I've been a huge fan of KFSensor for many years. It has been at the top of the honeypot class for nearly a decade, and I was eager to see how it stacked up to improving competition, notably HoneyPoint Security Server, as well as free open source Honeyd.
Unlike most honeypot solutions, which eventually become neglected, KFSensor has been maintained and updated by creator Tom Wright since it was launched in 2003. It has long been the easiest honeypot program to install, with the most elegant and fuss-free GUI, and its feature set established the gold standard that other honeypot programs had to match. KFSensor is still the gold standard.
I reviewed the latest version, KFSensor Professional 4.7.0. Installation was as simple as downloading the install file, executing, and choosing Next, Next, Next. The installation routine even prompts you to accept or download WinPcap, which allows KFSensor to capture and display attacks with packet-level detail. KFSensor is a Windows-only program.
There are three main KFSensor versions: Standard, Professional, and Enterprise. You can compare features of the different KFSensor versions at the KeyFocus website. The Enterprise version includes a centralized management console and other features that make managing multiple honeypots across a larger enterprise easier to do. You can download a free trial version of KFSensor Professional. All versions can be installed as a user-mode program or system service.
KFSensor ports and services
KFSensor is formed around the concept of "scenarios," or listening port collections. You can define one or more scenarios to listen on one or more ports and services. For example, you could create a scenario to listen on all TCP and UDP ports (and ICMP traffic), maximizing the potential to detect remote probes. Another scenario might simulate a MySQL database server or IIS Web server. Administrators can easily define scenarios and quickly switch between them, although only one scenario per sensor can be active at a time.
A basic default scenario (called Main Scenario) is provided for new users, which helps to get new installs up and running quickly:
In addition, the user is allowed to make general category selections, which affect the ports and services activated:
By default, the KFSensor GUI shows only probed ports, with recently probed ports bolded (all of this is user configurable). Ports with a line struck through them are inactive because of an underlying host binding. Each activity alert can be assigned a different criticality and different response action.
KFSensor rules and signatures
By clicking on a specific port or service in the left pane of the KFSensor GUI, you can filter the activity log in the right pane and zero in on related events:
Each event message has all the detail you could ever want, including IP, plaintext data, and packet detailed information. One of the features I love the most is the ability to create, with one click, either a Visitor Rule or an IDS Event Signature from any reported probe event. A Visitor Rule allows administrators to set severity and simulation levels on a per-event, per-visitor, and per-port basis, and to quickly filter out unnecessary data:
IDS Event Signatures allow an administrator to turn any captured probe into a new, detailed, Snort-formed, intrusion detection signature. Signatures can easily be imported into KFSensor, as well as into Snort and other compatible intrusion detection systems. KFSensor comes with hundreds of built-in signatures, and it's easy to import more.