KFSensor Professional Changelog

New in KFSensor Professional 5.7.0 (Feb 23, 2022)

  • Fixes:
  • Updated to work with the latest npcap 1.6.0
  • Various fixes and updates

New in KFSensor Professional 5.6.0 (Apr 26, 2021)

  • Fixes:
  • Updated to work with the latest npcap 1.3.0
  • Fixed a problem in the collator that would stop it picking up signature changes
  • New scenario port definitions

New in KFSensor Professional 5.5.0 (Dec 31, 2020)

  • Fixes:
  • Updated to work with the latest npcap 0.9984
  • New scenario port definitions

New in KFSensor Professional 5.4.5 (Dec 31, 2020)

  • Updated to new code signing certificate.
  • Code re-release with new code signing certificate.

New in KFSensor Professional 5.3.0 (Sep 17, 2017)

  • Qradar LEEF Format Support:
  • KFSensor can be configured to forward events to IBM Qradar in LEEF format. This streamlines and simplifies the integration of KFSensor with IBM Qradar.
  • Log Event Extended Format (LEEF) is a log format designed for entering data onto the Qradar system.
  • Setting up KFSensor to integrate with Qradar is simply a matter of opening the SysLog Alerts menu option, entering the Qradar server IP address and selecting Qradar LEEF as the alert format.
  • Npcap support:
  • For many years KFSensor has made use of the industry standard WinPcap network packet capturing library. Unfortunately WinPcap is no longer being maintained. It is reliable for older versions of Windows, but can be difficult to install on versions of Windows 10.
  • KFSensor now supports Npcap. This is based on WinPcap, with an updated codebase to support the latest Windows APIs. It is recommended for use on Windows 10.
  • Both WinPcap and Npcap can be installed on the same machine. If both are installed on the same machine then KFSensor will pick Npcap in preference to WinPcap.
  • If WinPcap is working on an existing KFSensor host then there is no need to install Npcap. Future versions will take advantage of additional features of Npcap, so it is recommended to choose Npcap for new installations unless KFSensor is being used on an older Windows version.
  • Improved Sensor Synchronization:
  • The event synchronization between KFSensor collator and remote sensors has been improved to cope better with errors that can arise from sensor re-installations and other issues. This results in automatic correction of problems that previously needed a manual reconfiguration.

New in KFSensor Professional 5.2.0 (Sep 17, 2017)

  • Full HTTPS support:
  • The KFSensor HTTP simulated server now supports HTTPS as well as HTTP. This allows visitors to interact with port TCP 443 using encrypted TLS traffic as they would expect on that port.
  • KFSensor will dynamically generate a self-signed certificate for use by the HTTPS simulated service. It is also possible for the simulated server to use a real certificate that has been added to the local Windows certificate store.
  • To add this feature to an existing installation, follow the steps below.
  • Admin action logging:
  • Actions and configuration changes made by an administrator are now recorded in the KFSensor Monitor log file for auditing purposes.
  • The log files can be found using this search pattern:
  • C:\kfsensor\logs\sensmon_*.log
  • The log entries start with "Configuration changed:" and provide the date, user name and the configuration setting changed.
  • Signatures - filter on description and type:
  • The signature engine has been enhanced to enable it to match special types of packets that could not previously be identified. For example, scan packets that do not contain any content can now be detected. This is useful for ignoring legitimate servers, such as web proxies, that can send out unexpected packets.

New in KFSensor Professional 5.1.0 (Jun 11, 2016)

  • Improved Stealth Scan detection:
  • Stealth scans cover a range of techniques used by hackers and pen testers to identify hosts, fingerprint OS versions and determine which ports are open on a host. These techniques involve sending non-standard network packets or non-standard packet sequencing to gain a response from a host without establishing a full connection. Such probes are rarely recorded in system log files and can evade detection by certain security products such as firewalls. nmap is the most popular stealth scanning tool.
  • KFSensor's detection of stealth scans has been improved in the following ways:
  • New Event type - Scan
  • When a network event can be positively identified as a scan then the event is assigned the event type "Scan". Previously these would have been recorded as type "Connection". An event with the type Scan is a much clearer indicator of malicious activity than a connection.
  • nmap Options decoded
  • Where possible a scan is decoded to show the nmap option that matches the scan technique. The event's Description field contains the matching nmap command line option.
  • The following options are individually identified:
  • nmap -sS
  • nmap -sN
  • nmap -sF
  • nmap -sX, Xmas scan
  • nmap -sM
  • nmap -sA
  • n.b. Other security tools and malware may implement the same techniques. The events from these will still be identified using the nmap option as that is the standard scanning tool.
  • Port Scan changed to Multi-port Scan:
  • In previous versions a 'Port Scan' referred to an attacker connecting to many different port numbers. This type of activity has been renamed a 'Multi-port Scan', to better describe it and to distinguish it from the new Scan event type.
  • REPORTS:
  • New reports:
  • Two new reports have been added that enable analysis of the new scan event type:
  • Top visitor by scan attacks
  • Scan attacks by day
  • Better error reporting:
  • The previous version would only show "Report Loading..." when a problem occurred. In the new version an error message will be displayed.
  • Longer time outs:
  • The report loading timeout has been increased from 10 to 60 seconds to cope with slow servers and large data sets.
  • Fix for missing days in charts:
  • In the previous version chronological charts only contained data points for days that contained data and not for days that contained zero data. The lines drawn between data points would then be misleading as they would skip over the days with zero data. The new version adds data points for all days, so the lines match the data.
  • Updating indicator:
  • A spinner indicator has been added to the Update button on the report filter to show that a report is being updated.
  • Better support for MySQL:
  • The new version contains better handling of MySQL connection timeouts. In the previous version the service would need to be restarted after several hours.
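The Scan classification described above (flag-pattern probes named by their nmap option, a half-open SYN probe, and the per-host Multi-port Scan roll-up), as an added example that is not KFSensor's own code. The flag patterns follow the nmap manual; the sample flows, the flow-timeout assumption and the multi-port threshold are constructed for the example.

```python
# Added example, not KFSensor's own code: tag TCP flows as "Scan" events, name the
# matching nmap option from the probe's flag pattern, then roll a host's events up
# into a "Multi-port Scan". Flag patterns follow the nmap manual; sample flows and
# the multi-port threshold are constructed/assumed.
from collections import defaultdict

# TCP flag bits (13th byte of the TCP header); ECE/CWR are masked off below.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MASK = FIN | SYN | RST | PSH | ACK | URG

# Flag pattern of the single probe each handshake-free nmap scan type sends.
PROBE_SIGNATURES = {
    0: "nmap -sN",                # Null scan: no flags set at all
    FIN: "nmap -sF",              # FIN scan
    FIN | PSH | URG: "nmap -sX",  # Xmas scan
    FIN | ACK: "nmap -sM",        # Maimon scan
    ACK: "nmap -sA",              # ACK scan (firewall rule mapping)
}

def classify_flow(client_flags):
    """client_flags: TCP flag bytes the remote host sent to one local port, in order,
    for a flow that has already timed out. Returns (event_type, description)."""
    if not client_flags:
        return ("Connection", "")
    first = client_flags[0] & MASK
    if first == SYN:
        # A lone SYN starts either a real connection or a half-open scan. nmap -sS
        # never completes the handshake: after the honeypot's SYN/ACK it answers
        # with RST (or nothing at all). Assumption: the flow has already timed out.
        follow = [f & MASK for f in client_flags[1:]]
        if not follow or follow[0] & RST:
            return ("Scan", "nmap -sS")
        return ("Connection", "")
    if first in PROBE_SIGNATURES:
        return ("Scan", PROBE_SIGNATURES[first])
    return ("Connection", "")

def multi_port_scans(events, threshold=10):
    """Group events by source host; a host that touched at least `threshold` distinct
    ports is reported as a Multi-port Scan (the threshold value is assumed)."""
    ports = defaultdict(set)
    for src, port, _etype, _desc in events:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}

# Constructed sample flows: (source host, local port, flag bytes from the client).
SAMPLE_FLOWS = [
    ("10.0.0.5", 22, [SYN, ACK, PSH | ACK, FIN | ACK]),  # real SSH connection
    ("10.0.0.9", 80, [SYN, RST]),                          # half-open probe
    ("10.0.0.9", 443, [FIN | PSH | URG]),                  # Xmas probe
    ("10.0.0.9", 3389, [0]),                               # Null probe
    ("10.0.0.9", 445, [ACK]),                              # ACK probe
    ("10.0.0.7", 1433, [FIN | ACK]),                       # Maimon probe
]

def run(flows=SAMPLE_FLOWS, threshold=3):
    """Classify every flow; return (per-flow events, hosts flagged as Multi-port Scan)."""
    events = [(src, port, *classify_flow(flags)) for src, port, flags in flows]
    return events, multi_port_scans(events, threshold)

if __name__ == "__main__":
    for line in run()[0]:
        print(line)
    print("Multi-port scans:", run()[1])
```

The completed SSH handshake stays a plain Connection, while the same source host probing four ports with different flag patterns is both tagged per event and reported once as a Multi-port Scan.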

New in KFSensor Professional 5.0.0 (Jun 11, 2016)

  • Reports and Graphs:
  • KFSensor has a new reporting module that provides a variety of reports for advanced data analysis.
  • Sensor Status Information:
  • To aid the management and administration of KFSensor installations each sensor now records a set of status data. This data provides useful information on the sensor itself and on its host machine. This is particularly useful when administering a large number of sensors, but is still useful with only a single installation.
  • A new user interface panel has been added below the port tree, in the bottom left of the window to display the sensor status information.
  • Examples of the Sensor Status Information are how long the sensor has been running for, the list of the host's IP addresses and the amount of free disk space.
  • Digital Signatures:
  • All KFSensor modules and installation files are now digitally signed with a code signing certificate. This enables users to ensure that their copy of KFSensor is genuine and has not been tampered with. Our publisher name is “KeyFocus Ltd.” and that is the name used in the certificate.
  • Other Fixes:
  • A number of minor fixes and improvements have been made to the system, in particular with the way the collation and logging modules handle larger data sets.

New in KFSensor Professional 4.12.0 (Dec 22, 2015)

  • More Listen definitions:
  • 24 more ports have been added to the standard configuration in this release. These have been identified as being popular targets for scanning and exploitation. They include new Trojans and new services increasingly found on networks such as Mongo and Minecraft.
  • Packet Data storage management:
  • The management of packet data storage has been improved to enable the automatic deletion of old packet data. This ensures that the total packet data stored by KFSensor will not exceed a maximum size and fill up the available disk space.
  • To enable this functionality, select the Settings -> Network Protocol Analyzer menu and set the Retention Period field to a suitable value, such as 30 or 90 days.
  • IIS 8 Emulation:
  • The Sim Server emulation of IIS now supports IIS version 8.
  • No configuration should be necessary, as the default setting selects the IIS emulation automatically.
  • Better UDP Handling:
  • KFSensor attempts to identify and ignore UDP traffic that is locally initiated. Certain routers do not always translate the source IP addresses of UDP response packets. This caused KFSensor to wrongly identify these as unknown packets and therefore raise events for them. New algorithms have been added to KFSensor's packet analyser to identify this situation and reduce the number of false positive events generated.

New in KFSensor Professional 4.11.4 (Apr 6, 2015)

  • Updated signature import support:
  • Rulemaster has been updated to work with the new snort.org download format.
  • Support for importing the emergingthreats.net rule base.
  • Added support for the dsize snort rule option
  • Facility to replicate scenarios across sensors:
  • To make it easier to set up multiple installations with the same custom configuration we have added the ability to easily export a scenario from one sensor and then import it into another sensor.
  • First configure one sensor exactly as you want it.
  • Then export the selected scenario from that sensor to a file.
  • Next import the file into another sensor. The listen and sim server definitions will then be identical to the first sensor.
  • Use the Edit Scenarios dialog box to export or import scenario definitions.
  • Improved ArcSight CEF Format support:
  • For HTTP traffic KFSensor now adds the URL, Host, User-Agent, and Referer fields to the event description. This makes these details available in CEF logging.
  • Bug fixes:
  • Invalid event dates/times on virtual machines. When running Windows on a virtual machine there is a rare problem where the network card reports an incorrect time stamp. This was being picked up by KFSensor and reported as the time of the event. KFSensor has now been changed so that it double checks the accuracy of time events and corrects this issue before it gets logged.
  • External Console Applications. Certain applications require their own console in order to function properly. A new option has been added that provides one.
  • It is now possible to set zero as an option for the max emails alert setting.

New in KFSensor Professional 4.10.0 (Aug 26, 2014)

  • UDP Handling
  • The big change in this release is how KFSensor handles UDP traffic. In previous versions UDP was treated in much the same way as TCP. Both shared the same DOS limit and port scan settings. This worked reasonably well in the past, but the way UDP is being used has changed in recent years. This has resulted in much more UDP traffic being sent across local networks and led to a large number of unnecessary events being logged by KFSensor.
  • We have made many changes to the way KFSensor handles UDP traffic and the result of this is a big reduction in the number of UDP events generated. Fewer events make it easier to identify the important and unusual events that can indicate attacks on your network.
  • Recent trends in UDP usage:
  • Continual broadcast: Applications like Dropbox send out UDP broadcast messages every few seconds as a way of announcing their presence on the local network and discovering other machines running the same application. In the past this behaviour was restricted to DHCP.
  • Multicast: New Microsoft protocols such as Link-Local Multicast Name Resolution cause multiple machines to respond by broadcasting UDP packets to the entire subnet, instead of sending them directly to the requester.
  • UDP System Improvements
  • UDP Specific DOS Settings
  • The DOS Settings dialog has been changed from a single page to a dialog with multiple tabs, one for each protocol. The UDP and TCP protocols now have their own settings and limits. This enables a greater degree of control and allows for differences in the way protocols work to be reflected in how they are handled.
  • Port specific limits
  • Each UDP port now has its own limits. This means that when the limit is reached, only traffic on that UDP port will be ignored from a host. For example, only 3 Dropbox broadcasts will be recorded for each machine, and this will not affect the recording of any other types of UDP traffic from those machines.
  • In previous versions it was possible to set port-specific limits for specified ports. In the new version all ports are given their own limit automatically.
  • Ignore expires
  • In previous versions, traffic that had triggered an ignore rule would keep that ignore state until the sensor was restarted. Now the ignore status can be set to expire; the default for this is 24 hours.
  • Better matching of outgoing and incoming UDP
  • KFSensor is now better at matching UDP traffic received in response to a request sent from the KFSensor host itself. This enables it to ignore such traffic, while still able to generate events for unexpected traffic.
  • IP fragmentation
  • KFSensor now handles IP fragmented packets better, stopping the occasional event being mis-recorded because of malformed packets.
  • Better HTML reports
  • The layout of exported events has been improved by adding styling to the HTML output.
  • The File->Export->Event List option now defaults to HTML output.
  • If required, the report styling can be configured by editing the C:\kfsensor\conf\reportstyle.css configuration file.
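The per-host, per-port UDP limit with an expiring ignore state described in this release, as an added example that is not KFSensor's own code. The limit of 3 and the 24-hour expiry are the values quoted above; the packet trace is constructed (UDP 17500 is Dropbox LAN sync discovery, 5355 is LLMNR).

```python
# Added example, not KFSensor's own code: per-host, per-port UDP event limiting with
# an ignore state that expires, modelling the 4.10 behaviour described above. The
# limit of 3 and the 24-hour expiry are the values quoted in the notes; the packet
# trace is constructed (UDP 17500 is Dropbox LAN sync, 5355 is LLMNR).
from datetime import datetime, timedelta

class UdpEventLimiter:
    """Decides whether a UDP packet from (src_host, udp_port) becomes a logged event."""

    def __init__(self, limit=3, ignore_for=timedelta(hours=24)):
        self.limit = limit
        self.ignore_for = ignore_for
        self.count = {}          # (src_host, udp_port) -> events recorded so far
        self.ignored_until = {}  # (src_host, udp_port) -> when the ignore expires

    def observe(self, src_host, udp_port, when):
        """Return True if the packet should be logged, False if it is suppressed."""
        key = (src_host, udp_port)
        expiry = self.ignored_until.get(key)
        if expiry is not None:
            if when < expiry:
                return False  # still inside the ignore window for this host/port
            # Ignore expired: forget it and start counting again, so a host that keeps
            # broadcasting produces a fresh handful of events once a day.
            del self.ignored_until[key]
            self.count[key] = 0
        self.count[key] = self.count.get(key, 0) + 1
        if self.count[key] >= self.limit:
            # Limit reached on this port only; other ports from the same host are
            # unaffected, which is the point of per-port limits.
            self.ignored_until[key] = when + self.ignore_for
        return True

def simulate(limiter=None):
    """Run a constructed packet trace through the limiter; return the logged packets
    as (time, host, port) tuples."""
    if limiter is None:
        limiter = UdpEventLimiter()
    t0 = datetime(2014, 8, 26, 9, 0, 0)
    host = "192.168.1.20"
    trace = [(t0 + timedelta(seconds=30 * i), host, 17500) for i in range(5)]
    trace.append((t0 + timedelta(minutes=1), host, 5355))   # LLMNR on another port
    trace.append((t0 + timedelta(hours=25), host, 17500))   # after the ignore expired
    trace.sort()
    return [pkt for pkt in trace if limiter.observe(pkt[1], pkt[2], pkt[0])]

if __name__ == "__main__":
    for when, host, port in simulate():
        print(when.isoformat(), host, port)
```

Of the seven constructed packets, five are logged: three Dropbox broadcasts before the port hits its limit, the LLMNR packet on the other port regardless, and one more broadcast once the 24-hour ignore has expired.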

New in KFSensor Professional 4.9.2 (May 22, 2013)

  • Windows audit monitoring:
  • The best way for a honeypot to maximize the information on an attack is to give as realistic a service response as possible to an attacker. The ideal is to use the real service, however this has not been practical due to the risks of compromise involved.
  • In the past KFSensor has attempted to replace every Windows service with a simulated service to allow safe detection of threats. Windows services such as IIS and RPC were notoriously vulnerable to attack, especially on machines connected directly to the public Internet.
  • Microsoft have made huge improvements to the security of Windows in recent years, and a properly patched modern version of Windows is safe enough to use on an internal network without taking special measures to lock it down. Such machines are still a target for attack, however, as weak passwords on RDP and open file shares are exploited.
  • KFSensor has long been able to monitor the network traffic of other services and log events in the same way as its own simulated services. This has been improved upon in version 4.9 by enabling KFSensor to monitor the auditing features of Windows itself to get more information on an attack.
  • This approach enables Windows shared folders to be set up and monitored by KFSensor. Extra information, such as the domain user account and Windows machine name of an attacker, can now be captured as well as the machine's IP address.
  • Events logged as a result of information from Windows services are identified by the new "WIN" protocol, which distinguishes them from events derived from the standard networking protocols such as TCP and UDP.
  • This functionality is enabled by default in KFSensor, but extra configuration work is required to set the correct Windows audit settings. A new section, "Windows Audit configuration", has been added to the manual giving a detailed guide to what needs to be done.
  • MySQL support:
  • Recent versions of MySQL introduced new reserved words that meant KFSensor was no longer compatible with it. The new version of KFSensor is compatible with MySQL again.
  • These changes require an existing KFSensor database to be updated, even if it is running on SQL Server.
  • To perform the database update, after upgrading to version 4.9, go to the Settings -> Log Database... menu and press the Configure button.

New in KFSensor Professional 4.8.0 (Oct 2, 2012)

  • Full Enterprise Mode:
  • This version introduces major enhancements to the way in which KFSensor Enterprise operates. Together these enhancements have been named Full Enterprise Mode.
  • In the Full Enterprise Mode events from each sensor are inserted into a central database and copies of each sensor's event log files are additionally made on the Administration installation. This is done automatically by a background service on the Administration machine.
  • The Full Enterprise Mode provides these benefits:
  • Improved performance
  • The Administration console has faster local access to each sensor's events.
  • Central store of events
  • Making a central copy of all events from each Sensor means there is less need to make regular backups of the Sensor machines' disk drives. Storing all events on a central database also makes it easier to develop custom reports of all the activity on the entire network.
  • Easier signature rule base management
  • Simply update the signatures on the Administration machine and have it deployed to each sensor automatically and securely.
  • Central alerts
  • Each Sensor can be configured to send alerts, for example by email. In the Full Enterprise Mode there is the option of sending the alerts from the Administration machine instead of the Sensor machine. Handling the sending of alerts from all sensors in one location makes configuration easier. It also gets around common problems, such as a Sensor located in a DMZ not having access to the internal SMTP server to send an email alert.
  • Runs in the background
  • These benefits are provided by a system service, so it works without the need for a user to be logged on.
  • Enabling Full Enterprise Mode requires additional but straightforward configuration that is fully described in the KFSensor Administration Guide. This is an optional feature and can be enabled or disabled at any time, so there is no need to postpone upgrading to the new version.
  • Vista ports:
  • Added definitions for services specific to Windows Vista
  • Web Services for Devices
  • IIS version 7 simulator
  • WinPcap
  • KFSensor now supports the latest WinPcap version 4.1.
  • Memory management
  • Improvements to the code have resulted in a smaller memory footprint, which will aid system performance in cases of heavy load.

New in KFSensor Professional 4.7.0 (Oct 2, 2012)

  • Windows 7 Compatibility
  • The simulated servers such as IIS, FTP and shell have been updated to be able to simulate Windows 7
  • Various internal compatibility updates to support Windows 7.
  • Automatic simulation selection
  • Simulated servers such as IIS can simulate several different versions.
  • The selection of the version is now set to automatic, which enables the appropriate simulation to be selected for the base operating system.
  • Specific simulation version selection can still be made in the configuration
  • WinPcap
  • KFSensor now supports WinPcap version 4.1.1 (this is now the preferred WinPcap version for KFSensor).
  • Message Queuing Service
  • Added definitions for services specific to the Message Queuing Service
  • New Scanner Friendly DOS Setting
  • The default DOS Attack settings detect scanners, such as nmap, and block them after a few scans.
  • A new 'Scanner Friendly' button has been added to the 'DOS Attack Settings' dialog box.
  • The Scanner Friendly setting massively increases the DOS limits, allowing a full scan of the KFSensor machine to be run.

New in KFSensor Professional 4.5.0 (Oct 2, 2012)


New in KFSensor Professional 4.4.0 (Dec 7, 2007)

  • MySql Server - Sim Std Servers:
  • Handles protocol negotiation
  • Decrypts packets
  • Allows visitor to browse database schemas
  • WinPcap: KFSensor now supports WinPcap version 4.0.
  • Ignore broadcasts: The visitor rules can now take the sensor IP address as a condition. This allows rules to be written specific to the broadcast address, e.g. ignore all UDP broadcasts on a particular port.
  • Increased session limits
  • Reduced memory requirements