Feed Utility reads the configuration parameters, feed rules, filtering rules, and parsing rules for feeds from the configuration file. This file is in XML format and has several groups of parameters.
The paths in the configuration file must contain only the characters used in the operating system locale, otherwise Feed Utility will not work.
Feed (feed rules, filtering rules, and parsing rules)
The Feed parameter contains rules for a particular feed. This element has several types of nested parameters:
This parameter has the following attributes:
enabledSpecifies whether Feed Utility must download and process this feed.
If enabled is true, Feed Utility downloads and processes the feed. If enabled is false, Feed Utility skips this feed.
The following example demonstrates how feed rules, filtering rules, and parsing rules are nested in the configuration file.
<Settings> ... <Feeds> ... <Feed enabled="true"> <Name>Malicious_Hash_Data_Feed</Name> <!-- Other feed rules for this feed --> <Filters> <Field name="popularity" value="4;5"/> <!-- Other filtering rules for this feed --> </Filters> </Feed> <Feed> <Name>Botnet_CnC_URL_Data_Feed</Name> <!-- Other feed rules for this feed --> <!-- This feed has no filtering rules --> </Feed> ... </Feeds> ... </Settings> |
FeedsDir
The FeedsDir parameter specifies the directory where Feed Utility puts processed feed files.
WorkDir
The WorkDir parameter specifies the directory where Feed Utility puts the downloaded and unpacked feed files.
If this parameter is not specified, Feed Utility uses the default temporary directory of the operating system.
WorkDir cannot be equal to FeedsDir.
CertFile
The CertFile parameter specifies the path to the certificate file. This certificate is used by Feed Utility to download feeds.
The certificate file must be in PEM format.
SourceIPs
The SourceIPs parameter specifies the IP addresses that are used by Feed Utility to download feeds.
This parameter is optional. If it is omitted or has an empty value, Feed Utility resolves Kaspersky server addresses by their domain names.
You can specify one or more IPv4 addresses in this parameter. To specify several IP addresses, use the semicolon (";") as a delimiter.
The following example demonstrates specifying IP addresses in the SourceIPs parameter.
<SourceIPs>192.0.2.1;192.0.2.2</SourceIPs> |
SourceDomains
The SourceDomains parameter specifies the domain names that are used by Feed Utility to download feeds.
You can specify one or more domain names in this parameter. To specify several domain names, use the semicolon (";") as a delimiter. Feed Utility will attempt to download feeds from the specified domain names in the order they appear in the configuration file.
When SourceDomains and SourceIPs parameters are used together, domains specified in the SourceDomains parameter are used before IP addresses specified in the SourceIPs parameter. If all attempts to download feeds fail, Feed Utility will generate an error message.
You can use Unicode symbols in this parameter.
The following example demonstrates specifying IP addresses in the SourceDomains parameter.
<SourceDomains>updates1.example.com;updates2.example.com</SourceDomains> |
CreateExternalFeedInfoList path="PATH"
This parameter is obsolete. It is ignored in the current version of Kaspersky CyberTrace.
The CreateExternalFeedInfoList parameter specifies whether a list of supported OSINT feeds must be generated. This parameter is mandatory.
If this parameter is 1, Feed Utility creates a list of supported OSINT feeds, osint_feed_list.conf, in a directory specified in the path attribute. If you added any custom or third-party feeds to Kaspersky CyberTrace, Feed Utility also creates a list of these feeds, custom_feed_list.conf, in the same directory as osint_feed_list.conf.
If this parameter is 0, Feed Utility does not create a list of supported OSINT feeds.
The following example demonstrates specifying a path where the list must be created. In this example, the list will be created in a directory where Feed Utility binary is located.
<CreateExternalFeedInfoList path=".">1</CreateExternalFeedInfoList> |
NotifyKTFS path="PATH"
The NotifyKTFS parameter specifies whether Feed Service must be notified about the feed updates.
This parameter can be used only with json output format.
