The proxy rules control whether or not a proxy connection or an email is actually relayed to its intended destination.
Allowing a visitor to access another system through your computer is always highly risky. However, it is the only way of duping a sophisticated hacker into believing they have come across a working proxy server and thus revealing their true intentions.
The secret of a successful honeypot proxy implementation is to allow through only the minimum number of connections necessary to yield a successful deception.
The proxy rules need to be customized for each implementation and often new rules have to be devised to catch a particular hacker.
In order to achieve this KFSensor uses external applications to make these decisions and implement custom rules.
This works in a similar way to External Alerts and the Edit External Console App.
This method has the additional advantage that the external applications can be used to produce custom reports as well as to implement the proxy rules.
Perl is well suited to implementing proxy rules.
It is simple to use, yet its pattern matching makes very complex rules easy to develop. We have included example Perl scripts that implement proxy rules. These are fully functional and we recommend you use them as the basis for your own rules.
In order to use these scripts you will need to obtain and install a copy of Perl.
When KFSensor needs to decide whether to relay a connection or an email, it runs the configured application and writes the information needed to make the decision to the application's stdin pipe.
When the application exits, its exit code indicates whether or not the connection should be relayed. The connection is relayed if, and only if, the exit code is zero; any non-zero exit code blocks it, so a script that dies with a runtime error fails closed and nothing is relayed.
Any text written to the application's stderr pipe is appended to the sent field of the event. This is a good way of debugging the rules in the script or of adding comments to the event.
In practice this is straightforward and will be obvious once you view the example Perl scripts, even if you have not come across Perl before.
Use the Proxy Rules dialog box to configure the example connect proxy rule script:

| Field | Value | Comment |
| --- | --- | --- |
| Application Path | C:\Perl\bin\perl.exe | Location of the Perl executable |
| Arguments | "C:\Program Files\KeyFocus\KFSensor\files\scripts\kfconnectproxytest.pl" | Full path of the example script, quoted because it contains spaces |
| Working directory | C:\kfsensor | Directory where custom reports will be generated |
The following information is passed to the application on its stdin pipe.
Each parameter is on a new line and an equals sign is used to separate the parameter name from its value.
| Parameter | Example | Comment |
| --- | --- | --- |
| KFSENSOR | CONNECTCHECK | Always present, so the script can check that it is being called with the expected parameters |
| SENSORIP | 192.168.2.9 | The KFSensor IP address |
| SENSORPORT | 8080 | The KFSensor port |
| VISITORDOMAIN | MESHCOMP | The visitor's domain, if known |
| VISITORIP | 192.168.2.99 | The visitor's IP address |
| VISITORPORT | 7026 | The visitor's port |
| TARGETDOMAIN | target.com | The domain name the visitor wants to connect to |
| TARGETIP | 192.168.2.77 | The IP address the visitor wants to connect to |
| TARGETPORT | 25 | The port the visitor wants to connect to |
| CONNECTIONS | 1 | The number of connections the visitor has made to KFSensor |
| REQUESTTYPE | HTTPCONNECT | Indicates the type of proxy request, for example HTTPCONNECT or HTTPPROXY |
| REQUEST | GET http:// etc. | For request type HTTPPROXY this parameter contains the HTTP request, so decisions can be made on the basis of the URL as well as the target host. It is base64 encoded for easy processing by the script. |
The example script kfconnectproxytest.pl demonstrates how the parameters are extracted and how the decision on whether to allow a connection is returned through the exit code.
If the $debugparams variable is set to non-zero, the rules that were triggered are added to the event logged by KFSensor.
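The shipped example is a Perl script. As an added illustration that is not part of KFSensor or of kfconnectproxytest.pl, the following Python script implements the same contract described above: it parses the NAME=value lines from stdin, applies a handful of rules (never relay to the sensor's own LAN, loopback or RFC 1918 space; relay only to an allow list of target ports; cap the connections relayed per visitor; for HTTPPROXY requests, base64-decode REQUEST and relay only GET and HEAD), writes the rules that fired to stderr so they appear in the event, and returns the decision in its exit code. The thresholds, the protected ranges, the allowed ports and methods, and the two sample inputs are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Illustrative KFSensor CONNECTCHECK rule script (added example, not the shipped
kfconnectproxytest.pl).  KFSensor writes NAME=value lines to stdin; the script
prints the rules that fired to stderr (appended to the event's sent field) and
exits 0 only when the connection should be relayed.  Thresholds and ranges are
assumed values for illustration."""
import base64
import binascii
import ipaddress
import sys

ALLOWED_TARGET_PORTS = {25, 80}          # only ports a decoy proxy may relay to
MAX_CONNECTIONS = 20                     # per-visitor relay cap
ALLOWED_METHODS = {"GET", "HEAD"}        # for HTTPPROXY requests
# Never let a visitor pivot through the honeypot into these ranges: the sensor
# LAN used in this page's examples, loopback, link-local and RFC 1918 space.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.168.2.0/24", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_params(text):
    """Parse the NAME=value lines from stdin into a dict.  Only the first '='
    splits name from value, so values may themselves contain '=' (base64
    padding, URLs with query strings)."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def decide_connect(params):
    """Return (allow, messages): allow is True only if no rule denied; messages
    lists the denying rules followed by debugging notes."""
    denies, notes = [], []
    if params.get("KFSENSOR") != "CONNECTCHECK":
        return False, ["not called as CONNECTCHECK"]
    try:
        target = ipaddress.ip_address(params.get("TARGETIP", ""))
    except ValueError:
        return False, [f"unparseable TARGETIP {params.get('TARGETIP')!r}"]

    if any(target in net for net in PROTECTED_NETWORKS) \
            or str(target) == params.get("SENSORIP"):
        denies.append(f"target {target} is inside a protected network")
    port = int(params.get("TARGETPORT") or 0)
    if port not in ALLOWED_TARGET_PORTS:
        denies.append(f"target port {port} is not in the allow list")
    if int(params.get("CONNECTIONS") or 0) > MAX_CONNECTIONS:
        denies.append(f"visitor exceeded {MAX_CONNECTIONS} connections")

    if params.get("REQUESTTYPE") == "HTTPPROXY":
        try:
            request = base64.b64decode(params.get("REQUEST", ""), validate=True)
        except binascii.Error:
            return False, ["REQUEST is not valid base64"]
        request_line = request.decode("latin-1").split("\r\n", 1)[0]
        notes.append(f"request line: {request_line}")
        method = request_line.split(" ", 1)[0].upper()
        if method not in ALLOWED_METHODS:
            denies.append(f"HTTP method {method} is not relayed")
    return not denies, denies + notes


# Constructed stdin samples.  The first mirrors this page's parameter table: a
# CONNECT to a host on the sensor's own LAN, which the rules refuse to relay.
SAMPLE_LAN_TARGET = "\n".join([
    "KFSENSOR=CONNECTCHECK", "SENSORIP=192.168.2.9", "SENSORPORT=8080",
    "VISITORDOMAIN=MESHCOMP", "VISITORIP=192.168.2.99", "VISITORPORT=7026",
    "TARGETDOMAIN=target.com", "TARGETIP=192.168.2.77", "TARGETPORT=25",
    "CONNECTIONS=1", "REQUESTTYPE=HTTPCONNECT",
]) + "\n"
# A plain GET via the HTTP proxy to a documentation-range address (RFC 5737).
SAMPLE_PUBLIC_GET = "\n".join([
    "KFSENSOR=CONNECTCHECK", "SENSORIP=192.168.2.9", "SENSORPORT=8080",
    "VISITORIP=192.168.2.99", "VISITORPORT=7030",
    "TARGETDOMAIN=www.example.com", "TARGETIP=203.0.113.10", "TARGETPORT=80",
    "CONNECTIONS=3", "REQUESTTYPE=HTTPPROXY",
    "REQUEST=" + base64.b64encode(
        b"GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    ).decode("ascii"),
]) + "\n"


def main():
    allow, messages = decide_connect(parse_params(sys.stdin.read()))
    for message in messages:
        print(message, file=sys.stderr)   # KFSensor appends stderr to the event
    sys.exit(0 if allow else 1)           # 0 relays; anything else blocks


if __name__ == "__main__":
    main()
```

It is configured in the Proxy Rules dialog in the same way as the Perl script, with Application Path pointing at the Python interpreter and Arguments at this file. Note that the sample mirroring the page's table (a CONNECT to 192.168.2.77) is refused: relaying into the network behind the honeypot would turn the deception into a real pivot, which is why a protected-range rule belongs in every rule script regardless of what else it allows.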
Use the Proxy Rules dialog box to configure the example SMTP proxy rule script:

| Field | Value | Comment |
| --- | --- | --- |
| Application Path | C:\Perl\bin\perl.exe | Location of the Perl executable |
| Arguments | "C:\Program Files\KeyFocus\KFSensor\files\scripts\kfsmtpproxytest.pl" | Full path of the example script, quoted because it contains spaces |
| Working directory | C:\kfsensor | Directory where custom reports will be generated |
The following information is passed to the application on its stdin pipe.
Each parameter is on a new line and an equals sign is used to separate the parameter name from its value.
| Parameter | Example | Comment |
| --- | --- | --- |
| KFSENSOR | SMTPCHECK | Always present, so the script can check that it is being called with the expected parameters |
| HELO | 192.168.2.9 | The argument of the HELO command the visitor sent |
| BANNER | 220 spammer.com | The SMTP banner sent to the visitor. It is base64 encoded for easy processing by the script. |
| SENSORIP | 192.168.2.9 | The KFSensor IP address |
| SENSORPORT | 8080 | The KFSensor port |
| VISITORDOMAIN | MESHCOMP | The visitor's domain, if known |
| VISITORIP | 192.168.2.99 | The visitor's IP address |
| VISITORPORT | 7026 | The visitor's port |
| ISEMULATINGHOST | 1 | 1 = KFSensor is pretending to be the remote SMTP server for EMULATEDDOMAIN; 2 = KFSensor is pretending to be an open relay |
| EMULATEDDOMAIN | spamtarget.com | The domain name of the SMTP server the visitor thinks they are using |
| EMULATEDIP | 192.168.2.44 | The IP address of the SMTP server the visitor thinks they are using |
| EMULATEDPORT | 25 | The port of the SMTP server the visitor thinks they are using |
| CONNECTIONS | 1 | The number of connections the visitor has made to KFSensor |
| TOTALSMTPCONNECTIONS | 10 | The total number of SMTP connections the visitor has made |
| TOTALRCPTS | 100 | The total number of spam destinations, i.e. RCPT TO commands, the visitor has issued |
| GRANDTOTALSMTPCONNECTIONS | 30 | The total number of SMTP connections all visitors have made |
| GRANDTOTALRCPTS | 300 | The total number of spam destinations, i.e. RCPT TO commands, all visitors have issued |
| FROM | <idno816336@yahoo.com> | The sender's email address |
| TO | <chalms_99@192.168.2.10> | The first recipient address. KFSensor forwards an email only to its first recipient. |
| NUMTOS | 1 | The number of recipients the email is addressed to |
| TOS1, TOS2, ... TOSn | <chalms_99@192.168.2.10> | Each of the recipients in turn |
| MESSAGE | {encoded} | The message contents. They are base64 encoded for easy processing by the script. |
The example script kfsmtpproxytest.pl is similar to kfconnectproxytest.pl, but contains many more rules and also writes reports.
The reports are tab-separated text files and can be used to make a detailed complaint to the spammer's ISP.
The script could be extended to send automated spam warnings to interested parties.
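As an added illustration of the SMTPCHECK call, and not the shipped kfsmtpproxytest.pl or any other KFSensor code, the following Python script applies the same stdin, stderr and exit-code contract to an email: it relays only while KFSensor is posing as the mail server for EMULATEDDOMAIN and the first recipient is at that domain, never in open-relay emulation, stops once a per-visitor or global RCPT TO quota is reached, refuses oversized or malformed MESSAGE payloads, and appends one tab-separated row per call to a report file of the kind the page describes. The quotas, the recipient rule, the report file name and the sample input are assumptions made for this example.

```python
"""Illustrative KFSensor SMTPCHECK rule script (added example, not the shipped
kfsmtpproxytest.pl).  Same contract as the connect check: NAME=value lines on
stdin, rule notes on stderr, exit 0 only if the email should be relayed, plus
one tab-separated report row per call.  Quotas and file name are assumed."""
import base64
import binascii
import datetime
import sys

MAX_RCPTS_PER_VISITOR = 5       # cap on TOTALRCPTS for one visitor
MAX_RCPTS_OVERALL = 50          # cap on GRANDTOTALRCPTS across all visitors
MAX_MESSAGE_BYTES = 64 * 1024   # refuse to relay large payloads
REPORT_PATH = "smtp_relay_report.tsv"   # relative to the working directory


def parse_params(text):
    """Parse the NAME=value lines KFSensor writes to stdin (first '=' splits)."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def address_domain(addr):
    """'<user@Host>' -> 'host'; '' if there is no '@'."""
    _, at, host = addr.strip().strip("<>").rpartition("@")
    return host.lower() if at else ""


def decide_smtp(params):
    """Return (allow, messages) for one SMTPCHECK call."""
    denies, notes = [], []
    if params.get("KFSENSOR") != "SMTPCHECK":
        return False, ["not called as SMTPCHECK"]
    try:
        message = base64.b64decode(params.get("MESSAGE", ""), validate=True)
    except binascii.Error:
        return False, ["MESSAGE is not valid base64"]
    # Relay only when posing as the MX for EMULATEDDOMAIN (ISEMULATINGHOST=1)
    # and the first recipient, the only one KFSensor forwards to, is there.
    if params.get("ISEMULATINGHOST") != "1":
        denies.append("open-relay emulation: never relay")
    elif address_domain(params.get("TO", "")) != params.get("EMULATEDDOMAIN", "").lower():
        denies.append(f"recipient {params.get('TO')} is not at {params.get('EMULATEDDOMAIN')}")
    if int(params.get("NUMTOS") or 0) > 1:
        denies.append("multi-recipient message")
    if int(params.get("TOTALRCPTS") or 0) > MAX_RCPTS_PER_VISITOR:
        denies.append("visitor RCPT TO quota exhausted")
    if int(params.get("GRANDTOTALRCPTS") or 0) > MAX_RCPTS_OVERALL:
        denies.append("global RCPT TO quota exhausted")
    if len(message) > MAX_MESSAGE_BYTES:
        denies.append(f"message of {len(message)} bytes exceeds cap")
    # Subject taken from the header block only, so a body line starting with
    # "Subject:" cannot spoof the note written to the event.
    headers = message.decode("latin-1").replace("\r\n", "\n").split("\n\n", 1)[0]
    subject = next((h[8:].strip() for h in headers.split("\n")
                    if h.lower().startswith("subject:")), "")
    notes.append(f"subject: {subject}")
    return not denies, denies + notes


def report_row(params, allowed, when=None):
    """One TSV row.  Tabs and line breaks in visitor-controlled fields are
    replaced so a hostile HELO or address cannot inject extra rows or columns."""
    when = when or datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    fields = [when, params.get("VISITORIP", ""), params.get("HELO", ""),
              params.get("FROM", ""), params.get("TO", ""), params.get("NUMTOS", ""),
              "relayed" if allowed else "blocked"]
    return "\t".join(f.replace("\t", " ").replace("\r", " ").replace("\n", " ")
                     for f in fields)


# Constructed stdin sample modelled on this page's SMTPCHECK parameter table.
SAMPLE_SMTP = "\n".join([
    "KFSENSOR=SMTPCHECK", "HELO=192.168.2.9",
    "BANNER=" + base64.b64encode(b"220 spamtarget.com ESMTP").decode("ascii"),
    "SENSORIP=192.168.2.9", "SENSORPORT=25", "VISITORIP=192.168.2.99",
    "VISITORPORT=7026", "ISEMULATINGHOST=1", "EMULATEDDOMAIN=spamtarget.com",
    "EMULATEDIP=192.168.2.44", "EMULATEDPORT=25", "CONNECTIONS=1",
    "TOTALSMTPCONNECTIONS=10", "TOTALRCPTS=4", "GRANDTOTALSMTPCONNECTIONS=30",
    "GRANDTOTALRCPTS=30", "FROM=<idno816336@yahoo.com>", "NUMTOS=1",
    "TO=<chalms_99@spamtarget.com>", "TOS1=<chalms_99@spamtarget.com>",
    "MESSAGE=" + base64.b64encode(
        b"From: <idno816336@yahoo.com>\r\nTo: <chalms_99@spamtarget.com>\r\n"
        b"Subject: cheap pills\r\n\r\nbuy now\r\n").decode("ascii"),
]) + "\n"


def main():
    params = parse_params(sys.stdin.read())
    allow, messages = decide_smtp(params)
    with open(REPORT_PATH, "a", encoding="utf-8") as fh:   # in the working dir
        fh.write(report_row(params, allow) + "\n")
    for message in messages:
        print(message, file=sys.stderr)   # shows up in the event's sent field
    sys.exit(0 if allow else 1)


if __name__ == "__main__":
    main()
```

The report is written relative to the Working directory configured in the Proxy Rules dialog, which is why that field matters even for a script that otherwise only returns a decision. Because HELO, FROM and TO are entirely under the visitor's control, the row writer strips tabs and line breaks before joining the fields; without that, a crafted HELO string could forge additional rows in the file that is later handed to an ISP.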