
  • Ports and visitors are assigned a color based on how recent their last activity is.
  • All colors are customizable through the new Event Colors dialog box.

Visitor Rules

  • Quick Create Visitor Rule option added as a right click context menu option on the events view and as a button on the Event Details dialog.
  • Visitor rules have been extended to allow a host computer's DNS name to be specified, instead of just the IP address.
    This is useful when writing a rule to exclude a host that uses dynamic IP allocation.

Multiple IPs

  • The Scenario Change All dialog has been enhanced to make it easier to set up different behaviour for each IP hosted by the machine.

Bug fix

  • Problems logging to a MS SQL Server database have been resolved

KFSensor Enterprise version 4.0.2

23 January 2006

Network Protocol Analyzer

  • Detects connections to all TCP and UDP ports, even closed ports
  • Detects ICMP messages

Native Listen Type

  • Monitors production software services as part of the honeypot

Improved Port Management

  • All listen definitions associated with a service class
  • Enables whole classes of services to be added or removed from a scenario

Port hiding

  • Little used ports can now be hidden, until an event occurs
  • Makes port interface more manageable

DHCP Sim Server

  • Provides protocol decoding for this important service

Import Events

  • Import events stored in a log file into an ODBC database

KFSensor Enterprise version 3.0.4

12 July 2005

KFSensor Enterprise

Remote Administration

  • Ability to control multiple sensors from one monitor.
  • Ability to view events from multiple sensors from one monitor.

High Security Communications

  • Both client and server authentication with 3072 bit RSA public/private keys
  • 256 bit AES encrypted data traffic
  • Randomized data contents and data sizes to avoid all signatures

Signature Engine

  • KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.
  • Fast signature search engine, which has a minimal impact on system performance.
  • Handles thousands of rules
  • String, regular expressions and byte testing rules supported
  • Easy maintenance and updating of new rules from different sources
  • Create new rules directly from an event
  • Export rules in KFSensor or Snort format

New Port and Event Icons

  • Eight different icons to represent different service types
  • Easier to distinguish different types of events

New Event Details Dialog

  • Multi-tabbed Event details dialog
  • Four different information layouts
  • More details available for each event

Easy Scenario Upgrade

  • New dialog to import new sim server and listen definitions
  • Easy to update existing installation with the latest threats

Scanner cloaking

  • Vulnerability scanners attempt to interrogate every open port on a target server
  • It is now possible to specify the maximum number of ports a visitor can connect to before being locked out

CMD Command console - Sim Std Server

  • Emulates the Windows command shell, otherwise known as a DOS box
  • As used by a number of worms to install a root kit

KFSensor version 2.2.1

6 June 2004

New database format

  • Additional fields to store the accurate number of milliseconds.
    Some database engines cannot store the milliseconds in a date time field or round them to the nearest second.
  • New database table to allow easier future upgrades
  • Better compatibility with MySQL
  • See notes below about upgrading to the new format

DOS Attack

  • Connection limits can now be applied on a port by port basis
  • Useful for ports where a high connection rate is expected
See the Edit Listen dialog section for more details.

Scenario Rules

  • Rules conditions can now specify a range on the number of connections made by a visitor
  • An example of how this could be used is to specify that only the first three connections to a particular port will be logged.
See the Edit Visitor Rule dialog and the Visitor Rules sections for more details.

Status bar improvements

  • Displays server state in status bar
  • Displays number of visitors in the status bar
  • Displays number of events currently displayed and the number of events loaded in the status bar

Database upgrade

If you use KFSensor to log to an ODBC database then the database will need to be upgraded before the new version of KFSensor can be operational.

Before installing the new version of KFSensor be sure to make a backup of your KFSensor database.
Also ensure the database engine has plenty of free space on its devices or disk drives as the database upgrade process makes temporary copies of the existing data.

After installing the new version, KFSensor will display an error message when the monitor window is displayed.