If this parameter is 1, Feed Utility notifies Feed Service that the feeds must be reloaded. A path to the Feed Service binary file must be specified in the path attribute of this parameter.
If this parameter is 0, Feed Utility does not notify Feed Service.
EULA
The EULA parameter specifies whether the terms of the End User License Agreement (EULA) were accepted by a user.
If this value is accepted, the terms of the EULA were accepted.
If this value is rejected, the terms of the EULA were not accepted. In this case, Feed Utility cannot be used.
RetryCount
The RetryCount parameter specifies the number of attempts to download a Kaspersky Threat Data Feed. Feed Utility tries to re-download a feed when a connection timeout, partial downloading, and other errors occur.
If the specified number of attempts were unsuccessful, Feed Utility displays an error message and continues its operation.
This parameter is used only for Kaspersky Threat Data Feeds. OSINT feeds and other custom feeds will not be re-downloaded by Feed Utility.
This parameter is optional. If this parameter is not specified, Feed Utility uses the default value of 10.
If this parameter is 0, the number of attempts is not limited.
SequentialDownload
The SequentialDownload parameter specifies whether Feed Utility must download feeds in sequential or parallel mode.
If this value is 1 or true, Feed Utility downloads feeds in sequential mode, one by one.
If this value is 0 or false, Feed Utility downloads feeds in parallel mode, all feeds at the same time.
By default, this parameter has the value of 0.
OutputFormat
The OutputFormat parameter defines the output format for all feeds. This parameter can have the following values:
jsonThe feeds are in JSON format. The feed files have a .json extension.
This is the default value. If the OutputFormat parameter is omitted, this value is used to define the output format.
txtThe feeds are in plain text format (UTF-8 with BOM). The feed files have a .txt extension.
delimiter attributeIn this format, record fields are separated with a delimiter. The default delimiter is ";". To specify a custom delimiter, use the delimiter attribute as follows:
<OutputFormat delimiter="%delimiter%">txt</OutputFormat>
Here, substitute %delimiter% with a symbol that must be used as a delimiter.
indicatorPerLine attributeTo output one record field per line, set the indicatorPerLine attribute to 1 as follows:
<OutputFormat indicatorPerLine="1">txt</OutputFormat>
If you use this attribute, subfields specified in the RequiredFields feed rule must have the same parent field. For example, "files/MD5;files/SHA1" is valid, while "files/MD5;whois/domain" is invalid and will result in an error.
If this output format is specified, all feed rules in the configuration file must include a RequiredFields parameter. The RequiredFields parameter specifies the order in which the fields are written to the output feed.
csvSame as txt. The feed files have a .csv extension.
You can use delimiter and indicatorPerLine attributes.
openiocThe feeds are in OpenIOC format. The feed files have an .ioc extension.
You can specify the version of the OpenIOC format in the version attribute: it can be either 1.0, or 1.1. If the attribute is omitted, version 1.1 is used.
Converting feeds to OpenIOC 1.0 format has some restrictions. Phishing URL Data Feed and Malicious URL Data Feed cannot be converted to OpenIOC 1.0 format; an error message is printed instead. For other feeds, only hash and IP address fields are converted. Converting feeds to OpenIOC 1.1 format has no such restrictions.
Feeds in OpenIOC format take significantly more hard drive space than the original feed files.
stixThe feeds will be in STIX™ format. The files will have an .xml extension.
For STIX format, feeds with URL masks must have the type field.
You can specify the version of the STIX format in the version attribute: it can be 1, 2.0 or 2.1. If value 1 is specified, the feed will be in STIX 1.1 format. If the attribute is omitted, value 1 is used.
Feeds in STIX format take significantly more hard drive space than the original feed files.
The following example demonstrates how the OutputFormat parameter is nested in the configuration file.
