Extending detection categories

Starting from Kaspersky CyberTrace version 4.0, the detection by some fields of the feeds was removed, therefore the respective detection categories are also removed (see the list below).

To enable event detection for these categories:

  1. Stop Feed Service.

    systemctl stop cybertrace.service (in Linux)

    %service_dir%\bin\kl_control.bat stop (in Windows)

  2. Open the configuration file:
    • Windows: httpsrv\etc\kl_feed_info.conf
    • Linux: httpsrv/etc/kl_feed_info.conf
  3. Add the categories to the fields element of the feed. For detailed information on the categories that you can add, see the table below.

    For example, to enable detection by MD5, SHA1, and SHA256 for Botnet CnC URL Data Feed, edit kl_feed_info.conf as follows:

    {

    "name": "Botnet_CnC_URL_Data_Feed",

    "id": 65,

    "description": "A set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects. Masked and non-masked records are available.",

    "fields": [

    { "name": "mask", "type": "URL", "category": "KL_BotnetCnC_URL" },

    { "name": "files/MD5", "type": "MD5", "category": "KL_BotnetCnC_Hash_MD5" },

    { "name": "files/SHA1", "type": "SHA1", "category": "KL_BotnetCnC_Hash_SHA1" },

    { "name": "files/SHA256", "type": "SHA256", "category": "KL_BotnetCnC_Hash_SHA256" } ],

    "verification": [

    { "indicator": "http://fakess123bn.nu/", "category": "KL_BotnetCnC_URL" } ]

    }

  4. Start Feed Service.

    systemctl start cybertrace.service (in Linux)

    %service_dir%\bin\kl_control.bat start (in Windows)

  5. Open CyberTrace Web. Go to Settings > Feeds, and launch feeds update by using the Launch update now button.

In the table below, you can find the values for the name, type, and category elements in kl_feed_info.conf.

Categories that can be added to the feeds

Name

Type

Category

Botnet CnC URL Data Feed and Demo Botnet CnC URL Data Feed

files/MD5

MD5

KL_BotnetCnC_Hash_MD5

files/SHA1

SHA1

KL_BotnetCnC_Hash_SHA1

files/SHA256

SHA256

KL_BotnetCnC_Hash_SHA256

IP Reputation Data Feed and Demo IP Reputation Data Feed

files/MD5

MD5

KL_IP_Reputation_Hash_MD5

files/SHA1

SHA1

KL_IP_Reputation_Hash_SHA1

files/SHA256

SHA256

KL_IP_Reputation_Hash_SHA256

Malicious URL Data Feed

files/MD5

MD5

KL_Malicious_URL_Hash_MD5

files/SHA1

SHA1

KL_Malicious_URL_Hash_SHA1

files/SHA256

SHA256

KL_Malicious_URL_Hash_SHA256

Mobile Botnet CnC URL Data Feed

files/MD5

MD5

KL_Mobile_BotnetCnC_Hash_MD5

files/SHA1

SHA1

KL_Mobile_BotnetCnC_Hash_SHA1

files/SHA256

SHA256

KL_Mobile_BotnetCnC_Hash_SHA256

Ransomware URL Data Feed

files/MD5

MD5

KL_Ransomware_URL_Hash_MD5

files/SHA1

SHA1

KL_Ransomware_URL_Hash_SHA1

files/SHA256

SHA256

KL_Ransomware_URL_Hash_SHA256

After you perform the actions described in this section, Kaspersky CyberTrace does the following: in addition to loading IP addresses and masks when loading Kaspersky feeds to the indicator database, Kaspersky CyberTrace also loads the indicators that correspond to the hashes. As a result, for the feeds that are listed in this section, Kaspersky CyberTrace detects events by file hashes in addition to detection by IP addresses and masks.

Page top