Using an idiot-proof tool to play "black eats black" (hacker versus hacker) ------- KFSENSOR (IDS) Introduction

Source: Internet
Author: User

Original: demonalex

EMAIL: demonalex@163.com

QQ: 17627441

 

This article introduces a shareware IDS + HONEYPOT program named KFSENSOR.

It is a very powerful IDS; unfortunately it is only available as shareware .................:(

If you find any mistakes in this article, contact me by EMAIL or go to http://dark2s.org/bbs/leoboard.cgi to post your suggestions and comments :)

---------------------------------------------------------------------------------------------

Once again, let me repeat some basic concepts for everyone! (MASTERs can skip this :P)

IDS: an Intrusion Detection System monitors a network or operating system for suspicious behaviour, records it, responds in a timely manner (for example by cutting off the source of the intrusion) and notifies the administrator through various channels. It is a reasonable supplement to the firewall, not a replacement for it: it extends the administrator's security management capabilities (security auditing, monitoring, attack identification and response) and improves the integrity of the information security infrastructure. It is often called the second gate after the firewall. It can monitor the network without affecting network performance, providing real-time protection against internal attacks, external attacks and misoperation. It plays an irreplaceable role in network security technology and is an important part of a layered defence.

HONEYPOT: a honeypot is a system deliberately built to look vulnerable. It serves no production purpose, so any connection to it is suspect; it is used to alert the administrator to intruders and to lure and deceive them.

----------------------------------------------------------------------------------------------

Advantages of KFSENSOR:

1) Accuracy. Firewalls and other IDSs are often "fooled" by "legitimate" network traffic and so their RULEs "misfire". KFSENSOR does not have to decide which connections are legitimate and which are not: nothing legitimate should be talking to the honeypot, so every connection it sees is suspicious.

2) Low cost. While under attack, KFSENSOR "deceives" the attacker by faking the attacked service, using only a small amount of processing time and network resources. Installed on your computer it does not affect the normal operation of other programs and needs no additional hardware.

3) Easy to use. You will notice this as soon as you use KFSENSOR. Its configuration and operation are straightforward: read the instructions, adjust the settings, and it is ready to run.

4) Real-time detection. As long as the program is running, attack reports and analysis results are produced within a short time.

5) Detects unknown attacks. Unlike other products, KFSENSOR does not rely on a database of known attack patterns for detection; because any interaction with the honeypot is suspect, it also picks up new types of attack.

6) An additional "layer". KFSENSOR complements other security products and provides an additional level of security.

7) Central management. A single administrator can monitor and manage the HONEYPOT sensors of the entire organisation through configuration.
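The advantages listed above (no signature database, every connection is suspect, a cheap fake service that records what the visitor does) can be seen in a few dozen lines. The following is an added example in Python written for this article; it is not KFSensor's own code. It is a minimal TCP honeypot that plays a canned banner (the "Sim server"), records everything the visitor sends, enforces a data limit, and turns each connection into one event record using the field names that KFSensor's event window shows. The severity scale, the FTP banner and the exact field names are assumptions made for the example; run_demo() plays both the sensor and the visitor on loopback so the whole thing runs offline.

```python
import socket
import threading
from datetime import datetime, timezone


def severity_for(received, limit_exceeded):
    """Assumed severity scale (the page does not define KFSensor's own):
    Low = bare connect (port probe), Medium = data sent, High = flood past the limit."""
    if limit_exceeded:
        return "High"
    return "Medium" if received else "Low"


class MiniHoneypot:
    """One-thread TCP honeypot: every connection gets the fake banner, everything
    the visitor sends is recorded, and the connection becomes one event record."""

    def __init__(self, banner, limit=4096, sim_server="generic", bind_ip="127.0.0.1"):
        self.banner = banner            # bytes played to every visitor on connect
        self.limit = limit              # max bytes kept before the sensor drops the visitor
        self.sim_server = sim_server    # name of the simulated service (appears in the event)
        self.bind_ip = bind_ip
        self.events = []
        self._next_id = 1
        self._stop = threading.Event()
        self._listener = None
        self._thread = None

    def start(self):
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind((self.bind_ip, 0))      # port 0: let the OS pick a free port
        self._listener.listen(5)
        self._listener.settimeout(0.2)              # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()
        return self._listener.getsockname()[1]

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=5)
        self._listener.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, visitor = self._listener.accept()
            except socket.timeout:
                continue
            with conn:
                self._handle(conn, visitor)

    def _handle(self, conn, visitor):
        start = datetime.now(timezone.utc)
        conn.settimeout(3.0)
        received, closed_by, limit_exceeded = b"", "Visitor", False
        try:
            conn.sendall(self.banner)                # the "Sim server" banner
            while True:
                chunk = conn.recv(1024)
                if not chunk:                        # visitor closed the connection
                    break
                received += chunk
                if len(received) > self.limit:       # sensor closes: "Limit Exceeded"
                    limit_exceeded, closed_by = True, "Sensor"
                    received = received[: self.limit]
                    break
        except socket.timeout:
            closed_by = "Sensor (idle timeout)"
        except OSError:
            closed_by = "Visitor (reset)"
        sensor_ip, sensor_port = conn.getsockname()
        self.events.append({
            "Event ID": self._next_id,
            "Start time": start.isoformat(),
            "End time": datetime.now(timezone.utc).isoformat(),
            "Type": "TCP connection",
            "Description": f"visitor talked to simulated {self.sim_server} on port {sensor_port}",
            "Severity": severity_for(received, limit_exceeded),
            "Visitor IP": visitor[0], "Visitor port": visitor[1],
            "Sensor IP": sensor_ip, "Sensor port": sensor_port, "Bound": self.bind_ip,
            "Protocol": "TCP", "Action": "Sim server", "Sim server": self.sim_server,
            "Closed by": closed_by, "Limit exceeded": limit_exceeded,
            "Received": received, "Response": self.banner,
        })
        self._next_id += 1


def run_demo(banner, limit, payload):
    """Start a honeypot on loopback, play the visitor once, return the event recorded."""
    hp = MiniHoneypot(banner=banner, limit=limit, sim_server="FTP")
    port = hp.start()
    with socket.create_connection(("127.0.0.1", port), timeout=3) as visitor:
        visitor.recv(1024)                           # read the fake banner
        try:
            visitor.sendall(payload)
        except OSError:
            pass                                     # sensor already dropped us
    hp.stop()
    return hp.events[0]


if __name__ == "__main__":
    event = run_demo(b"220 ftp.example.test FTP server ready\r\n", 64, b"USER anonymous\r\n")
    for field, value in event.items():
        print(f"{field:>15}: {value!r}")
```

Note what is absent: there is no list of attack signatures anywhere. The visitor is recorded because it connected at all, which is exactly why a honeypot catches attacks nobody has written a rule for yet, and also why it must be bound to an address and ports that no legitimate client is expected to use.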

----------------------------------------------------------------------------------------------

Company homepage: http://www.keyfocus.net/

Supported environments: Windows 2000, XP, Windows Server 2003, Windows 98, ME

UPDATE: http://www.keyfocus.net/kfsensor/download/hhupd.exe

Download: http://www.keyfocus.net/kfsensor/download/kfsens10.exe

Lab environment: PWIN2000PRO + kfsensor ver 1.1.0

Note: this is the shareware version, so it has the following "drawbacks": once installed, it can only be used for 30 days, after which it must be UNINSTALLed and reinstalled. On WIN98 & WINME it is recommended not to let the main process open more than 20 ports.

----------------------------------------------------------------------------------------------

TOOLBAR: (to show the TOOLBAR: "VIEW" --- "TOOLBAR")

The first item on the toolbar (the red icon) switches the display to PORTS (port view).

The second item switches the display to VISITORS (visitor view).

The third item starts the HONEYPOT,

the fourth item stops the HONEYPOT, and the last item restarts the HONEYPOT.

----------------------------------------------------------------------------------------------

Menu bar: the menu bar has four menus: "FILE", "VIEW", "Scenario", and "HELP".

"FILE ":

The first item under "FILE" is "Export", which has two forms: "Export event list" and "Export selected event". "Export event list" only does something once the HONEYPOT has recorded at least one intrusion event (that is, once somebody has connected to you); it exports all events. For "Export selected event" you must first click an event in the right-hand window to select it; the exported file then contains only the details of that one event. Both exports are saved as XML text, which you can read with any ASCII editor (Notepad, etc.) or any other tool that opens XML.

The next item is "SERVICE". Its first three sub-items do the same as the last three toolbar buttons (start, stop and restart the HONEYPOT). The last two sub-items are there for convenience: "register KFSENSOR as a SYSTEM service" and "remove this service".

The last two items are "CLOSE" and "EXIT" (PS: aren't they the same???). They are not: "CLOSE" closes the desktop program window but the program keeps running, while "EXIT" really exits the program.

 

"VIEW ":

The first item in "VIEW" is "Event Details...". You need to click an 'event' in the right window to be hit. In fact, its operation is the same as double-clicking an 'event' in the right window. It is used to understand the intrusion of an event.

For example.

EVENT section:

Start time ------------- time the behaviour started

End time -------------- time the behaviour stopped

Event ID --------------- event ID

TYPE ------------------ connection type

DESCRIPTION --- detailed description of the event

SEVERITY ------- event severity

 

VISITOR section:

IP ---------------------- intruder's IP address

PORT ---------------- source PORT used by the intruder

DOMAIN ------------ host name of the intruder's machine

 

SENSOR section:

IP --------------------- IP address of the sensor (your machine)

PORT --------------- sensor PORT the intruder connected to

BOUND ------------ IP address the sensor is BOUND to

PROTOCOL ----- PROTOCOL type

ACTION ----------- ACTION the sensor took on this event

Sim server -------- the simulated (pre-configured) SERVER BANNER presented to the intruder

 

DETAILS section:

Closed by ------ which side closed the connection

Limit Exceeded --- whether the connection exceeded the configured data limit

RECEIVED --------- data sent by the intruder and RECEIVED by the sensor

RESPONSE ------- data sent by the sensor and received by the intruder

"EXPAND" button ------------ EXPANDs the view (after expansion several display formats can be chosen in the 'format' column)

"NEXT" button --------------- details of the event with the NEXT ID

"PREVIOUS" button -------- details of the event with the previous ID (need I say more?! :P)

 

Next we introduce the "PORTS" and "VISITORS" display modes under "VIEW".

"PORTS" and "VISITORS" correspond to the two display modes on the toolbar. The "PORTS" mode is more intuitive, roughly like the port view of other firewalls. In "VISITORS" mode the names and IP addresses of the intruders are listed in the left-hand window; after you click one, the right-hand window shows what that intruder did and how the sensor responded.

"Load events..." reads in the events from a given period of time.

"Hide event" hides events; the same options are also available from the right-click menu.
