KFSensor Professional 4.9.2

Here are some key features of "KFSensor Professional":

Monitors every port:
· KFSensor Professional monitors attacks on every TCP and UDP port, as well as detecting ICMP or ping messages. It also monitors all network activity of native Windows server applications. Allowing these to act as part of a honeypot configuration.

Remote administration:
· KFSensor Enterprise Edition contains the ability to manage and monitor multiple honeypot installations. Events from different sensors across the network are concatenated in real time allowing an immediate view of attacks as they happen.
· KFSensor uses 3072 bit RSA public/private key authentication and 256 bit AES encryption to provide the top of the range security for communication between sensors.

IDS signature engine:
· KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system.
· Its fast signature search engine, has a minimal impact on system performance and can handle thousands of rules.
· It is easy to update the rulebase with new rules from different sources and to create new rules directly from an event.

Service Emulation:

· KFSensor, the Windows honeypot server system, features a number of different types of emulation, both simple and complex. These can even be extended by the use of custom scripts.

Flexible configuration:
· KFSensor can emulate different services on multiple ports and on different host IP addresses. It is possible to run any emulation on any port.

Multiple scenarios:
· Different honeypot scenarios can be defined, containing different port and service configurations. It is easy and quick to switch between scenarios while the system is running.

Port listening:
· The most basic type of trap, it holds open a port; reads the data sent to it and records the event. Most useful in detecting worms.

Banner:
· More sophisticated than a port listener, the Banner is able to display either a service prompt or error message message. Although limited in its capabilities, the Banner has the advantage of being very easy to configure by a novice user.

Command console:
· Emulates the Windows command shell, otherwise known as a DOS box. A number of worms bind CMD.EXE to a listening TCP port.

HTTP:
· This is a fully working web server that correctly emulates Microsoft's IIS web server. It handles the more obscure aspects such as range requests and client side cache controls.

SMTP:
· The Simple Mail Transfer Protocol emulation is capable of acting as a open relay server, the perfect trap for hackers looking for a target to relay spam.

Window networking / NetBIOS / SMB / CIFS:
· KFSensor can emulate all four of Microsoft's NetBIOS and SMB/CIFS services. Insecure file shares are one of the most common and potentially dangerous security vulnerabilities exploited. KFSensor decodes NBT and SMB packets and logs them in a human readable format and even enables worms to upload malicious code to a secure area, for later analysis.

SOCKS:
· KFSensor supports 4/4A/5 SOCKS protocols and can be configured with eight levels of emulation behaviour. SOCKS servers are frequently used to relay spam and to launch attacks on other servers. KFSensor contains advanced depception technology that allows spammers to believe their mail is getting through whilst secretly blocking mail from being relayed.

MS SQL Server:
· Supports both TCP and UDP SQL Server ports and can capture passwords used in intrusion attempts.

FTP:
· File Transfer Protocol emulation.

POP3:
· Post Office Protocol emulation.

Telnet:
· Telnet server emulation.

Terminal Server:
· Terminal Server is a Microsoft application that allows remote users to log on to a server.

Event details:
· All the network traffic that makes up a connection is concatonated into a single event, countering the problem of message fragmentation. As well as recording items such as the start and end time of an attack, the visitor's IP and port addresses, all the data transfered both to and from the honeypot is recorded.

Configurable display columns:
· The interactive event list can be configured from any combination of the thirty possible columns types available.

View by port:
· KFSensors Explorer type interface includes a port tree structure that color codes those ports depending on how recently the have been attacked. Selecting a port automatically filters the events to show only those targeted at that port.

View by visitor:
· The port view can be exchanged to a tree of visitors. This allows the events to be filtered to just show those events from a particular visitor.

Severity:
· Each event is assigned a severity. The severity allows more serious attacks to be identified by color coding and different actions can be link to different serverities. For example an email alert may only be sent based on a high severity event.

Alerts:
· In order to inform you when an intrusion occurs KFSensor supports a number of different mechanisms to alert you. These can be configured to only activate when a specified severity is detected.

System tray alerts:
· KFSensor provides a visual alert by displaying an alarm icon in the system tray at the bottom right of the Window's desktop.
· This flashes either yellow or red when an alert is detected.

Audio alerts:
· KFSensor can play an customizable alert sound when an event occurs.

External application alerts:
KFSensor provides the ability to invoke an external application to handle an alert event. This flexible feature can have many different uses such as:
· Creating your own custom event log file
· Launch an immediate port scan on the IP address of a visitor to the honeypot
· Send alerts to a third part application

Export logs in multiple formats:
· Events can be exported to file in the following formats; XML, HTML, tab separated and CSV.

Systems service:
· KFSensor runs as a systems service, allowing it to start before a user has logged on.

Secure configuration:
· KFSensor has been designed according to the least privilege principle. Unlike most other products KFSensor does not need Admin or root privaledges to function. By taking advantage of Window's native security mechanisms the host machine can be secured against any possible compromise of the KFSensor system.

High integrity version:
· KFSensor is available in a special high integrity version, which has the potentialy most risky honeypot features compiled out. This makes it suitable for use in the most security sensitive areas of an organisation.

Extensive Documentation:
· Detailed help documentation is available for all aspects of the product and there is a detailed guide on how to configure and get the best out of product.

Requirements:

· Processor 1.5Ghz or greater
· 500mb hard disk space
· 2Gb RAM
· 1 LAN card or more