Kaspersky CyberTrace

 

JSA DSM for Kaspersky CyberTrace collects events from Kaspersky Feed Service.

To integrate Kaspersky CyberTrace with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs onto your JSA Console:
    • DSM Common RPM

    • Kaspersky CyberTrace DSM RPM

  2. Install Kaspersky CyberTrace and configure Feed Service during the installation.
  3. Integrate Kaspersky CyberTrace with JSA.
    1. Configure forwarding events from JSA to Kaspersky CyberTrace.

    2. Complete one of the following options.

      • Complete the verification test.

      • Install the Kaspersky Threat Feed App for JSA.

  4. If JSA does not automatically detect the log source, add a Kaspersky CyberTrace log source on the desired event collector. The following table describes the parameters that require specific values for Kaspersky CyberTrace event collection.

    Note

    You must clear the Coalescing Events check box when you configure the log source. With coalescing enabled, JSA folds separate detections that share the same source, destination, user name, and event type into one event, and individual indicator hits are lost.

    Table 1: Kaspersky CyberTrace Log Source Parameters

    Parameter                Value
    Log Source type          Kaspersky CyberTrace
    Protocol Configuration   Syslog
    Log Source Identifier    KL_Threat_Feed_Service_V2

    If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring Kaspersky CyberTrace Appliances to Communicate with JSA

To enable Kaspersky CyberTrace to communicate with JSA, install and configure the Threat Feed Service on a device.

Before you install Kaspersky CyberTrace on a device, ensure that your device meets the hardware and software requirements. The requirements are specified in the Kaspersky CyberTrace documentation.

RPM installation - For this installation you must run the run.sh installation script, which installs the RPM package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.

DEB installation - The DEB installation is used on Linux systems that are based on Debian Linux. For this installation you must run the run.sh installation script, which installs the DEB package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.

TGZ installation - For this installation, you manually unpack the TGZ archive to the /opt/kaspersky/ktfs directory, create symbolic links to the configuration files and startup scripts, and register Feed Service in crontab. Then, you must manually run the configurator binary file and accept the End User License Agreement. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.

You can install CyberTrace by using one of the following installation methods.

  1. Install CyberTrace by using the RPM/DEB method.
    1. Unpack the distribution kit contents to any directory on your system. The RPM/DEB package, the installation script, and the documentation are unpacked to this directory.

    2. Run the run.sh installation script. The installation script installs the RPM/DEB package, adds Feed Service to the list of services by using chkconfig or systemd, and then creates a cron job to update feeds every 30 minutes. Feed Service starts automatically on system boot.

      After the RPM/DEB package is installed, the installation script automatically runs the configurator wizard.

  2. To accept the End User License Agreement, type Yes. Use the PgUp and PgDn keys to scroll through the agreement text, and press q to leave the viewer.
  3. Specify the path to the certificate.
    • If you want to use a demo certificate, press Enter.

    • If you have a certificate for commercial feeds, specify the full path to it, and then press Enter.

    Note

    The certificate must be in PEM format. The user who runs the configurator binary file must have read permissions for this file. The configurator creates a copy of the certificate file and stores it in a different directory. If you want to replace the certificate file, you must run the configurator again.

  4. Specify the proxy server settings by following the instructions. The specified proxy credentials are stored in encrypted form.

    To remove the specified proxy settings and stop using a proxy, you must manually delete the ProxySettings element and all nested elements from the Feed Utility configuration files.

  5. Specify the feeds that you want to use. The configurator obtains a list of feeds that are available for the certificate that you specified in Step 3.
  6. Specify the connection parameters. The configurator automatically checks whether the specified connection parameters are correct. For example, it checks that the SIEM software is listening at the address and port that you specify for outbound events.

    The IP address must be an IPv4 address written as four decimal octets separated by dots. For example, 192.0.2.254 is a valid IP address.

    The following connection parameters are included:

    IP address and port for incoming events - Feed Service listens on the specified address and port for incoming events.

    JSA connection string - Feed Service sends outbound events to the specified IP address and port or UNIX socket.

  7. After the installation is complete, you can change the settings by using CyberTrace Web. See the product online help for details.

Completing the Verification Test

The verification test is a procedure that is used to check the capabilities of Kaspersky CyberTrace and to confirm the accuracy of the integration.

During this test you check whether events from JSA are received by Feed Service, whether events from Feed Service are received by JSA, and whether Feed Service correctly parses events by using its regular expressions.

The verification test file is a file that contains a set of events with URLs, IP addresses, and hashes. This file is located in the ./verification directory in the distribution kit. The name of this file is kl_verification_test.txt.

  1. Start Feed Service, for example with /etc/init.d/kl_feed_service start (or through systemd if the installer registered the service there).
  2. Ensure that the KL_Verification_Tool log source is added to JSA, and routing rules are set in such a way that events from KL_Verification_Tool are sent to Feed Service.
  3. Log in to the JSA Console.
  4. Click the Log Activity tab, and then click Add Filter.
  5. From the Parameter list, select Log Source.
  6. From the Operator list, select Equals.
  7. From the Log Source list, in the Value group, select the required service name.
  8. From the View list, select Real Time. Events that match the filter now stream into the view, and you can inspect the service events as they arrive.
  9. In the Connection element of the Log Scanner configuration file ./log_scanner/log_scanner.conf, specify the IPv4 address and port of your JSA Event Collector.
  10. Run Log Scanner to send the kl_verification_test.txt file to JSA:

    ./log_scanner -p ../verification/kl_verification_test.txt

    The expected results that are displayed by JSA depend on the feeds that you use. The following table lists, for each feed, the objects from the verification test file that the feed detects.

