Longtime best-of-breed intrusion detection solution remains feature-rich, easy to use, and actively maintained

I’ve been a huge fan of KFSensor for many years. It has been at the top of the honeypot class for nearly a decade, and I was eager to see how it stacked up against improving competition, notably HoneyPoint Security Server and the free, open source Honeyd. Unlike most honeypot solutions, which are eventually neglected, KFSensor has been maintained and updated by its creator, Tom Wright, since it launched in 2003. It has long been the easiest honeypot program to install, with the most elegant and fuss-free GUI, and its feature set established the gold standard that other honeypot programs had to match. KFSensor is still the gold standard.

I reviewed the latest version, KFSensor Professional 4.7.0. Installation was as simple as downloading the installer, running it, and clicking Next, Next, Next. The installation routine even prompts you to accept or download WinPcap, which lets KFSensor capture and display attacks with packet-level detail. KFSensor is a Windows-only program.

There are three main KFSensor versions: Standard, Professional, and Enterprise. You can compare their features at the KeyFocus website. The Enterprise version adds a centralized management console and other features that make managing multiple honeypots across a larger enterprise easier. A free trial of KFSensor Professional is available for download. All versions can be installed as a user-mode program or as a system service.

KFSensor ports and services

KFSensor is built around the concept of “scenarios,” or collections of listening ports. You can define one or more scenarios, each listening on one or more ports and services. For example, you could create a scenario that listens on all TCP and UDP ports (and for ICMP traffic) to maximize the chance of detecting remote probes. Another scenario might simulate a MySQL database server or an IIS Web server.
Administrators can easily define scenarios and quickly switch between them, although only one scenario per sensor can be active at a time.

Test Center Scorecard: KeyFocus KFSensor 4.7.0
Category weights: 35% / 25% / 20% / 20%
Category scores: 10 / 7 / 9 / 9
Overall score: 8.9 (Very Good)

A basic default scenario, called Main Scenario, is provided for new users and helps get new installs up and running quickly. In addition, the user can make general category selections, which determine which ports and services are activated.

By default, the KFSensor GUI shows only probed ports, with recently probed ports in bold (all of this is user configurable). Ports with a line struck through them are inactive because another process on the host is already bound to them. Each activity alert can be assigned a different criticality and a different response action.

Each simulated service and port can be configured as a Sim Banner, which merely answers probes with some fixed text or binary data (and no real interaction), or as a Sim Standard Server, which supports minimal to basic interaction. Some Sim Standard Servers are sophisticated enough to convince probing users that they have logged on to a real service. KFSensor is the only honeypot software that has kept pace with the latest OS and application versions. For example, KFSensor can mimic IIS 6, 7.0, and 7.5, as well as Apache, and it preserves the basic differences among these Web servers.

A few Sim Standard Servers go even further. For example, the SMTP service can be configured as a proxy to a real SMTP server, with a configurable limit on the number of relayed messages. This is a great feature because it lets spammers and spambots send the few test messages they use to confirm that an open relay is real and working, while the relay limit keeps the honeypot from becoming a useful spam relay. KFSensor’s NetBIOS emulation permits the administrator to configure a host of fake NetBIOS-responding workstations and other realistic responses. No other honeypot program goes this extra mile with NetBIOS. But most of the Sim Standard Servers are quite limited.
Beyond providing basic header information, much like a Sim Banner, they can exchange only basic control information. Most admins wishing to provide full interaction to probers will want to configure KFSensor to relay the requests to a real server, while KFSensor captures the activity and alerts as needed.

KFSensor rules and signatures

By clicking on a specific port or service in the left pane of the KFSensor GUI, you can filter the activity log in the right pane and zero in on related events. Each event message has all the detail you could ever want, including the IP address, the plaintext data, and packet-level detail.

One of the features I love the most is the ability to create, with one click, either a Visitor Rule or an IDS Event Signature from any reported probe event. A Visitor Rule lets administrators set severity and simulation levels on a per-event, per-visitor, and per-port basis, and quickly filter out unnecessary data. IDS Event Signatures let an administrator turn any captured probe into a new, detailed, Snort-format intrusion detection signature. Signatures can easily be imported into KFSensor, as well as into Snort and other compatible intrusion detection systems. KFSensor comes with hundreds of built-in signatures, and it’s easy to import more.

Each event can be ranked by severity and can trigger various actions, including ignore, alert, and database logging. Alerting and logging can go to the local console, a centralized console, email, syslog, the Windows event log, or local or remote databases and programs.

KFSensor’s one huge hole is the absence of built-in reports. If KFSensor offered even a few useful reports, it would have earned a solid Excellent (9.0) score instead of just missing it.
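The one-click conversion of a captured probe into a Snort-format signature, described above, is easy to take for granted. The example below is added here and is not KFSensor’s own code; it shows the transformation such a feature has to perform: encode the bytes a probe carried into Snort’s content syntax (escaping the characters Snort treats specially and putting non-printable bytes in hex blocks), anchor the match at the start of the payload, and assign a SID in the local range. The two sample probes (an HTTP request aimed at a CGI path, and the leading bytes of an SNMPv1 message carrying the community “public”) are constructed, not captured, and the $HOME_NET variable and the HONEYPOT message prefix are conventions assumed for the example.

```python
"""Turn a probe captured on a honeypot port into a Snort-format rule.

Added example, not KFSensor's own code: it illustrates the transformation a
"captured probe -> IDS signature" feature has to perform so the result loads
into Snort and compatible engines. The sample probes below are constructed.
"""
from dataclasses import dataclass

MAX_CONTENT = 64            # bytes of payload to match; enough to fingerprint a probe
LOCAL_SID_MIN = 1_000_000   # Snort reserves lower SIDs for distributed rule sets

# Printable characters that must be backslash-escaped inside a content string.
_ESCAPE = {ord(";"), ord('"'), ord("\\")}


def snort_content(payload: bytes) -> str:
    """Encode bytes as a Snort content argument, mixing text and |hex| runs.

    Printable ASCII stays readable; ';', '"' and '\\' get a backslash; the
    hex delimiter '|' and every non-printable byte go into |xx xx| blocks.
    """
    parts: list[str] = []
    text: list[str] = []
    hexrun: list[str] = []

    def flush() -> None:
        # Only one of the two buffers is ever non-empty at a time.
        if text:
            parts.append("".join(text))
            text.clear()
        if hexrun:
            parts.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in payload:
        if 0x20 <= b <= 0x7E and b != ord("|"):
            if hexrun:
                flush()
            text.append(("\\" + chr(b)) if b in _ESCAPE else chr(b))
        else:
            if text:
                flush()
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(parts)


@dataclass(frozen=True)
class Probe:
    """What a honeypot logs for one hit: the simulated port and the bytes sent."""
    proto: str        # "tcp" or "udp"
    dst_port: int     # simulated service port that was probed
    payload: bytes    # first bytes the visitor sent
    label: str        # short name for the rule's msg field


def snort_rule(probe: Probe, sid: int, home_net: str = "$HOME_NET") -> str:
    """Render one Snort 2.x-style rule that fires on this probe's leading bytes."""
    if probe.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {probe.proto!r}")
    if sid < LOCAL_SID_MIN:
        raise ValueError(f"local rules need sid >= {LOCAL_SID_MIN}")
    if not probe.payload:
        raise ValueError("empty payload: nothing to match on")
    head = probe.payload[:MAX_CONTENT]
    opts = [f'msg:"HONEYPOT {probe.label} probe on {probe.proto}/{probe.dst_port}"']
    if probe.proto == "tcp":
        opts.append("flow:to_server,established")  # client-to-server half of a real session
    opts += [
        f'content:"{snort_content(head)}"',
        f"depth:{len(head)}",   # search only this far in: the match is anchored at offset 0
        f"sid:{sid}",
        "rev:1",
    ]
    return (f"alert {probe.proto} any any -> {home_net} {probe.dst_port} "
            f"({'; '.join(opts)};)")


def rules_for(probes: list[Probe], first_sid: int = LOCAL_SID_MIN) -> list[str]:
    """Assign consecutive local SIDs and render one rule per probe."""
    return [snort_rule(p, first_sid + i) for i, p in enumerate(probes)]


# Constructed sample probes (not captured traffic). The SNMP bytes are the
# start of an SNMPv1 message: SEQUENCE, INTEGER version 0, OCTET STRING "public";
# 0x30 and 0x26 happen to be printable ("0&") and so stay as text in the rule.
SAMPLE_PROBES = [
    Probe("tcp", 80, b"GET /cgi-bin/test;id HTTP/1.0\r\n\r\n", "HTTP"),
    Probe("udp", 161, b"\x30\x26\x02\x01\x00\x04\x06public", "SNMP"),
]

if __name__ == "__main__":
    for rule in rules_for(SAMPLE_PROBES):
        print(rule)
```

Drop the output into a local.rules file. The depth option keeps the match cheap (Snort stops searching after the payload’s first N bytes), and starting SIDs at 1,000,000 avoids collisions with vendor rule sets. A signature generated this way matches one exact probe; expect variants to slip past it, and keep the generated rule narrow to the honeypot address range rather than any host if false positives on production traffic are a concern.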
KFSensor has so many other useful features (denial-of-service detection and prevention; a scanner-friendly mode that lets legitimate scanners be whitelisted so they don’t trigger KFSensor’s denial-of-service defenses; and more) that it is impossible to describe them all within the limited space of this review. Anyone considering a honeypot, for Linux/Unix as well as Windows environments, should try KFSensor. The easy Windows-based favorite is still the best of the breed.

Read the related articles:
Intrusion detection honeypots simplify network security
HoneyPoint: A honeypot for Windows, Linux, or Mac OS X
Honeyd: The open source honeypot
Honeypots by the features: KFSensor, HoneyPoint, and Honeyd

This story, “KFSensor: Sweet Windows honeypot,” was originally published at InfoWorld.com. Follow the latest developments in network security and read Roger Grimes’ Security Adviser blog at InfoWorld.com.