<Settings> ... <Feeds> <OutputFormat>json</OutputFormat> ... </Feeds> ... </Settings> |
CreateDiff
The CreateDiff parameter specifies whether Feed Utility must create feed diffs. Feed diffs are files that contain differences between the old and new version of a processed feed file. This parameter affects all feeds created by Feed Utility as follows:
0, Feed Utility does not create feed diffs. This is the default value.1, Feed Utility creates feed diffs. If CreateDiff is 1, and new versions of feeds are downloaded, two additional files are created for each feed (%feed_name% is the name of the feed file):
The %feed_name%_new.json file contains records that were added to the new version of the feed file.The %feed_name%_del.json file contains records that were deleted in the new version of the feed file.Feed diffs can be created only for feeds in JSON format that are contained in a single file:
OutputFormat parameter must have the json value.UrlMatcherField parameter must be omitted or have an empty value.RecordsCount parameter must not have the perFile attribute, or this attribute must have a value of 0.To create feed diffs, Feed Utility uses a key field in the old and new version of the feed:
id, MD5, ip, url, or domain field, this field is used as a key field.The following example demonstrates how the OutputFormat parameter is nested in the configuration file.
<Settings> ... <Feeds> ... <CreateDiff>0</CreateDiff> ... </Feeds> ... </Settings> |
ProxySettings
The ProxySettings parameter specifies proxy settings for Feed Utility. If you specify a proxy server, Feed Utility will download feeds using the specified parameters.
The user name and password for the proxy are stored in the Feed Utility configuration file. This information is not provided to Kaspersky.
Proxy settings are specified in the following parameters:
HostHost of the proxy server.
You can specify a domain name or an IP address in this parameter. Both IPv4 and IPv6 addresses are supported.
PortPort of the proxy server.
UserEncrypted user name for proxy server authentication.
If a proxy server does not require authentication, leave this parameter empty.
This parameter is stored encrypted. Use the --set-proxy command-line option to set this parameter. If you do not use this option and enter your user name as plain text, connection to the proxy server will not be established.
PasswordEncrypted password for proxy server authentication.
If a proxy server does not require authentication, leave this parameter empty.
This parameter is stored encrypted. Use the --set-proxy command-line option to set this parameter. If you do not use this option and enter your password as plain text, connection to the proxy server will not be established.
The following example demonstrates how proxy settings are nested in the configuration file.
<Settings> ... <ProxySettings> <Host></Host> <Port></Port> <User></User> <Password></Password> </ProxySettings> ... </Settings> |
LogSettings
The LogSettings parameter defines how Feed Utility logs its activity.
If you enable logging, Feed Utility can write to the log files any of the following information that can be considered private, security-related, or sensitive: Feed Utility configuration parameters, proxy host and port, and operations performed while downloading and processing feeds.
If logging is enabled, Feed Utility writes to log files the information about free hard drive space that available for the work and feed directories. Also, starting from this version, an average speed that the feeds have while loading will be written to logs.
Log files are regular text files. All information written to the log files is not encrypted. The log files have standard inherited access rights. We recommend that you assign the directory for storing log files the appropriate rights so that only the administrator can read the log files.
Log files are stored until they are explicitly deleted by a user.
Feed Utility does not send log files or any data contained in them to Kaspersky. For technical support purposes, your Technical Account Manager (TAM) can ask you to provide log files.
Logging settings are specified in the following parameters:
EnableLogEnables logging.
If this value is 1 or true, Feed Utility logs its activity.
If this value is 0 or false, Feed Utility does not log its activity.
LogsDirDirectory where Feed Utility stores its log files.
CleanOldLogEnables removal of old log files.
If this value is 0, upon initialization, Feed Utility keeps old log files.
If this value is 1, upon initialization, Feed Utility deletes old log files.
The following example demonstrates how logging settings are nested in the configuration file.
<Settings> ... <LogSettings> <EnableLog>0</EnableLog> <LogsDir>logs</LogsDir> <CleanOldLog>1</CleanOldLog> </LogSettings> </Settings> |