Separate installation of Feed Service and Feed Utility (Windows)
You can install Feed Service and Feed Utility on separate computers. This allows you to isolate the computer on which event data is matched against feeds from the Internet.
Do not delete the dmz directory from the distribution kit of Kaspersky CyberTrace, even if you do not plan to use Feed Service and Feed Utility on separate computers.
You can install Feed Utility on a Linux computer. For this you must have the distribution package for Linux, which also contains the instructions on how to perform the installation.
How Feed Service and Feed Utility work in DMZ
The following diagram describes how Feed Service and Feed Utility work in the DMZ.
[Diagram: Workflow when Feed Service and Feed Utility are installed on separate computers]
Using CyberTrace Web if Feed Service and Feed Utility are on separate computers
If you use Kaspersky CyberTrace Web with Feed Service and Feed Utility installed on separate computers, keep the following actions in mind with respect to the Settings > Feeds tab, in the Feeds update period section.
- Do not update feeds (by clicking the Launch update now button) or change the update frequency (by selecting a value from the Update frequency drop-down list).
The feeds will not be updated on the Local computer, because it is isolated from the Internet.
- (Kaspersky CyberTrace version 3.0) Do not change the Kaspersky certificate by clicking Import certificate.
The certificate will only be changed on the Local computer. To change the certificate on the DMZ computer, manually copy it from the Local computer to the dmz folder.
By default, Kaspersky CyberTrace updates Kaspersky Threat Data Feeds every 30 minutes.
If you use DMZ integration, perform one of the following actions:
- Stop the scheduled task that regularly updates feeds by disabling feed updates on the Settings > Feeds tab of the web interface.
- Stop the scheduled task that regularly updates feeds by specifying 0 in the update_frequency attribute of the Feeds element in the Feed Service configuration file.
You can use Kaspersky CyberTrace Web to perform the actions listed below. However, note that each time you make any changes, you have to copy the kl_feed_util.conf file from the Local computer to the DMZ computer so that the changes you made on the Local computer will be replicated on the DMZ computer.
- You can change the remaining settings of feeds on the Settings > Feeds tab.
For example, you can add new custom or third-party feeds.
- You can change the settings of a proxy server on the Settings > Service tab, in the Connection settings section.
Installing Feed Service and Feed Utility on separate computers
The following procedure describes how to install Feed Service on one computer (in this topic, referred to as Local) and Feed Utility on another computer (in this topic, referred to as DMZ).
If you use Kaspersky CyberTrace Web, see subsection "Using CyberTrace Web if Feed Service and Feed Utility are on separate computers", above, before proceeding to the installation.
To install Feed Service and Feed Utility on separate computers:
- Install Kaspersky CyberTrace from the distribution package to a directory (referred to as %service_dir%) on the Local computer.
(Kaspersky CyberTrace version 3.0) If you use Windows Installer, after you specify the path to the certificate file, the list of available feeds is not retrieved, because the Local computer is not connected to the Internet. In this case, you are prompted to manually select the feeds.
- Locate the kl_feed_service.conf configuration file. In this file, locate the <NotifyKTFS path="">false</NotifyKTFS> element. Change it to <NotifyKTFS path="..\bin">true</NotifyKTFS>.
- Copy the dmz subfolder of the installation folder from the Local computer to the DMZ computer.
(Kaspersky CyberTrace version 3.0) When you want to use a new PEM-formatted certificate for updating feeds, change the Kaspersky CyberTrace configuration by performing the installation procedure again. You will have to copy the dmz subfolder from the Local computer to the DMZ computer.
- If you use Kaspersky CyberTrace Web and want to change the settings of any feed or add a new custom or third-party feed, make all the necessary changes directly on the Settings > Feeds tab in Kaspersky CyberTrace Web.
- Replace the kl_feed_util.conf file in the dmz folder located on the DMZ computer with the copy of the same file stored on the Local computer. You can obtain kl_feed_util.conf on the Local computer in one of the following ways:
  - Copy it from the %service_dir%\bin folder.
  - If you use Kaspersky CyberTrace Web, select the Settings > Service tab and click Export configuration file.
- Configure the synchronization of directories containing feeds as stated in subsection "Synchronizing directories that contain feeds" below.
- In the %service_dir%\scripts\cron_cybertrace.cmd file on the Local computer, specify the credentials for connecting to the DMZ computer and the path to the feeds folder on the DMZ computer.
Configuring the updating of feeds on the DMZ computer
Create a regularly launched task that runs the updating of feeds on the DMZ computer so that the cron_dmz.cmd script will run twice as often as in the case when Kaspersky CyberTrace is installed on a single computer. This task will cause new versions of feeds to be used as soon as possible. For example, create the task by running the following command:
schtasks /create /tn KasperskyFeedServiceUpdate /ru system /f /tr "\"%path_to_cron.cmd%\cron_dmz.cmd\"" /sc minute /mo 15
Configuring the updating of feeds on the Local computer
Add a task that runs the updating of feeds so that the cron_cybertrace.cmd script will run twice as often as when Kaspersky CyberTrace is installed on a single computer. For example, modify the task by running the following command. Substitute %user% with the name of the user that is authorized to run Cygwin on a Windows computer, and substitute %password% with a password for this user.
schtasks /create /tn KasperskyFeedServiceUpdate /ru %user% /rp %password% /f /tr "%service_dir%\scripts\cron_cybertrace.cmd" /sc minute /mo 15
The synchronization of feeds must occur after they are updated on the DMZ computer, and so you can specify launching of the cron_cybertrace.cmd script several minutes after the cron_dmz.cmd script is launched on the DMZ computer.
You may have to change the settings in the cron_cybertrace.cmd script. The settings are described in the following table. For more information, see subsection "Synchronizing directories that contain feeds" below.
Settings in cron_cybertrace.cmd
Setting | Description
RSYNC_USER | Login on the computer where the RSync utility is installed.
RSYNC_HOST | Host where the RSync utility is installed.
PATH_TO_FEEDS | Path to the directory where to store the processed feeds.
DOWNLOAD_DIR | Path to the directory in which the feeds are downloaded. Do not change the value of this parameter. Changing this value may cause Feed Utility not to work properly.
SSH_KEY | The RSA public key to be used when synchronizing directories with feeds.
Synchronizing directories that contain feeds
For synchronizing feeds on both the Local computer and DMZ computer, you can use the RSync utility. On a computer running Windows, the RSync utility can be run by using Cygwin.
All Linux commands below are run on Windows computers by using Cygwin.
To install the RSync utility on a Windows computer:
- Install the default set of packages from the Cygwin distribution.
- Install the following utilities: OpenSSH, OpenSSL, and RSync.
- On the DMZ computer, configure the OpenSSH components as follows:
  - Run the following command as root:
ssh-host-config
You can answer Yes every time. The important point is to run the sshd daemon as a service.
  - Run the following command:
net start sshd
The sshd daemon will start automatically.
To configure the synchronization of feeds:
- Create a private key and a corresponding public key. For this purpose, run the following command on the Local computer:
ssh-keygen -t rsa -q -N '' -f /home/<user>/.ssh/dmz_rsa_key
(Specify the user login instead of <user>.) The keys will be created without a password.
- Copy the public key from the Local computer to the DMZ computer by running the following command:
ssh-copy-id -i /home/<user>/.ssh/dmz_rsa_key <DMZ_user>@<DMZ_host>
When you run this command, you will be asked for the password to <DMZ_user>@<DMZ_host>.
- Test the synchronization of the contents of directories that contain feeds by running the following command on the Local computer:
rsync -a --delete-before --delay-updates -e "ssh -i /home/<user>/.ssh/dmz_rsa_key" <DMZ_user>@<DMZ_host>:/<Path_to_feeds>/ /<Path_to_feeds_on_Local>/
In this command, <Path_to_feeds_on_Local> is the path to the folder containing feeds on the Local computer (namely, %service_dir%/feeds), and <Path_to_feeds> is the path to the folder in which updated feeds are stored on the DMZ computer. To pass the synchronization test, the contents of the <Path_to_feeds_on_Local> folder on the Local computer must be the same as the contents of the <Path_to_feeds> folder on the DMZ computer.
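The following script is an added example, not part of the Kaspersky CyberTrace documentation or distribution: it implements the synchronization test above by building a checksum manifest of each feeds folder and comparing them, so a stale or missing feed on the Local computer is reported by name. It assumes a POSIX shell with find, sha256sum, sort, cmp and diff (all available in Cygwin) and uses constructed sample files rather than real feeds.

```shell
# Added example (not CyberTrace code): check that the Local feeds folder
# matches the DMZ feeds folder after the rsync run described above.

# Print "sha256  ./relative/path" for every file under DIR, sorted by path,
# so two manifests compare equal regardless of directory listing order.
feed_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Compare the Local feeds folder ($1) with the DMZ feeds folder ($2).
# Returns 0 when every file name and its contents match, 1 otherwise;
# on a mismatch the differing manifest lines are printed (< Local, > DMZ).
feeds_in_sync() {
    local_manifest=$(mktemp) || return 2
    dmz_manifest=$(mktemp) || return 2
    feed_manifest "$1" > "$local_manifest"
    feed_manifest "$2" > "$dmz_manifest"
    if cmp -s "$local_manifest" "$dmz_manifest"; then
        rc=0
    else
        echo "Feed directories differ (< Local, > DMZ):"
        diff "$local_manifest" "$dmz_manifest" || :
        rc=1
    fi
    rm -f "$local_manifest" "$dmz_manifest"
    return $rc
}

# Constructed sample data (not real feeds): a DMZ folder and a Local copy
# in which one feed is stale, to show the check both failing and passing.
demo_sync_check() {
    root=$(mktemp -d)
    mkdir -p "$root/dmz" "$root/local"
    printf 'feed A v2\n' > "$root/dmz/feed_a.json"
    printf 'feed A v2\n' > "$root/local/feed_a.json"
    printf 'feed B v2\n' > "$root/dmz/feed_b.json"
    printf 'feed B v1\n' > "$root/local/feed_b.json"
    feeds_in_sync "$root/local" "$root/dmz" || echo "(expected: feed_b.json is stale)"
    cp "$root/dmz/feed_b.json" "$root/local/"    # stand-in for the rsync run
    feeds_in_sync "$root/local" "$root/dmz" && echo "Feeds are in sync."
    rm -rf "$root"
}

demo_sync_check
```

On a real deployment, run feeds_in_sync against %service_dir%/feeds and a manifest produced on the DMZ computer (for example, copied back over the same SSH key); a non-zero return is a signal to investigate the rsync task before the next Feed Service update.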