This section explains how to test the connection with Feed Service and its ability to match events against specific feeds.
Before testing the connection with Feed Service, make sure that there is at least one unused scanner in the ServiceSettings > ScannersCount element of the configuration file.
Sending a ping request
You can send a ping request to test the connection with Feed Service. This method does not require any feeds to be enabled. You do not need a commercial certificate for Kaspersky Threat Data Feeds to use this method.
To test the connection with Feed Service by sending a ping request:
X-KF-ReplyBackPING as the first message.
If the response is PONG, it means that Feed Service is running and listening for incoming events on the specified IP address and port.
Sending a test event
Kaspersky Threat Intelligence Data Feeds contain records that are provided for test purposes only and do not represent malicious objects. You can use these records to make sure that Feed Service can match events against specific feeds. These records always appear in the feeds and will never be removed.
To test the connection with Feed Service by sending a test event:
X-KF-SendFinishedEventX-KF-ReplyBack as the first message.
The following table contains the test records for commercial feeds.
Test records (commercial feeds)
| Feed used | Test records | Event category |
|---|---|---|
| Malicious URL Data Feed | http://fakess123.nu | KL_Malicious_URL |
| Phishing URL Data Feed | http://fakess123ap.nu | KL_Phishing_URL |
| Botnet CnC URL Data Feed | http://fakess123bn.nu | KL_BotnetCnC_URL |
| IP Reputation Data Feed | 192.0.2.1 | KL_IP_Reputation |
| Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF | KL_Malicious_Hash_MD5 |
| Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1 | KL_Mobile_Malicious_Hash_MD5 |
| Mobile Botnet CnC URL Data Feed | http://sdfed7233dsfg93acvbhl.su/steallallsms.php | KL_Mobile_BotnetCnC_URL |
| Ransomware URL Data Feed | http://fa7830b4811fbef1b187913665e6733c.com | KL_Ransomware_URL |
| APT URL Data Feed | http://b046f5b25458638f6705d53539c79f62.com | KL_APT_URL |
| APT Hash Data Feed | 7A2E65A0F70EE0615EC0CA34240CF082 | KL_APT_Hash_MD5 |
| APT IP Data Feed | 192.0.2.4 | KL_APT_IP |
| IoT URL Data Feed | http://e593461621ee0f9134c632d00bf108fd.com/.i | KL_IoT_URL |
| ICS Hash Data Feed | 7A8F30B40C6564EFF95E678F7C43346C | KL_ICS_Hash_MD5 |
The following table contains the test records that can be used when only demo feeds are enabled.
Test records (demo feeds)
| Feed used | Test records | Event category |
|---|---|---|
| DEMO Botnet_CnC_URL_Data_Feed | http://5a015004f9fc05290d87e86d69c4b237.com | KL_BotnetCnC_URL |
| DEMO IP_Reputation_Data_Feed | 192.0.2.1 | KL_IP_Reputation |
| DEMO Malicious_Hash_Data_Feed | 776735A8CA96DB15B422879DA599F474 | KL_Malicious_Hash_MD5 |
LookupFinished without event information, it means that Feed Service can receive events and perform matching, but the specific feed is disabled (see section "Enabling and disabling feeds").
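Both checks described above can be scripted so that they run after every configuration change. The following is an added example, not code from the product or its documentation. It assumes newline-terminated messages and that the bare test record is accepted as an event line; the StubFeedService class and its reply layout are constructed stand-ins so the script can be exercised offline.

```python
import socket
import socketserver
import threading

PING = "X-KF-ReplyBackPING"                     # string given on the page
FLAGS = "X-KF-SendFinishedEventX-KF-ReplyBack"  # string given on the page

def exchange(host, port, lines, timeout=5.0):
    """Send newline-terminated lines (framing is an assumption); return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall("".join(line + "\n" for line in lines).encode())
        sock.shutdown(socket.SHUT_WR)  # nothing more to send
        reply = b"".join(iter(lambda: sock.recv(4096), b""))  # read until close
    return reply.decode("utf-8", "replace")

def ping(host, port):
    """True if the service answers PONG; False if it is unreachable or silent."""
    try:
        return "PONG" in exchange(host, port, [PING])
    except OSError:  # refused, timed out, reset
        return False

def check_record(host, port, record, category):
    """Send one test record and interpret the reply the way the page describes."""
    reply = exchange(host, port, [FLAGS, record])
    if category in reply:
        return "matched"
    if "LookupFinished" in reply:
        return "feed disabled"  # LookupFinished without event information
    return "no result"

class StubFeedService(socketserver.StreamRequestHandler):
    """Constructed stand-in for Feed Service; only IP Reputation is 'enabled'."""
    ENABLED = {"192.0.2.1": "KL_IP_Reputation"}
    def handle(self):
        lines = self.rfile.read().decode().split()
        if lines == [PING]:
            self.wfile.write(b"PONG\n")
        elif lines and lines[0] == FLAGS:
            hits = [self.ENABLED[x] for x in lines[1:] if x in self.ENABLED]
            out = "".join(f"category={h}\n" for h in hits) + "LookupFinished\n"
            self.wfile.write(out.encode())  # reply layout is constructed

def start_stub():
    """Start the stub on a free loopback port and return (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), StubFeedService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Against a real deployment, pass the IP address and port that Feed Service listens on to ping() and check_record(), using a record and category pair from the tables above.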