Select the Log Database menu item from the Settings menu.

Press the configure button.

This will upgrade your database to the new version.
This may take some time.


KFSensor version 2.1.4

15 February 2004

SOCKS - Sim Std Server

  • Handles protocol negotiation
  • Supports SOCKS 4/4A/5
  • Handles proxy chaining requests
  • Redirects proxy connections to internal emulations
  • Various tricks to fool proxy testing scripts
  • Eight different configuration levels

HTTP Proxy

  • Extension of HTTP emulation to cover HTTP and CONNECT proxying
  • Eight different configuration levels
See the KFSensor Proxy Server Emulation section for more details.

Proxy rules

  • Use an external script to provide logic to determine if a proxy connection should be allowed
  • Process captured spam to produce custom reports
  • Works for all proxy types; SOCKS, HTTP and SMTP relay

New DOS Attack Options

  • Options to enable KFSensor to accept a large number of connections without locking out a visitor, or generating too many events
See the DOS Attack Settings section for more details.

MS SQL Server - Sim Std Servers

  • Handles protocol negotiation
  • Decrypts login packets
  • Correctly refuses login requests
  • Handles SQL Server UDP information requests
See the Edit Sim Std Server - SQL Server and Edit Sim Std Server - SQL UDP Server sections for more details.

Load events

  • New option to filter loading of events by port and/or visitor IP.
  • Allows the complete history for a port or visitor to be loaded without loading all events.

Memory conservation

  • KFSensor Monitor has a new option to reduce the amount of RAM it uses
  • Useful when dealing with a large number of attacks

Idle timeout

  • Additional option added to sim std servers to terminate a connection based on time since last activity

Duration

  • New column available in the Events View that displays the total duration of a connection

File selection

  • File browse buttons have been added to all dialogs that request a file or directory name to make selection easier.

Tool bar

  • New buttons for more functionality.

Mail alerts

  • Previous versions would only attempt to send an email alert once and give up if the SMTP server was down or too busy to accept a connection
  • Now KFSensor will keep attempting to send an email for up to 6 hours.
  • Various bug fixes to the SMTP client engine to fix problems when accessing certain SMTP servers.

Event Details Viewer

  • New Export button to save contents to file
  • This is especially useful if you want to process the contents with another application, such as a virus checker

SubSeven Trojan emulation

  • External application which simulates SubSeven trojan horse
  • Now included with the KFSensor installation
See KFSensor Extras for more information.

New license keys

  • Keys extended from 128 to 192 bits.
  • More secure anti-cracking protection

KFSensor version 2.0.1

30 October 2003

Improved Manual

External Console Applications

  • Use languages like C, PERL and Python
  • Operation and logging compatible with the built in Sim Servers
  • Compatible with scripts written for Honeyd
  • Sample scripts included
See the Edit External Console App dialog box for more details.

External Alerts

  • Process all or selected alerts using a custom external application
  • Launch an immediate port scan on the IP address of a visitor to the honeypot
  • Create your own custom event log file
  • Send alerts to a third-party application
  • Use languages like C, PERL and Python
See the External Alerts dialog box for more details.

NBT Sim Std Servers

  • KFSensor can emulate Microsoft's NetBIOS and SMB/CIFS services
  • Insecure file shares are one of the most common and potentially dangerous security vulnerabilities exploited
  • Decodes NBT and SMB packets and logs them in a human readable form
  • Allows worms to upload malicious code to a secure area, for analysis
  • All four NBT services emulated
    • NBT Name Service - UDP 137
    • NBT Datagram Service - UDP 138
    • NBT Session Service - TCP 139
    • NBT SMB Raw - TCP 445
See the Window networking / NetBIOS / SMB / CIFS section of the Admin Guide for more details.

Database Log Enhancement

  • KFSensor now has the option to save binary data, encoded as text, into a long char or Memo field in the database, which can make for easier external analysis of the database.
See the Database Log dialog box for more details.

