Starting from Kaspersky CyberTrace version 4.0, detection by some fields of the feeds was removed, and therefore the respective detection categories are also removed (see the list below).

To enable event detection for these categories:

1. Stop the Kaspersky CyberTrace service:
   - In Linux: `systemctl stop cybertrace.service`
   - In Windows: `%service_dir%\bin\kl_control.bat stop`
2. Open the feed configuration file for editing:
   - In Linux: `httpsrv/etc/kl_feed_info.conf`
   - In Windows: `httpsrv\etc\kl_feed_info.conf`
3. Add the required field descriptions to the `fields` element of the feed. For detailed information on the categories that you can add, see the table below. For example, to enable detection by MD5, SHA1, and SHA256 for Botnet CnC URL Data Feed, edit `kl_feed_info.conf` as follows:

```json
{
  "name": "Botnet_CnC_URL_Data_Feed",
  "id": 65,
  "description": "A set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects. Masked and non-masked records are available.",
  "fields": [
    { "name": "mask", "type": "URL", "category": "KL_BotnetCnC_URL" },
    { "name": "files/MD5", "type": "MD5", "category": "KL_BotnetCnC_Hash_MD5" },
    { "name": "files/SHA1", "type": "SHA1", "category": "KL_BotnetCnC_Hash_SHA1" },
    { "name": "files/SHA256", "type": "SHA256", "category": "KL_BotnetCnC_Hash_SHA256" }
  ],
  "verification": [
    { "indicator": "http://fakess123bn.nu/", "category": "KL_BotnetCnC_URL" }
  ]
}
```

4. Start the Kaspersky CyberTrace service:
   - In Linux: `systemctl start cybertrace.service`
   - In Windows: `%service_dir%\bin\kl_control.bat start`
In the table below, you can find the values for the `name`, `type`, and `category` elements in `kl_feed_info.conf`.
Categories that can be added to the feeds

| Name | Type | Category |
|---|---|---|
| Botnet CnC URL Data Feed and Demo Botnet CnC URL Data Feed | | |
| files/MD5 | MD5 | KL_BotnetCnC_Hash_MD5 |
| files/SHA1 | SHA1 | KL_BotnetCnC_Hash_SHA1 |
| files/SHA256 | SHA256 | KL_BotnetCnC_Hash_SHA256 |
| IP Reputation Data Feed and Demo IP Reputation Data Feed | | |
| files/MD5 | MD5 | KL_IP_Reputation_Hash_MD5 |
| files/SHA1 | SHA1 | KL_IP_Reputation_Hash_SHA1 |
| files/SHA256 | SHA256 | KL_IP_Reputation_Hash_SHA256 |
| Malicious URL Data Feed | | |
| files/MD5 | MD5 | KL_Malicious_URL_Hash_MD5 |
| files/SHA1 | SHA1 | KL_Malicious_URL_Hash_SHA1 |
| files/SHA256 | SHA256 | KL_Malicious_URL_Hash_SHA256 |
| Mobile Botnet CnC URL Data Feed | | |
| files/MD5 | MD5 | KL_Mobile_BotnetCnC_Hash_MD5 |
| files/SHA1 | SHA1 | KL_Mobile_BotnetCnC_Hash_SHA1 |
| files/SHA256 | SHA256 | KL_Mobile_BotnetCnC_Hash_SHA256 |
| Ransomware URL Data Feed | | |
| files/MD5 | MD5 | KL_Ransomware_URL_Hash_MD5 |
| files/SHA1 | SHA1 | KL_Ransomware_URL_Hash_SHA1 |
| files/SHA256 | SHA256 | KL_Ransomware_URL_Hash_SHA256 |
After you perform the actions described in this section, Kaspersky CyberTrace loads not only the IP addresses and masks from the Kaspersky feeds into the indicator database, but also the indicators that correspond to the hashes. As a result, for the feeds listed in this section, Kaspersky CyberTrace detects events by file hashes in addition to detection by IP addresses and masks.
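As an added example (not part of the Kaspersky documentation or product), the following Python script applies the table above to one feed entry from `kl_feed_info.conf`: it appends the MD5, SHA1 and SHA256 field descriptions the feed is missing and leaves already-present ones alone, so running it twice does not duplicate fields. It assumes the feed's `name` is the table name with underscores in place of spaces, and it operates on a single feed object because the page does not show the structure of the enclosing file.

```python
import json

# Category prefixes from the table above, keyed by feed name as it appears in
# the table (the "category" column minus its MD5/SHA1/SHA256 suffix).
HASH_CATEGORY_PREFIX = {
    "Botnet CnC URL Data Feed": "KL_BotnetCnC_Hash_",
    "Demo Botnet CnC URL Data Feed": "KL_BotnetCnC_Hash_",
    "IP Reputation Data Feed": "KL_IP_Reputation_Hash_",
    "Demo IP Reputation Data Feed": "KL_IP_Reputation_Hash_",
    "Malicious URL Data Feed": "KL_Malicious_URL_Hash_",
    "Mobile Botnet CnC URL Data Feed": "KL_Mobile_BotnetCnC_Hash_",
    "Ransomware URL Data Feed": "KL_Ransomware_URL_Hash_",
}
HASH_TYPES = ("MD5", "SHA1", "SHA256")


def hash_fields_for(feed_name):
    """Build the three hash field entries for a feed from the table values.
    Assumption: the "name" in kl_feed_info.conf is the table name with spaces
    replaced by underscores (true for Botnet_CnC_URL_Data_Feed on this page)."""
    prefix = HASH_CATEGORY_PREFIX[feed_name.replace("_", " ")]
    return [{"name": "files/" + t, "type": t, "category": prefix + t} for t in HASH_TYPES]


def add_hash_fields(feed):
    """Append the hash fields to the feed's "fields" element, skipping entries
    whose "name" is already present so that a second run changes nothing.
    Returns the number of fields added."""
    fields = feed.setdefault("fields", [])
    present = {f["name"] for f in fields}
    added = 0
    for field in hash_fields_for(feed["name"]):
        if field["name"] not in present:
            fields.append(field)
            added += 1
    return added


def sample_feed():
    """Constructed sample: the Botnet CnC URL feed entry from this page,
    before the hash fields are added (description omitted for brevity)."""
    return json.loads('''{ "name": "Botnet_CnC_URL_Data_Feed", "id": 65,
      "fields": [ { "name": "mask", "type": "URL", "category": "KL_BotnetCnC_URL" } ],
      "verification": [ { "indicator": "http://fakess123bn.nu/", "category": "KL_BotnetCnC_URL" } ] }''')


if __name__ == "__main__":
    feed = sample_feed()
    print("added", add_hash_fields(feed), "fields")  # added 3 fields
    print(json.dumps(feed, indent=2))  # the entry to paste back into kl_feed_info.conf
```

Validate that the edited file still parses as JSON before starting the service again.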