Extending detection categories

Starting from Kaspersky CyberTrace version 4.0, the detection by some fields of the feeds was removed, therefore the respective detection categories are also removed (see the list below).

• Botnet CnC URL Data Feed and Demo Botnet CnC URL Data Feed:
  • KL_BotnetCnC_Hash_MD5
  • KL_BotnetCnC_Hash_SHA1
  • KL_BotnetCnC_Hash_SHA256
• IP Reputation Data Feed and Demo IP Reputation Data Feed:
  • KL_IP_Reputation_Hash_MD5
  • KL_IP_Reputation_Hash_SHA1
  • KL_IP_Reputation_Hash_SHA256
• Malicious URL Data Feed:
  • KL_Malicious_URL_Hash_MD5
  • KL_Malicious_URL_Hash_SHA1
  • KL_Malicious_URL_Hash_SHA256
• Mobile Botnet CnC URL Data Feed:
  • KL_Mobile_BotnetCnC_Hash_MD5
  • KL_Mobile_BotnetCnC_Hash_SHA1
  • KL_Mobile_BotnetCnC_Hash_SHA256
• Ransomware URL Data Feed:
  • KL_Ransomware_URL_Hash_MD5
  • KL_Ransomware_URL_Hash_SHA1
  • KL_Ransomware_URL_Hash_SHA256

To enable event detection for these categories:

1. Stop Feed Service.

   systemctl stop cybertrace.service (in Linux)

   %service_dir%\bin\kl_control.bat stop (in Windows)

2. Open the configuration file:
   • Windows: httpsrv\etc\kl_feed_info.conf
   • Linux: httpsrv/etc/kl_feed_info.conf
3. Add the categories to the fields element of the feed. For detailed information on the categories that you can add, see the table below.

   For example, to enable detection by MD5, SHA1, and SHA256 for Botnet CnC URL Data Feed, edit kl_feed_info.conf as follows:

   { "name": "Botnet_CnC_URL_Data_Feed", "id": 65, "description": "A set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects. Masked and non-masked records are available.", "fields": [ { "name": "mask", "type": "URL", "category": "KL_BotnetCnC_URL" }, { "name": "files/MD5", "type": "MD5", "category": "KL_BotnetCnC_Hash_MD5" }, { "name": "files/SHA1", "type": "SHA1", "category": "KL_BotnetCnC_Hash_SHA1" }, { "name": "files/SHA256", "type": "SHA256", "category": "KL_BotnetCnC_Hash_SHA256" } ], "verification": [ { "indicator": "http://fakess123bn.nu/", "category": "KL_BotnetCnC_URL" } ] }

4. Start Feed Service.

   systemctl start cybertrace.service (in Linux)

   %service_dir%\bin\kl_control.bat start (in Windows)

5. Open CyberTrace Web. Go to Settings > Feeds, and launch feeds update by using the Launch update now button.

In the table below, you can find the values for the name, type, and category elements in kl_feed_info.conf.

Categories that can be added to the feeds

Name	Type	Category
Botnet CnC URL Data Feed and Demo Botnet CnC URL Data Feed
files/MD5	MD5	KL_BotnetCnC_Hash_MD5
files/SHA1	SHA1	KL_BotnetCnC_Hash_SHA1
files/SHA256	SHA256	KL_BotnetCnC_Hash_SHA256
IP Reputation Data Feed and Demo IP Reputation Data Feed
files/MD5	MD5	KL_IP_Reputation_Hash_MD5
files/SHA1	SHA1	KL_IP_Reputation_Hash_SHA1
files/SHA256	SHA256	KL_IP_Reputation_Hash_SHA256
Malicious URL Data Feed
files/MD5	MD5	KL_Malicious_URL_Hash_MD5
files/SHA1	SHA1	KL_Malicious_URL_Hash_SHA1
files/SHA256	SHA256	KL_Malicious_URL_Hash_SHA256
Mobile Botnet CnC URL Data Feed
files/MD5	MD5	KL_Mobile_BotnetCnC_Hash_MD5
files/SHA1	SHA1	KL_Mobile_BotnetCnC_Hash_SHA1
files/SHA256	SHA256	KL_Mobile_BotnetCnC_Hash_SHA256
Ransomware URL Data Feed
files/MD5	MD5	KL_Ransomware_URL_Hash_MD5
files/SHA1	SHA1	KL_Ransomware_URL_Hash_SHA1
files/SHA256	SHA256	KL_Ransomware_URL_Hash_SHA256

After you perform the actions described in this section, Kaspersky CyberTrace does the following: in addition to loading IP addresses and masks when loading Kaspersky feeds to the indicator database, Kaspersky CyberTrace also loads the indicators that correspond to the hashes. As a result, for the feeds that are listed in this section, Kaspersky CyberTrace detects events by file hashes in addition to detection by IP addresses and masks.

Page top