KFSensor


Signature maintenance

In order for KFSensor's signature engine to be most effective it is best to build up and maintain a large rule base.

KFSensor can import rules written in Snort format. There are a number of different sources for Snort rules and the first stage is to download copies of different rule sets.
Unlike a network IDS, KFSensor uses signatures to provide information on an attack and not to identify attacks. It is therefore possible to use experimental and non-certified rule sets.

The official Snort and community rules sets can be obtained at:
http://www.snort.org/rules/

Another important source of rules is Bleeding Snort:
http://www.bleedingsnort.com/index.php

There are other specialised rule sets available on the Internet and it is also possible to write your own.

Importing External Signatures

Snort rules are distributed in text files with a .rules extension.
Snort rules may come with a snort.conf file that acts as a master file for the rule files.

These are often packaged in a .tar.gz format.
If the downloaded rule set is in this format then use a program such as WinZip to extract the rule files to a new directory.
N.B. If using WinZip then make sure the "Use Folder Names" option is checked.

Once the snort rules have been downloaded and unpacked on the local hard drive, they are ready to be imported into KFSensor.
  1. Select the Signatures -> Import External Signatures menu item.
  2. In the Open dialog select the type of file you are importing.
    Either individual rule set files (.rules) or a complete rule set (snort.conf).
    N.B. If a snort.conf file is available it is preferable to use it.
  3. Select the file(s) you want to import and press OK.
    N.B. It is possible to select several files to import at once using the shift key.
  4. The Import Signatures dialog will now appear.
    This will list all the signatures in the file and allow you to choose which ones to import. By default all new and updated rules will already be selected.
  5. De-select any rules that you do not wish to import and then press the Import button to import the selected rules.
  6. Repeat steps 1-5 for other rule set files you want to import.
  7. Once you have completed importing all the rules you can view and edit your KFSensor rule database in the Edit Signatures dialog box, by selecting the Signature -> Edit Signatures menu option.
  8. Your rule set is now fully operational and each event that matches a rule will be marked with the rule id that it matches.

The KFSensor signature engine is very fast and should not affect the performance of the system, even with over 3,000 rules loaded.
When a large rule base is loaded there is, however, a performance hit when the system first starts up or is restarted: a large rule base may delay KFSensor's start up by several seconds.

Updating an existing rule base

Rule sets are frequently updated with new and revised rules.

Updating the KFSensor rule base is simply a matter of downloading the new version of the complete rule set and repeating the import process described above.

The Import Signatures dialog will automatically compare the rules in the import file with those in the rule base.
Existing rules are excluded by default, making it easy to identify and select the new and revised rules to import. When importing revised rules the previous version of a rule is automatically archived.

After several updates the number of archived rules may grow.
Purging the archived rules is not essential, but it will improve KFSensor's start up performance.
To do this use the Purge button on the Edit Signatures dialog box.

KFSensor Signature Update Automation

As public signatures are frequently updated it is desirable to automate this process.
This page describes the tools and configuration needed to fully automate this process.

The Update Process

This table lists the stages of updating the KFSensor signature base and how they are automated.

Stage  Task                                                            Automation
1      Download the latest rule sets from one or more public or        kfrulemaster
       private sources
2      Unpack the rule sets                                            kfrulemaster
3      Update the KFSensor signature base with new and updated rules   kfsigimp
4      Reload the KFSensor server with the latest rules                Automatic
5      Delete the unpacked source rules                                kfrulemaster

kfrulemaster is a perl script that handles the downloading and unpacking of snort rule sets.
It calls kfsigimp to perform the update of the rule base and then deletes the downloaded rules.
kfsigimp is a console based utility shipped with KFSensor.
Once the signature base has been updated the KFSensor Server detects this and reloads the rules automatically. There is no need to restart the server manually.

kfrulemaster

kfrulemaster is an open source perl script, based on the popular oinkmaster system.

In order to run kfrulemaster it is necessary to install Perl. We recommend ActiveState's ActivePerl distribution, as it is pre-configured with all the perl modules required by kfrulemaster.
http://www.activestate.com/Products/ActivePerl/

  1. You will find the kfrulemaster files as follows:
    C:\kfsensor\kfrulemaster\kfrulemaster.pl
    C:\kfsensor\kfrulemaster\kfrulemaster.conf
    C:\kfsensor\kfrulemaster\README
    C:\kfsensor\kfrulemaster\runkfrulemaster.bat
  2. The configuration file must be edited, before the script is ready to run. Edit the file kfrulemaster.conf, in a text editor.
  3. Check that the value of the kfsensorimportutilpath setting points to the directory in which KFSensor is installed.
  4. Enable one or more log settings to download the rules that you wish to use. Read the notes in the configuration file for more details.
  5. Test the script by opening a command prompt and running the batch file runkfrulemaster.bat
    If it works you will see messages telling you which rule archives have been downloaded and a message from kfsigimp indicating how many rules were imported.
  6. If any new rules have been added then you will notice a date/time change on the rule base file:
    C:\Program Files\KeyFocus\KFSensor\conf\kfsigs.xml
    Also check the update log file for more detailed information: C:\kfsensor\logs\kfsigimp.log

Scheduling a daily update

To fully automate the rule update process the script needs to be scheduled to run once every day.

This can be easily achieved by setting up a task in Windows Scheduled Tasks feature. However the Task Scheduler service will be disabled in a fully locked down Windows machine.

An alternative scheduler is needed on a locked down machine and there are several available.
We recommend the freeware nnCron LITE from nnSoft: http://www.nncron.ru/

Notes on using nnCron LITE with kfrulemaster
  1. Install nnCron LITE as a system service
  2. Change the setting AsLoggedUser to OFF in the file C:\Program Files\cron\cron.ini
  3. Add the task to the C:\Program Files\cron\cron.tab file.
    For example the following line will run the update process every day at 08:10.
    10 8 * * * perl C:\kfsensor\kfrulemaster\kfrulemaster.pl

KFSensor Signature Import Utility - kfsigimp.exe

The KFSensor Signature Import Utility is a console utility that updates a KFSensor signature file with new and revised rules in Snort format.
This utility is called as part of the kfrulemaster script, but can be invoked directly or in your own batch files.

The utility is located by default in this path:
C:\Program Files\KeyFocus\KFSensor\bin\kfsigimp.exe

Usage:
kfsigimp
    -i import
    -v verify
    -s<sigfilepath>

kfsigimp requires either the -i or the -v option to be specified. The verify option does everything apart from re-writing the signature file and is useful for testing.

One or more rule files/directories can be listed on the command line. If a directory is specified then the utility will search for all *.rules files in that directory and in its sub-directories and process them all. It is more efficient to run the utility once for all the rule files to be loaded. The kfrulemaster script places all unpacked files underneath a single temporary directory and calls kfsigimp to process them all.

If no sigfilepath is specified then the active KFSensor signature file will be updated.

kfsigimp writes to a log file, C:\kfsensor\logs\kfsigimp.log, which details each file processed and the number of rules updated.
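The comparison that the Import Signatures dialog and kfsigimp perform, as described above (new versus revised rules told apart by the Snort sid and rev options, the superseded version archived, *.rules files found recursively under a directory, and a verify-only mode that changes nothing), modelled in Python as an added example; this is not KFSensor's own code. The in-memory rule base (a dict of sid -> (rev, rule text)) and the sample rules are constructed for the example and stand in for kfsigs.xml, whose format this page does not describe.

```python
import os
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")   # sid and rev are Snort rule options
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")   # a rule without rev is treated as rev 1

def parse_rules(text):
    """Return (sid, rev, rule) per rule; joins '\\' continuation lines, skips comments."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # multi-line Snort rule: keep reading
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        sid, rev = SID_RE.search(line), REV_RE.search(line)
        if sid:                            # a rule with no sid cannot be tracked across updates
            rules.append((int(sid.group(1)), int(rev.group(1)) if rev else 1, line))
    return rules

def find_rule_files(root):
    """Recursively collect *.rules files under a directory, as kfsigimp does for a directory."""
    return sorted(os.path.join(d, n) for d, _, names in os.walk(root)
                  for n in names if n.endswith(".rules"))

def classify(active, rules):
    """Bucket rules as new / revised / unchanged relative to the base (sid -> (rev, text))."""
    buckets = {"new": [], "revised": [], "unchanged": []}
    for sid, rev, rule in rules:
        old = active.get(sid)
        kind = "new" if old is None else "revised" if rev > old[0] else "unchanged"
        buckets[kind].append((sid, rev, rule))
    return buckets

def import_rules(active, archived, rules, verify_only=False):
    """Apply new and revised rules, archiving the prior version of each revised rule.
    verify_only models kfsigimp -v: report counts but leave the base untouched."""
    b = classify(active, rules)
    if not verify_only:
        archived.extend((sid,) + active[sid] for sid, _, _ in b["revised"])
        active.update({sid: (rev, rule) for sid, rev, rule in b["new"] + b["revised"]})
    return {k: len(v) for k, v in b.items()}

# Constructed sample rule set and base (not real rules): sid 9000001 is a revision,
# 9000002 is unchanged, 9000003 is new.
SAMPLE_RULES = r"""# constructed example.rules, not a real rule set
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:9000001; rev:2;)
alert tcp any any -> any 21 (msg:"EXAMPLE ftp probe"; \
    content:"USER test"; sid:9000002; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE smtp probe"; sid:9000003; rev:5;)"""
SAMPLE_BASE = {9000001: (1, "old web probe rule"), 9000002: (1, "ftp probe rule")}
```

Running the verify-only pass first, as with kfsigimp -v, reports the same counts as the real import without touching the base.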

