KFSensor

 

Alerts

KFSensor constantly monitors the machine and responds to intrusions in real time. The events these intrusions generate are recorded in its log. KFSensor supports a number of different mechanisms to alert the administrator when events occur.
Each of the alert methods is optional. The appropriate ones for each installation should be configured.

These are the six different alert types supported by KFSensor:

  1. System Tray Alerts
  2. Audio Alerts
  3. EMail Alerts
  4. SysLog Alerts
  5. Event Log Alerts
  6. External Alerts

System Tray alerts

When KFSensor is running it places a siren icon in the Windows System Tray in the bottom right of the screen.

If there are no alerts then a green icon is displayed.
When an event occurs the icon begins to flash according to the severity of the event. If the KFSensor monitor screen is minimized then the icon will flash until the monitor screen is visible again and will continue to flash for a number of seconds.

The flashing on the system tray icon can be disabled and the duration of the flashing can be set in the Customize dialog box.

Icon                    Event Severity    Description
steady green            Low Severity      Low severity events do not generate a visual alert. The icon remains a constant green.
flashing yellow/orange  Medium Severity   Medium severity events cause the icon to flash yellow and orange.
flashing red/orange     High Severity     High severity events cause the icon to flash red and orange.

Audio alerts

KFSensor can play an alert sound when an event occurs.
The event sound is only played once and will not be played again until the system tray icon returns to green.

The playing of an alert sound and the sound played can be configured in the Customize dialog box.

EMail alerts

KFSensor can send alerts via email.
This has a number of advantages. It enables alerts to be sent outside the local network, even to a hand-held device.

EMail alerts are disabled by default and need to be configured via the EMail Alerts dialog box.

There are two different formats of email alert messages: short and long.
The short format provides minimal information on an event and is suitable for sending to a portable device or to redirect to an SMS message.
The long format provides much more detailed information and is suitable for a normal email client.

Short message format example

KFSensor Alert 127.0.0.1:4354
07/07/2015 12:39:06.875
IIS, port: 80
visitor: localhost, 127.0.0.1:4278

Long message format example

KFSensor Alert, id:11508, visitor:127.0.0.1:4369, Severity: High
KFSensor Event id: 11508
=====================
Start:07/07/2015 12:57:52.578
End: 07/07/2015 12:58:05.609

Type: Connection
Severity: High
Protocol: TCP

Host: 127.0.0.1:110
Visitor: localhost, 127.0.0.1:4369

POP3
Action: SimStdServer
Sim Server: POP3
Connection closed by Visitor

Received: 25 bytes
-----------------------------------------------------------
user admin
pass secret

-----------------------------------------------------------

Response: 107 bytes
-----------------------------------------------------------
>>>>+OK Microsoft Windows POP3 Service Version 2.0 <1361955@networksforu.com> ready.
user admin
>>>>+OK
pass secret
>>>>-ERR Logon Failure

-----------------------------------------------------------
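To work with the long format programmatically, here is an added Python example (not KFSensor's own code) that parses one message into a dictionary: the subject line, the "Key: Value" header lines, the free-text notes and the dash-delimited Received and Response payload blocks. LONG_EXAMPLE is a constructed copy of the message above, the key names in the result are this script's own, and the timestamps are kept as text because the page does not say whether the day or the month comes first.

```python
"""Parse a KFSensor long-format e-mail alert (added example, not KFSensor's code).
LONG_EXAMPLE is a constructed copy of the manual's sample; result keys are this script's own."""
import re

LONG_EXAMPLE = """KFSensor Alert, id:11508, visitor:127.0.0.1:4369, Severity: High
KFSensor Event id: 11508
=====================
Start:07/07/2015 12:57:52.578
End: 07/07/2015 12:58:05.609

Type: Connection
Severity: High
Protocol: TCP

Host: 127.0.0.1:110
Visitor: localhost, 127.0.0.1:4369

POP3
Action: SimStdServer
Sim Server: POP3
Connection closed by Visitor

Received: 25 bytes
-----------------------------------------------------------
user admin
pass secret

-----------------------------------------------------------

Response: 107 bytes
-----------------------------------------------------------
>>>>+OK Microsoft Windows POP3 Service Version 2.0 <1361955@networksforu.com> ready.
user admin
>>>>+OK
pass secret
>>>>-ERR Logon Failure

-----------------------------------------------------------
"""

SUBJECT = re.compile(r"KFSensor Alert, id:(\d+), visitor:(\S+), Severity: (\w+)")
PAYLOAD_HEAD = re.compile(r"(Received|Response): (\d+) bytes")
DASHES = re.compile(r"-{10,}")
KEY_VALUE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(.*)")  # lazy key: 'Host: 127.0.0.1:110' keeps the port in the value


def parse_long(text):
    """Subject line, then 'Key: Value' header lines, free-text notes and
    dash-delimited Received/Response payload blocks."""
    lines = text.splitlines()
    head = SUBJECT.fullmatch(lines[0].strip()) if lines else None
    if not head:
        raise ValueError("unrecognised long alert subject line")
    event = {"id": int(head.group(1)), "visitor": head.group(2), "severity": head.group(3),
             "fields": {}, "notes": [], "payloads": {}}
    i = 1
    while i < len(lines):
        line = lines[i].rstrip()
        payload = PAYLOAD_HEAD.fullmatch(line)
        if payload:
            # layout: 'Received: N bytes', dashes, body lines, dashes
            name, declared = payload.group(1).lower(), int(payload.group(2))
            i += 1
            if i >= len(lines) or not DASHES.fullmatch(lines[i].rstrip()):
                raise ValueError(f"{name} block is missing its opening dashes")
            body = []
            i += 1
            while i < len(lines) and not DASHES.fullmatch(lines[i].rstrip()):
                body.append(lines[i].rstrip())
                i += 1
            while body and not body[-1]:          # blank line that precedes the closing dashes
                body.pop()
            event["payloads"][name] = {"declared_bytes": declared, "lines": body}
        elif line and not line.startswith("="):   # skip blank lines and the '=====' rule
            kv = KEY_VALUE.fullmatch(line)
            if kv:
                event["fields"][kv.group(1)] = kv.group(2)
            else:
                event["notes"].append(line)        # e.g. 'POP3', 'Connection closed by Visitor'
        i += 1
    return event


def login_attempts(event):
    """Usernames the visitor tried, taken from 'user ...' lines in the Received payload."""
    received = event["payloads"].get("received", {}).get("lines", [])
    return [l.split(None, 1)[1] for l in received if l.lower().startswith("user ")]


def payload_bytes(event, name):
    """Recompute the declared byte count as each line plus CRLF. In the sample the
    Response count (107) covers only the '>>>>' server lines; the echoed visitor
    lines are shown for context, so they are left out here."""
    lines = event["payloads"][name]["lines"]
    if name == "response":
        lines = [l[4:] for l in lines if l.startswith(">>>>")]
    return sum(len(l) + 2 for l in lines)
```

payload_bytes lets you check the captured text against the declared count (25 and 107 in the sample), which is a cheap way to notice a mail client or gateway that rewraps or strips the payload in transit.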

SysLog alerts

KFSensor can send alerts to a SysLog server.
SysLog is the standard way of recording events on UNIX machines.

SysLog alerts are disabled by default and need to be configured via the SysLog Alerts dialog box.

SysLog message example

<84>Jul 7 13:34:35 192.168.2.9 kfsensor id: 11510, sensor: TCP 127.0.0.1:110, visitor: localhost, 127.0.0.1:4484, recbytes: 25
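As an added example (not KFSensor's own code), the following Python decodes lines in this format: it splits the <PRI> prefix into the RFC 3164 facility and severity (84 is authpriv, warning), pulls out the sensor and visitor endpoints, and keeps only the entries worth escalating. The first sample line is a copy of the example above; the second is constructed, and since the page does not say how KFSensor maps its own severities onto syslog priorities, the PRI values are illustrative only.

```python
"""Decode KFSensor SysLog alert lines (added example, not KFSensor's own code).

SAMPLE_LINES[0] is a copy of the manual's example; SAMPLE_LINES[1] is constructed.
KFSensor's mapping of its event severities to syslog PRI values is not stated on
the page, so the PRI values are illustrative only."""
import re

SAMPLE_LINES = [
    "<84>Jul 7 13:34:35 192.168.2.9 kfsensor id: 11510, sensor: TCP 127.0.0.1:110, "
    "visitor: localhost, 127.0.0.1:4484, recbytes: 25",
    # constructed: a connection that sent no data, logged at notice priority
    "<85>Jul 7 13:35:02 192.168.2.9 kfsensor id: 11511, sensor: TCP 127.0.0.1:80, "
    "visitor: workstation12, 192.168.2.40:51234, recbytes: 0",
]

# RFC 3164 facility and severity names, indexed by their numeric codes
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# 'Jul 7' may carry one or two spaces depending on how the line was relayed
LINE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kfsensor id: (?P<id>\d+), "
    r"sensor: (?P<protocol>\S+) (?P<sensor_ip>[^:\s]+):(?P<sensor_port>\d+), "
    r"visitor: (?P<visitor_name>[^,]*), (?P<visitor_ip>[^:\s]+):(?P<visitor_port>\d+), "
    r"recbytes: (?P<recbytes>\d+)"
)


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names: PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line):
    """Return the fields of one KFSensor syslog alert, with numeric fields converted."""
    m = LINE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a KFSensor syslog alert: " + line)
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    facility, severity = decode_pri(pri)
    for key in ("id", "sensor_port", "visitor_port", "recbytes"):
        fields[key] = int(fields[key])
    fields.update(pri=pri, facility=facility, severity=severity, severity_code=pri % 8)
    return fields


def triage(lines, max_severity_code=4):
    """Event ids whose syslog severity is at least 'warning' (code <= 4) and whose
    visitor actually sent data: bare connects from a sweep are left for the log."""
    picked = []
    for line in lines:
        try:
            ev = parse_syslog(line)
        except ValueError:
            continue  # foreign syslog traffic stays with the general pipeline
        if ev["severity_code"] <= max_severity_code and ev["recbytes"] > 0:
            picked.append(ev["id"])
    return picked
```

Because a syslog server usually receives messages from many sources on the same port, parse_syslog refuses anything that is not in the KFSensor layout rather than guessing, and triage silently skips those lines.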

Event Log alerts

KFSensor can send alerts to the local machine's Event Log.

There are two advantages to recording intrusion events to the Event log:

  1. The Event Log may be viewed from another computer, providing a user has the correct permissions.
  2. There are applications that monitor the Event Logs on a network to provide a unified reporting of events.

Event Log alerts are disabled by default and need to be configured via the Event Log Alerts dialog box.

Event Log Alert example

External alerts

In addition to the alerting mechanisms above, KFSensor can invoke an external application to handle an alert event.

This flexible feature can have many different uses such as:

  • Create a custom event log file
  • Launch an immediate port scan on the IP address of a visitor to the honeypot
  • Send alerts to a third party application

External alerts work by launching a console application in the same way that the External Console App service works.
The External Alert application is launched immediately after an event is completed.

External alerts are disabled by default and need to be configured via the External Alerts dialog box.
The section of the manual that describes this dialog box contains more detailed information and examples.
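As an added example of the first use listed above, a custom event log file, here is a small Python handler (not KFSensor's code). The page does not list the parameters KFSensor passes to the external application; that is in the External Alerts dialog section of the manual. This script therefore assumes they arrive as name=value arguments (id, severity, visitor, sensor and so on), and build_record is the one place to adjust once the real convention is known.

```python
"""Minimal External Alert handler (added example, not KFSensor's own code).

KFSensor runs the configured console application once per completed event.
ASSUMPTION: the event fields arrive as 'name=value' command-line arguments;
the real parameter list is in the External Alerts dialog section of the manual.
Each event that passes the severity gate is appended to a JSON-lines log file."""
import json
import sys
import time

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def build_record(argv, now=None):
    """Turn the assumed 'name=value' arguments into a dict stamped with the UTC receive time."""
    record = {"received_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))}
    for arg in argv:
        name, sep, value = arg.partition("=")
        if not sep or not name:
            raise ValueError(f"argument is not name=value: {arg!r}")
        record[name.lower()] = value
    return record


def worth_logging(record, min_severity="medium"):
    """Gate on severity so a low-severity port sweep does not flood the custom log."""
    sev = record.get("severity", "").lower()
    return SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[min_severity]


def format_line(record):
    """One compact JSON object per line, keys sorted so the file diffs cleanly."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def handle_alert(argv, log_path, min_severity="medium"):
    """Append the event to log_path; returns the written line, or None when gated out."""
    record = build_record(argv)
    if not worth_logging(record, min_severity):
        return None
    line = format_line(record)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


if __name__ == "__main__":
    # constructed invocation shape; the real command line is set in the External Alerts dialog
    handle_alert(sys.argv[1:], "kfsensor-custom.log")
```

The command configured in the External Alerts dialog would then be the Python interpreter followed by this script's path and whatever event placeholders KFSensor provides (an assumption here); because KFSensor launches the handler after every completed event, the severity gate is what keeps sweep noise from turning the custom log into a copy of the main one.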

