KFSensor


KFSensor Terms

There are many different terms and phrases used in describing aspects of the Internet and systems security services. This section describes the key phrases used in KFSensor and the concepts behind them.

Visitor

A visitor is a general term used to refer to an entity that connects to KFSensor. Such a general term is used as the visitors could be hackers, worms, viruses or even legitimate users that have stumbled onto KFSensor by mistake. Visitors can also be referred to as the clients of the services provided by KFSensor.

Event

An event is a record of an incident detected by the KFSensor Service. For example if a visitor attempts to connect to the simulated web server then an event detailing the connection is generated.

Events are recorded in the log file and displayed in the KFSensor monitor.

Sim Server

Sim server is short for simulated server.
It is a definition of how KFSensor should behave in order to impersonate and emulate real server software. A typical server machine runs a number of servers to provide a range of different services, such as a web or SMTP server.

There is no limit to the number of Sim Servers that can be defined. You may want to set up Sim Servers for different implementations of the same service, such as IIS and Apache web servers, or different versions of the same service.

There are two types of Sim Server available: the Sim Banner and the Sim Standard Server.

To view and edit your Sim Servers definition, select the Edit Sim Servers... menu option from the Scenario menu.

Sim Banner

A Sim Banner is the most basic type of Sim Server.
It has the ability to read and then record the data sent to it by a visitor and to send the visitor a piece of data called a banner.

A banner is a piece of text or binary data that is part of the Sim Banner definition. The banner text can contain parameters, which are replaced with the values they represent at the moment the banner is sent to the client. This allows a more realistic response, such as one that includes the present time rather than a fixed piece of text.

For some simple services that is all that is required to emulate a service. For example, the purpose of the echo server is simply to return a copy of the data sent to the server. This can be easily accomplished with a Sim Banner definition.

Emulating a more complex server such as a web server works in the same way. In this case the visitor sends an HTTP request for a particular file and the Sim Banner returns its banner, which contains a standard HTTP response. An experienced hacker will not be fooled for long by such a simple emulation, but it is often enough to identify a hacking attempt.

Sim Standard Server

A Sim Standard Server is a sophisticated emulation of a real server.
The level of deception is much higher than with a Sim Banner and provides much more detailed information for analyzing an attack.

This is a list of the Sim Standard Servers that KFSensor currently supports.

Server                 Port  Description
CMD Command console    4444  The Command console Sim Std Server emulates the Windows command shell, otherwise known as a DOS box.
DHCP                   67    The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows the automatic configuration of networks. Its typical use is to assign dynamic IP addresses to computers on a network.
FTP                    21    File Transfer Protocol.
HTTP                   80    An HTTP server is another name for a web server.
MySql                  3306  The MySql service.
NBT Name Service       137   Windows file and print sharing.
NBT Datagram Service   138   Windows file and print sharing.
NBT Session Service    139   Windows file and print sharing.
NBT SMB                445   Windows file and print sharing.
POP3                   110   Post Office Protocol. A POP3 server stores email messages, which can be retrieved using email applications such as Microsoft Outlook.
Relay                  -     A Relay server allows visitors to access a service running on another machine.
SMTP                   25    Simple Mail Transfer Protocol. An SMTP server accepts incoming email messages.
SOCKS                  1080  A SOCKS proxy server relays all types of TCP and UDP traffic through a proxy server.
SQL Server             1433  The main MS SQL Server service.
SQL UDP Server         1434  The MS SQL Server UDP service.
Telnet                 23    A Telnet server allows visitors to open a remote console on the server machine.
Terminal Server        3389  Terminal Server is a Microsoft application that allows remote users to log on to a server.
VNC                    5900  VNC is a cross-platform remote control application.

Listen

A listen is an instruction for the KFSensor Server to open (bind to) a specific port and perform a specified action when a visitor connects to that port. Listen definitions allow the same or different actions to be performed on many different ports.

There are five different types of action that a Listen can perform when a visitor connects to the port defined by the Listen:

  • Close
    Close the connection immediately and log the event.
    If the Network Protocol Analyzer is active then the port will appear closed to a visitor.
  • Read and Close
    Wait for the visitor to send a request and close the connection without sending a response. The data received is recorded as part of the event that is logged.
  • Sim Banner
    Perform the actions specified by the selected Sim Banner definition and record any data in the event that is logged.
  • Sim Std Server
    Perform the actions specified by the selected Sim Std Server definition and record any data in the event that is logged.
  • Native
    Use this to monitor a port opened by another piece of software. This enables a native service such as the IIS web server to be used as part of the honeypot. All connections made to this service are logged in the same way as connections made to a sim server.
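The following is an added example, written for this page and not KFSensor's own code, of how the Close, Read and Close and Sim Banner actions above can be implemented on one listening port, together with the banner parameter substitution described under Sim Banner. The Listen and Event field names, the %TIME% and %HOST% parameter syntax, and the Apache-style banner text are assumptions made for illustration; the page does not show KFSensor's real parameter syntax or log format. The Native action is omitted because it watches a port that another program has bound rather than opening one.

```python
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Listen actions, named as in the manual.
CLOSE, READ_AND_CLOSE, SIM_BANNER = "Close", "Read and Close", "Sim Banner"


@dataclass
class Listen:
    """One listen definition: which port to bind, what to do, and how severe a hit is."""
    port: int
    action: str
    severity: str = "low"   # low | medium | high, copied into every event this listen raises
    banner: bytes = b""     # Sim Banner template; %TIME% and %HOST% are substituted (assumed syntax)
    echo: bool = False      # Sim Banner variant for the echo service: return what the visitor sent


@dataclass
class Event:
    """Record of one incident, in the spirit of what the KFSensor monitor logs (fields assumed)."""
    time: datetime
    port: int
    visitor: str
    severity: str
    received: bytes
    sent: bytes


# Constructed banner impersonating a web server. The Date header is a parameter,
# so two visitors a minute apart do not receive byte-identical responses.
HTTP_BANNER = (b"HTTP/1.1 200 OK\r\n"
               b"Date: %TIME%\r\n"
               b"Server: Apache/2.2.3 (Unix)\r\n"
               b"Content-Length: 0\r\n\r\n")


def render_banner(template: bytes, now: datetime, host: str = "srv01") -> bytes:
    """Replace banner parameters with live values (RFC 1123 date, hostname)."""
    stamp = now.strftime("%a, %d %b %Y %H:%M:%S GMT").encode()
    return template.replace(b"%TIME%", stamp).replace(b"%HOST%", host.encode())


def handle_visitor(listen: Listen, visitor: str, request: bytes,
                   now: datetime) -> Tuple[Optional[bytes], Event]:
    """Apply a listen's action to one connection.

    request is whatever the visitor sent before we acted (empty for CLOSE, which
    never reads). Returns the bytes to send back (None = send nothing) and the
    event to log. Kept free of sockets so the policy can be unit-tested.
    """
    if listen.action == CLOSE:
        received, response = b"", None
    elif listen.action == READ_AND_CLOSE:
        received, response = request, None
    elif listen.action == SIM_BANNER:
        received = request
        response = request if listen.echo else render_banner(listen.banner, now)
    else:
        raise ValueError(f"unknown listen action {listen.action!r}")
    return response, Event(now, listen.port, visitor, listen.severity, received, response or b"")


def serve(listen: Listen, events: List[Event], host: str = "127.0.0.1",
          max_read: int = 4096, read_timeout: float = 5.0) -> None:
    """Bind the listen's port and handle visitors one at a time (blocks; run in a thread)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, listen.port))
        srv.listen()
        while True:
            conn, (peer, _) = srv.accept()
            with conn:
                request = b""
                if listen.action != CLOSE:
                    conn.settimeout(read_timeout)
                    try:
                        request = conn.recv(max_read)   # one read is enough for a banner probe
                    except socket.timeout:
                        pass                            # silent visitor: log an empty request
                response, event = handle_visitor(listen, peer, request, datetime.now(timezone.utc))
                if response:
                    conn.sendall(response)
                events.append(event)


if __name__ == "__main__":
    # A one-listen scenario: a high-severity web listen on a non-privileged port.
    log: List[Event] = []
    serve(Listen(8080, SIM_BANNER, "high", HTTP_BANNER), log)
```

Run the file and probe it with `printf 'GET /admin HTTP/1.0\r\n\r\n' | nc 127.0.0.1 8080`; every connection, including one that sends nothing, ends up in `log` with the listen's severity attached. Note the difference between the first two actions: Close records only that a connection arrived, while Read and Close keeps the visitor's first request as evidence without revealing anything in return.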

Listen Icon

Each listen definition is associated with one of eight icons.
These icons help to provide a visual clue as to the type of service and are displayed in the port view and event view.

Icon name     Description
Banshee       Used for miscellaneous services.
Server        Used for services found on a Windows server, such as Windows Terminal Server.
Workstation   Used for services found on all Windows machines.
World         Used for services that may be exposed to the Internet.
Penguin       Used for services found on Linux systems, but not usually on Windows systems.
Radio active  Used for non-standard applications such as peer-to-peer file sharing applications.
Skull         Used for worms.
Hacker        Used for trojans and rootkits.

Scenario

A scenario is a collection of listen definitions, which together control all the actions the KFSensor Server should perform. Many scenarios can be defined, each appropriate for a different purpose, such as detecting attacks on a workstation or on a server. Only one scenario can be active at a time, but it is easy to switch between scenarios.

Severity

KFSensor uses severity to classify Events into three levels of importance: low, medium and high.

An event's severity is set by the severity of the Listen that generated it.

When an event is generated, the type of alert depends on its severity level.

Level    Color   Alert
Low      Grey    No alert warning is generated for low severity events.
Medium   Yellow  The KFSensor monitor system tray icon flashes yellow.
High     Red     The KFSensor monitor system tray icon flashes red.

Denial Of Service (DOS) Attack

A denial of service (DOS) attack is an attempt to overload a server by sending it a very large number of requests, exhausting the server's resources so that it can no longer cope with legitimate traffic.
Hackers that launch DOS attacks frequently use several machines at the same time to generate the maximum number of connections and the most bandwidth usage.

DOS attacks are among the hardest kinds of attack to protect against, and many big companies such as Microsoft and Yahoo have been victims of them.

The KFSensor Server is very fast at responding to visitors. On a reasonably quick internet connection the server can easily handle several million requests per hour. This would not pose a problem for the server itself, but it would cause the logs to grow very large.

To prevent a hacker generating an excessive amount of events KFSensor implements various limits on the amount of traffic it will accept.

In the event of a sustained DOS attack KFSensor will Lock Out the visitors responsible for the attack and refuse to accept any connections from them for a set period of time.

If a hacker is using numerous IP aliases to launch a sustained DOS attack, the server will Lock Up and refuse to accept any connections at all for a set period of time.

These settings are configured using the DOS Attack Settings dialog box.
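The Lock Out and Lock Up behaviour described above amounts to two sliding-window limits: one per visitor and one across all visitors. The following is an added example in Python of that policy, not KFSensor's code; the per-visitor and global thresholds, the window length and the lock durations are invented illustrative values rather than KFSensor's defaults, and the traffic in the main block is constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ACCEPT, LOCKED_OUT, LOCKED_UP = "accept", "locked out", "locked up"


class DosGuard:
    """Sliding-window connection limits with per-visitor Lock Out and global Lock Up.

    Thresholds and durations are illustrative assumptions, not KFSensor's settings.
    Time is passed in explicitly (seconds from any monotonic source) so the policy
    can be replayed against recorded traffic.
    """

    def __init__(self, per_visitor_limit: int = 20, global_limit: int = 200,
                 window: float = 60.0, lock_out_secs: float = 600.0,
                 lock_up_secs: float = 60.0) -> None:
        self.per_visitor_limit = per_visitor_limit   # connections per visitor per window
        self.global_limit = global_limit             # connections from everyone per window
        self.window = window
        self.lock_out_secs = lock_out_secs
        self.lock_up_secs = lock_up_secs
        self._per_visitor: Dict[str, Deque[float]] = defaultdict(deque)
        self._all: Deque[float] = deque()
        self.locked_out: Dict[str, float] = {}       # visitor -> time the lock out expires
        self.locked_up_until = 0.0

    def _prune(self, q: Deque[float], now: float) -> None:
        """Drop timestamps that have fallen out of the window."""
        while q and q[0] <= now - self.window:
            q.popleft()

    def check(self, visitor: str, now: float) -> str:
        """Decide whether a connection from visitor at time now is accepted.

        The connection that crosses a limit is the first one refused. A Lock Up
        takes precedence over a Lock Out because it applies to every visitor.
        """
        if now < self.locked_up_until:
            return LOCKED_UP
        until = self.locked_out.get(visitor)
        if until is not None:
            if now < until:
                return LOCKED_OUT
            del self.locked_out[visitor]            # lock out expired: start counting again
        mine = self._per_visitor[visitor]
        self._prune(mine, now)
        self._prune(self._all, now)
        mine.append(now)
        self._all.append(now)
        if len(mine) > self.per_visitor_limit:
            self.locked_out[visitor] = now + self.lock_out_secs
            mine.clear()
            return LOCKED_OUT
        if len(self._all) > self.global_limit:      # many sources (or IP aliases) at once
            self.locked_up_until = now + self.lock_up_secs
            self._all.clear()
            return LOCKED_UP
        return ACCEPT


def replay(guard: DosGuard, connections: List[Tuple[float, str]]) -> Dict[str, int]:
    """Run a list of (time, visitor) connections through the guard and count decisions."""
    counts = {ACCEPT: 0, LOCKED_OUT: 0, LOCKED_UP: 0}
    for when, who in connections:
        counts[guard.check(who, when)] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: one host hammering the honeypot ten times a second,
    # then a flood from 300 distinct addresses within the same second.
    single = [(t * 0.1, "203.0.113.7") for t in range(50)]
    flood = [(10.0, f"10.0.{i // 256}.{i % 256}") for i in range(300)]
    guard = DosGuard()
    print("single source:", replay(guard, single))
    print("flood:", replay(guard, flood))
```

Only the events that are accepted reach the log, which is the point of the limits: the honeypot itself can keep up with the connection rate, but an unbounded log would not.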