    Table 2: Verification Test Results (feed used, followed by the detected objects)

    Malicious URL Data Feed
      http://fakess123.nu
      http://badb86360457963b90faac9ae17578ed.com, and many others such as kaspersky.com/test/wmuf

    Phishing URL Data Feed
      http://fakess123ap.nu
      http://e77716a952f640b42e4371759a661663.com

    Botnet CnC URL Data Feed
      http://fakess123bn.nu
      http://a7396d61caffe18a4cffbb3b428c9b60.com

    IP Reputation Data Feed
      192.0.2.0
      192.0.2.3

    Malicious Hash Data Feed
      FEAF2058298C1E174C2B79AFFC7CF4DF
      44D88612FEA8A8F36DE82E1278ABB02F (the EICAR standard anti-virus test file)
      C912705B4BBB14EC7E78FA8B370532C9

    Mobile Malicious Hash Data Feed
      60300A92E1D0A55C7FDD360EE40A9DC1

    Mobile Botnet Data Feed
      001F6251169E6916C455495050A3FB8D (MD5 hash)
      sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask)

    P-SMS Trojan Data Feed
      FFAD85C453F0F29404491D8DAF0C646E (MD5 hash)

    Demo Botnet CnC URL Data Feed
      http://5a015004f9fc05290d87e86d69c4b237.com
      http://fakess123bn.nu

    Demo IP Reputation Data Feed
      192.0.2.1
      192.0.2.3

    Demo Malicious Hash Data Feed
      776735A8CA96DB15B422879DA599F474
      FEAF2058298C1E174C2B79AFFC7CF4DF
      44D88612FEA8A8F36DE82E1278ABB02F

Configuring JSA to forward events to Kaspersky CyberTrace

To have the Threat Feed Service check events that arrive in JSA, you must configure JSA to forward events to the Threat Feed Service.

  1. Log in to the JSA Console UI.
  2. Click the Admin tab, and select System Configuration > Forwarding Destinations.
  3. In the Forwarding Destinations window, click Add.
  4. In the Forwarding Destination Properties pane, configure the properties that are listed in Table 3.

    Table 3: Forwarding Destination Parameters

    Parameter             Value
    Name                  An identifier for the destination, for example KL_Threat_Feed_Service_V2
    Destination Address   IP address of the host that runs the Threat Feed Service
    Event Format          JSON
    Destination Port      The port that is specified in kl_feed_service.conf under InputSetting > ConnectionString. The default value is 9995.
    Protocol              TCP
    Profile               Default profile

  5. Click Save.
  6. Click the Admin tab, and then select System Configuration > Routing Rules.
  7. In the Routing Rules window, click Add.
  8. In the Routing Rules window, configure the routing rule parameters that are listed in Table 4.

    Table 4: Routing Rules Parameters

    Parameter                   Value
    Name                        An identifier for the rule, for example KL_Threat_Feed_Service_V2
    Description                 A description of the routing rule that you are creating
    Mode                        Online
    Forwarding Event Collector  The event collector that forwards events to the Threat Feed Service
    Data Source                 Events
    Event Filters               A filter for the events that are forwarded to the Threat Feed Service. To keep the load on the Threat Feed Service down, forward only events that contain a URL or hash. Every forwarded event also leaves JSA as JSON over plain TCP (see Table 3), so a tight filter limits what crosses the wire.
    Routing Options             Enable Forward, and then select the <forwarding destination> that you created

  9. Click Save.

Kaspersky CyberTrace DSM Specifications

The following table describes the specifications for the Kaspersky CyberTrace DSM.

Table 5: Kaspersky CyberTrace DSM Specifications

Specification                 Value
Manufacturer                  Kaspersky Lab
DSM name                      Kaspersky CyberTrace
RPM file name                 DSM-Kaspersky CyberTrace-JSA_version-build_number.noarch.rpm
Supported versions            2.0
Protocol                      Syslog
Event format                  LEEF
Recorded event types          Detect, Status, Evaluation
Automatically discovered?     Yes
Includes custom properties?   No
Includes identity?            No
More information              Kaspersky website

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table shows a sample event message when using the syslog protocol for the Kaspersky CyberTrace DSM:

Table 6: Kaspersky CyberTrace Sample Message Supported by the Kaspersky CyberTrace DSM

Event name: KL_Mobile_BotnetCnc_URL

Low level category: Botnet address

Feed Service output format that produces the message: %DATE% KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|%EVENT%|%CONTEXT%

Sample log message:

Jul 10 10:10:14 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|KL_Mobile_BotnetCnc_URL|url=example.com/xxxxxxxxxxxxxxxx/xxx md5=- sha1=- sha256=- usrName=TestUser mask=xxxxxxxxxxxx.xxxx type=2 first_seen=04.01.2016 16:40 last_seen=27.01.2016 10:46 popularity=5

Jul 10 10:10:14 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|%DATE% KL_Threat_Feed _Service_v2 LEEF:1.0| Kaspe rskyLab|Threat Feed Servi ce|2.0|%EVENT%|%CONTEXT % |2.0|KL_Mobile_ BotnetCnc_URL| url=example.com/ xxxxxxxxxxxxxxxx/xxx md5=- sha1=- sha256=- usrName= TestUser mask= xxxxxxxxxxxx.xxxx type=2 first_seen=04.01.2016 16:40 last_seen=27.01.2016 10:46 popularity=5