KFSensor - Advanced Windows Honeypot System


KFSensor is a Windows-based honeypot Intrusion Detection System (IDS).

It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.
KFSensor is designed for use in a Windows-based corporate environment and contains many innovative and unique features such as remote management, a Snort-compatible signature engine and emulations of Windows networking protocols.
With its GUI based management console, extensive documentation and low maintenance, KFSensor provides a cost effective way of improving an organization's network security.

KFSensor Benefits

Signature attack identification
KFSensor's rule-based signature engine can identify known attack patterns, which greatly helps in analysing the nature of an event. Rules can be imported from external sources in Snort format, giving access to a huge body of security knowledge.
Detects Windows networking attacks
KFSensor contains the world's only Windows networking (NetBIOS / SMB / CIFS) emulation honeypot. This unique feature enables it to detect the nature of attacks on file shares and Windows administrative services, currently the most prevalent and damaging on the Internet.
Firewalls can detect port scans, but not the nature of an attack. A NIDS can identify certain attacks, but only by letting the traffic reach real, potentially vulnerable systems. Because KFSensor emulates the service rather than running it, it can record the full attack without the risk of compromise.
Extendable architecture
The already comprehensive emulation and reporting features of KFSensor can be further extended by writing your own scripts and database queries.
Minimal false positives
Firewalls and network-based IDS are often overwhelmed by the volume of network traffic and generate false alarms by misinterpreting legitimate traffic. A honeypot has no legitimate users, so every connection to it is suspect; the few benign sources that do touch it, such as vulnerability scanners or network management tools, can be excluded with visitor rules.
Low overheads
KFSensor lies dormant until attacked, consuming very little processor time or network resources. Sensors can be installed on users’ machines without affecting their normal use, eliminating the need for additional hardware.
Full coverage
All TCP, UDP and ICMP traffic is monitored for all ports.
Remote Administration
Protect different locations in the corporate network with multiple KFSensor installations and manage them from one location. KFSensor Enterprise Edition provides remote configuration and real-time collation of events from all sensors on a single administrator machine, over encrypted and authenticated connections.
Simplicity
The concepts behind KFSensor are easy to understand. Its configuration and operation is straightforward, requiring minimal training and maintenance.
Advanced server simulation
KFSensor emulates real servers, such as FTP, SMB, POP3, HTTP, Telnet, SMTP and SOCKS to improve deception and gain more valuable information on a hacker's motives.
Real time detection
Attacks are detected, analyzed and reported immediately allowing response to an attack while still in progress.
Detects unknown threats
Unlike purely signature-based products, KFSensor does not depend on signatures of known attacks to raise an alert: any connection to an emulated service is recorded, so new or zero-day threats such as new worms, viruses and skilled intruders are detected as well. KFSensor is just as effective at detecting internal threats.
Security in-depth
KFSensor complements other types of security products, such as firewalls, anti-virus and network based IDS systems, to provide an additional layer of protection.
Designed for a corporate environment
KFSensor's secure design and its ability to work both inside a LAN and in front of a firewall make it suitable for organizations with the most demanding security requirements.

16 August 2012
KFSensor version 4.8.0 released
ArcSight CEF Format Support
  • KFSensor can be configured to forward events to ArcSight in CEF format. This streamlines the integration of KFSensor with the ArcSight Enterprise Threat and Risk Management (ETRM) platform.
  • The Common Event Format (CEF) is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. It gives technology companies and customers a common event log format, so that data can easily be collected and aggregated for analysis by an enterprise management system.
  • Setting up KFSensor to integrate with ArcSight is simply a matter of opening the SysLog Alerts menu option, entering the ArcSight server IP address and selecting CEF as the alert format.
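The CEF line layout is public (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension, with the extension as space-separated key=value pairs), so a SIEM or collector on the receiving end needs an encoder and decoder that get the escaping right. The following is an added example, not KFSensor's own code: the vendor string "KeyFocus", the signature ID and the extension keys in the sample event are assumed for illustration, and the sample syslog prefix is constructed. It shows why the escaping rules matter: a pipe in the event name and an equals sign or backslash in a message field must survive a round trip, and a real record may arrive behind a syslog header.

```python
"""Encode and decode ArcSight CEF (Common Event Format) lines.

Added example for the CEF forwarding feature described above; this is
not KFSensor's code. The vendor/product strings, signature ID and
extension keys in SAMPLE_EVENT are assumed, not taken from KFSensor.
"""
import re


def _escape_header(value):
    """Header fields may not contain an unescaped '|' or '\\'."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    """Extension values may not contain an unescaped '=' or '\\';
    line breaks are encoded so the event stays on one syslog line."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def format_cef(vendor, product, version, sig_id, name, severity, extension):
    """Build a CEF:0 line from the six header fields and an extension dict."""
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, sig_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def _split_header(line):
    """Split the seven '|'-delimited header fields ('CEF:0' included),
    honouring backslash escapes. Returns (fields, raw_extension)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2          # escaped '|' or '\'
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]


# key=value pairs; a value runs until the next ' key=' token or end of line,
# and may contain escaped '=' / '\' pairs but no bare '='.
_EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def _unescape_extension(value):
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line):
    """Parse one CEF line (optionally behind a syslog header) into a dict."""
    line = line.rstrip("\r\n")
    start = line.find("CEF:")        # the record starts at the first 'CEF:'
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext_raw = _split_header(line[start:])
    version = fields[0][len("CEF:"):]
    if version != "0":
        raise ValueError(f"unsupported CEF version {version!r}")
    return {
        "vendor": fields[1], "product": fields[2], "version": fields[3],
        "sig_id": fields[4], "name": fields[5], "severity": fields[6],
        "extension": {k: _unescape_extension(v) for k, v in _EXT_RE.findall(ext_raw)},
    }


# Constructed sample: a hit on the emulated SMB service on TCP/445.
# Vendor name, signature ID and keys are assumed, not real KFSensor output.
SAMPLE_EVENT = {
    "vendor": "KeyFocus", "product": "KFSensor", "version": "4.8.0",
    "sig_id": "445", "name": "SMB|NetBIOS probe", "severity": 7,
    "extension": {"src": "192.0.2.10", "spt": "49152", "dst": "192.0.2.50",
                  "dpt": "445", "proto": "TCP",
                  "msg": "path=\\\\target\\C$\nlogin attempt"},
}


def roundtrip(event=SAMPLE_EVENT):
    """Encode the event, prefix a constructed syslog header, decode it again."""
    line = format_cef(event["vendor"], event["product"], event["version"],
                      event["sig_id"], event["name"], event["severity"],
                      event["extension"])
    return line, parse_cef("<134>Aug 16 12:00:00 sensor01 " + line)


if __name__ == "__main__":
    wire, decoded = roundtrip()
    print(wire)
    print(decoded)
```

The decoder deliberately refuses a line without a CEF: token or with an unknown version rather than guessing, since a collector that silently drops or mangles honeypot events defeats the purpose of forwarding them.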
Visitor Rule Distribution
  • Centrally defined visitor rules can now be distributed to all sensors automatically. This makes it faster and easier to reduce false positive results consistently across all sensors.
  • To make use of this facility define a new rule on the local sensor on the KFSensor administrator machine. The collator service will then distribute this rule to all sensors.
  • The full enterprise configuration must be enabled for this to work.
Common Configuration file
  • To make it easier to set up new sensors with a standard configuration, a separate local configuration file is now created that holds the machine-specific information. This allows the main configuration file to be replaced without losing the machine-specific settings.
