Edit Sim Std Server - NBT Session Service
The Session Service is one of four services that make up the Microsoft Windows networking system.
For more information on this server and how to configure it see the
Window networking / NetBIOS / SMB / CIFS section in the KFSensor Administration Guide.
Title
- Name
Each Sim Std Server requires a unique name, which is used to identify it.
- Description
A piece of text for notes on what the Sim Std Server aims to support
- Default Port
Most services have standard ports on which visitors expect to find them.
The default port is TCP 139.
This is only used as a prompt during configuration of a Listen; a Sim Std Server can be set on
any or many different ports.
- Severity
The severity level that events generated by this Sim Std Server will be given.
This can be overridden as part of the Listen configuration.
Logging Options
These settings control how the data is logged.
- Log Detail
This controls how much detail of the decoded packets is recorded.
| Type |
Description |
| Basic |
Provides a brief summary of the main points of interest in the packet.
Use this options if you are receiving a lot of traffic and want to minimize the size of your log files.
This log level also hides duplicate requests. If message numbers are out of sequence then this indicates a duplicate message has
been hidden.
|
| Normal |
Provides details of all the parameters of each packet. |
| Debug |
Provides all the details, in normal mode, plus the complete data blocks transferred with the packet.
The log size can grow very large with this option |
- Log decoded packet
If checked then each packet will be decoded and logged in a human readable format.
- Log raw packet
If checked then the raw binary data of the packet will be logged.
If both this option and the one above are checked then each packet will be logged first in
decoded format and then as a binary value.
- Max Log Size
If set to a value greater than zero then the data recorded in the log will be truncated to the specified total number of bytes.
This option allows a large amount of NBT traffic to be exchanged, without causing the log bloat.
Options
- Time out
The time in seconds that the KFSensor server allows the session to continue for before closing the connection.
- Idle Time out
The time in seconds that the KFSensor server will wait for traffic on a connection before closing the connection.
- Receive Limit
The maximum number of bytes that will be accepted from the visitor before the connection is closed.
- Response Delay
The option allows the time taken by a connection to be slowed down by adding a delay in milliseconds, before each response is sent.
Because an NBT Session can consist of over a hundred request/response pairs, even a small timeout can make a connection last a very long time,
without triggering the timeout mechanism of the visitor.
This feature provides a good way of slowing down a worm and prevent the honeypot from being over loaded.
Note: Unlike the other time settings this one is in milliseconds, not seconds.
- Read without end
As described in the KFSensor Windows networking emulation section of the admin guide, KFSensor
has the ability to allow a visitor to read (download), a file. This file can be either a real file or one generated with random data.
If this option is selected then KFSensor tells the visitor that each file opened has a size of 1,880,092,672 bytes.
If the visitor attempts to read this file, then KFSensor will generate random data and send it to the visitor. Each read request is limited to a
maximum of 64Kb, which results in potentially over 7000 requests being made. In practice a visitor will abandon the connection long before this maximum is reached.
Note: This option should be used with care as it can lead to a large amount of traffic. This can be mitigated by using the Response Delay option.
Buttons
- NBT Settings
This button displays the NBT Settings dialog box.
This contains settings common to all four NBT services.
Related Topics
KFSensor On-Line Manual Contents