Kaspersky CyberTrace
The JSA DSM for Kaspersky CyberTrace collects events from the Kaspersky Feed Service.
To integrate Kaspersky CyberTrace with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs onto your JSA Console:
   - DSM Common RPM
   - Kaspersky CyberTrace DSM RPM
2. Install Kaspersky CyberTrace and configure Feed Service during the installation.
3. Integrate Kaspersky CyberTrace with JSA.
4. Configure JSA to forward events to Kaspersky CyberTrace.
5. Complete one of the following options:
   - Complete the verification test.
   - Install the Kaspersky Threat Feed App for JSA.
If JSA does not automatically detect the log source, add a Kaspersky CyberTrace log source on the desired event collector. The following table describes the parameters that require specific values for Kaspersky CyberTrace event collection.
Note: Clear the Coalescing Events check box when you configure the log source.

Table 1: Kaspersky CyberTrace Log Source Parameters

Parameter | Value
---|---
Log Source type | Kaspersky CyberTrace
Protocol Configuration | Syslog
Log Source Identifier | KL_Threat_Feed_Service_V2
If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.
Configuring Kaspersky CyberTrace Appliances to Communicate with JSA
To enable Kaspersky CyberTrace to communicate with JSA, install and configure the Threat Feed Service on a device.
Before you install Kaspersky CyberTrace on a device, ensure that the device meets the hardware and software requirements, which are specified in the Kaspersky CyberTrace documentation.
You can install CyberTrace by using one of the following installation methods:
- RPM installation: Run the run.sh installation script, which installs the RPM package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.
- DEB installation: Used on Linux systems that are based on Debian. Run the run.sh installation script, which installs the DEB package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.
- TGZ installation: Manually unpack the TGZ archive to the /opt/kaspersky/ktfs directory, create symbolic links to the configuration files and startup scripts, and register Feed Service in crontab. Then run the configurator binary file manually and accept the End User License Agreement. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.
Install CyberTrace by using the RPM/DEB method:
1. Unpack the distribution kit contents to any directory on your system. The RPM/DEB package, installation script, and documentation are unpacked to this directory.
2. Run the run.sh installation script. The installation script installs the RPM/DEB package, adds Feed Service to the list of services by using chkconfig or systemd, and then creates a cron job to update feeds every 30 minutes. Feed Service starts automatically on system boot. After the RPM/DEB package is installed, the installation script automatically runs the configurator wizard. To accept the End User License Agreement, type Yes. Use the PgUp and PgDn keys to navigate. Press q to quit.
3. Specify the path to the certificate.
   - If you want to use a demo certificate, press Enter.
   - If you have a certificate for commercial feeds, specify the full path to it, and then press Enter.
   Note: The certificate must be in PEM format. The user who runs the configurator binary file must have read permission for this file. The configurator creates a copy of the certificate file and stores it in a different directory. If you want to replace the certificate file, you must run the configurator again.
4. Specify the proxy server settings by following the instructions. The specified proxy credentials are stored in encrypted form.
   To remove the specified proxy settings and stop using a proxy, you must manually delete the ProxySettings element and all nested elements from the Feed Utility configuration files.
5. Specify the feeds that you want to use. The configurator obtains a list of the feeds that are available for the certificate that you specified in Step 3.
6. Specify the connection parameters. The configurator automatically checks whether the specified connection parameters are correct. For example, it checks that the SIEM software is present at the address and port for outbound events.
   The IP address must consist of four decimal octets that are separated by dots. For example, 192.0.2.254 is a valid IP address.
   The following connection parameters are included:
   - IP address and port for incoming events: Feed Service listens on the specified address and port for incoming events.
   - JSA connection string: Feed Service sends outbound events to the specified IP address and port or UNIX socket.
After the installation is complete, you can change these settings by using CyberTrace Web. See the product online help for details.
Completing the Verification Test
The verification test is a procedure that checks the capabilities of Kaspersky CyberTrace and confirms that the integration is correct.
During this test you check whether events from JSA are received by Feed Service, whether events from Feed Service are received by JSA, and whether Feed Service parses events correctly by using the regular expressions.
The verification test file contains a set of events with URLs, IP addresses, and hashes. It is located in the ./verification directory of the distribution kit and is named kl_verification_test.txt.
1. Start Feed Service. For example: /etc/init.d/kl_feed_service start
2. Ensure that the KL_Verification_Tool log source is added to JSA and that routing rules are set so that events from KL_Verification_Tool are sent to Feed Service.
3. Log in to the JSA Console.
4. Click Admin > Add Filter.
5. From the Parameter list, select Log Source.
6. From the Operator list, select Equals.
7. From the Log Source list, in the Value group, select the required service name.
8. From the View list, select Real Time to clear the filter area. You can now browse the information about the service events.
9. In the Connection element of the Log Scanner configuration file ./log_scanner/log_scanner.conf, specify the IPv4 address and port of your JSA Event Collector.
10. Run Log Scanner to send the kl_verification_test.txt file to JSA: ./log_scanner -p ../verification/kl_verification_test.txt
The expected results that JSA displays depend on the feeds that you use. The following table shows the verification results.

Table 2: Verification Test Results

Feed used | Detected objects
---|---
Malicious URL Data Feed | http://badb86360457963b90faac9ae17578ed.com and many others, such as kaspersky.com/test/wmuf
Phishing URL Data Feed | 
Botnet CnC URL Data Feed | 
IP Reputation Data Feed | 192.0.2.0, 192.0.2.3
Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF, 44D88612FEA8A8F36DE82E1278ABB02F (the EICAR standard anti-virus test file), C912705B4BBB14EC7E78FA8B370532C9
Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1
Mobile Botnet Data Feed | 001F6251169E6916C455495050A3FB8D (MD5 hash), sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask)
P-SMS Trojan Data Feed | FFAD85C453F0F29404491D8DAF0C646E (MD5 hash)
Demo Botnet CnC URL Data Feed | 
Demo IP Reputation Data Feed | 192.0.2.1, 192.0.2.3
Demo Malicious Hash Data Feed | 776735A8CA96DB15B422879DA599F474, FEAF2058298C1E174C2B79AFFC7CF4DF, 44D88612FEA8A8F36DE82E1278ABB02F
Configuring JSA to forward events to Kaspersky CyberTrace
To have the Threat Feed Service check events that arrive in JSA, you must configure JSA to forward events to the Threat Feed Service.
1. Log in to the JSA Console UI.
2. Click the Admin tab, and then select System Configuration > Forwarding Destinations.
3. In the Forwarding Destinations window, click Add.
4. In the Forwarding Destination Properties pane, configure the forwarding destination properties.

Table 3: Forwarding Destination Parameters

Parameter | Value
---|---
Name | An identifier for the destination. For example, KL_Threat_Feed_Service_V2
Destination Address | IP address of the host that runs the Threat Feed Service.
Event Format | JSON
Destination Port | The port that is specified in kl_feed_service.conf under InputSetting > ConnectionString. The default value is 9995.
Protocol | TCP
Profile | Default profile

5. Click Save.
6. Click the Admin tab, and then select System Configuration > Routing Rule.
7. In the Routing Rules window, click Add.
8. In the Routing Rules window, configure the routing rule parameters.

Table 4: Routing Rules Parameters

Parameter | Value
---|---
Name | An identifier for the rule. For example, KL_Threat_Feed_Service_V2
Description | A description for the routing rule that you are creating.
Mode | Online
Forwarding Event Collector | Select the event collector that forwards events to the Threat Feed Service.
Data Source | Events
Event Filters | Create a filter for the events that are to be forwarded to the Threat Feed Service. For maximum Threat Feed Service performance, forward only events that contain a URL or hash.
Routing Options | Enable Forward, and then select the forwarding destination that you created.

9. Click Save.
Kaspersky CyberTrace DSM Specifications
The following table describes the specifications for the Kaspersky CyberTrace DSM.

Specification | Value
---|---
Manufacturer | Kaspersky Lab
DSM name | Kaspersky CyberTrace
RPM file name | DSM-Kaspersky CyberTrace-JSA_version-build_number.noarch.rpm
Supported versions | 2.0
Protocol | Syslog
Event format | LEEF
Recorded event types | Detect, Status, Evaluation
Automatically discovered? | Yes
Includes custom properties? | No
Includes identity? | No
More information | 
Kaspersky CyberTrace Sample Event Message
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
The following table shows a sample event message when the syslog protocol is used for the Kaspersky CyberTrace DSM:

Event name | Low level category
---|---
KL_Mobile_BotnetCnc_URL | Botnet address

Sample log message:
Jul 10 10:10:14 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|%DATE% KL_Threat_Feed_Service_v2 LEEF:1.0|KasperskyLab|Threat Feed Service|2.0|%EVENT%|%CONTEXT%|2.0|KL_Mobile_BotnetCnc_URL|url=example.com/xxxxxxxxxxxxxxxx/xxx md5=- sha1=- sha256=- usrName=TestUser mask=xxxxxxxxxxxx.xxxx type=2 first_seen=04.01.2016 16:40 last_seen=27.01.2016 10:46 popularity=5
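As an added example (not Kaspersky's or Juniper's code), the following Python parses a constructed event in the LEEF shape shown above into the header fields that a DSM maps (vendor, product, event ID) and the key=value extension, and picks out the indicator fields that actually carry a value. The sample line is constructed from the page's format; the field names and the "-" convention for unused hash fields are taken from that sample, and everything else is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the page's KL_Mobile_BotnetCnc_URL event
# (syslog header, then a LEEF:1.0 record); not a captured event.
SAMPLE_EVENT = (
    "Jul 10 10:10:14 KL_Threat_Feed_Service_v2 "
    "LEEF:1.0|KasperskyLab|Threat Feed Service|2.0|KL_Mobile_BotnetCnc_URL|"
    "url=example.com/xxxxxxxxxxxxxxxx/xxx md5=- sha1=- sha256=- usrName=TestUser "
    "mask=xxxxxxxxxxxx.xxxx type=2 first_seen=04.01.2016 16:40 "
    "last_seen=27.01.2016 10:46 popularity=5"
)
HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")
INDICATOR_KEYS = ("url", "md5", "sha1", "sha256")


@dataclass
class LeefEvent:
    source_host: str  # syslog host token, the value JSA compares with the Log Source Identifier
    header: dict      # the five pipe-separated LEEF header fields
    extension: dict   # key=value attributes that follow the header


def parse_leef(line: str) -> LeefEvent:
    """Split a syslog line that carries a LEEF:1.0 record into header and extension."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    prefix = line[:start].split()
    # The LEEF header has exactly five fields, so split on at most five pipes;
    # everything after the fifth pipe is the extension.
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    header = dict(zip(HEADER_FIELDS, [parts[0][len("LEEF:"):], *parts[1:5]]))
    # CyberTrace separates attributes with spaces, yet some values contain spaces
    # (first_seen=04.01.2016 16:40), so split only on whitespace followed by key=.
    extension = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[5].strip()):
        key, sep, value = pair.partition("=")  # first '=' only; URLs may carry ?a=b
        if sep:
            extension[key] = value
    return LeefEvent(prefix[-1] if prefix else "", header, extension)


def detected_indicators(event: LeefEvent) -> dict:
    # CyberTrace writes '-' for indicator fields the feed did not match; drop them.
    return {k: v for k, v in event.extension.items()
            if k in INDICATOR_KEYS and v not in ("", "-")}
```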