Testing the connection with Feed Service and the availability of feeds
This section explains how to test the connection with Feed Service and its ability to match events against specific feeds.
Before testing the connection with Feed Service, make sure that there is at least one unused scanner in the ServiceSettings > ScannersCount element of the configuration file.
Sending a ping request
You can send a ping request to test the connection with Feed Service. This method does not require any feeds to be enabled. You do not need a commercial certificate for Kaspersky Threat Data Feeds to use this method.
To test the connection with Feed Service by sending a ping request:
- Establish a TCP connection using the IP address and port that Feed Service listens on for incoming events (see section "Service settings").
- Send X-KF-ReplyBackPING as the first message.
- Wait for the response.
If the response is PONG, it means that Feed Service is running and listening for incoming events on the specified IP address and port.
Sending a test event
Kaspersky Threat Intelligence Data Feeds contain records that are provided for test purposes only and do not represent malicious objects. You can use these records to make sure that Feed Service can match events against specific feeds. These records always appear in the feeds and will never be removed.
To test the connection with Feed Service by sending a test event:
- Establish a TCP connection using the IP address and port that Feed Service listens on for incoming events (see section "Service settings").
- Send X-KF-SendFinishedEventX-KF-ReplyBack as the first message.
- Send a test event containing a test record for the specific feed from the tables below.
The following table contains the test records for commercial feeds.
Test records (commercial feeds)
| Feed used | Test records | Event category |
|---|---|---|
| Malicious URL Data Feed | http://fakess123.nu | KL_Malicious_URL |
| Phishing URL Data Feed | http://fakess123ap.nu | KL_Phishing_URL |
| Botnet CnC URL Data Feed | http://fakess123bn.nu | KL_BotnetCnC_URL |
| IP Reputation Data Feed | 192.0.2.1 | KL_IP_Reputation |
| Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF | KL_Malicious_Hash_MD5 |
| Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1 | KL_Mobile_Malicious_Hash_MD5 |
| Mobile Botnet CnC URL Data Feed | http://sdfed7233dsfg93acvbhl.su/steallallsms.php | KL_Mobile_BotnetCnC_URL |
| Ransomware URL Data Feed | http://fa7830b4811fbef1b187913665e6733c.com | KL_Ransomware_URL |
| Vulnerability Data Feed | D8C1F5B4AD32296649FF46027177C594 | KL_Vulnerable_File_Hash_MD5 |
| APT URL Data Feed | http://b046f5b25458638f6705d53539c79f62.com | KL_APT_URL |
| APT Hash Data Feed | 7A2E65A0F70EE0615EC0CA34240CF082 | KL_APT_Hash_MD5 |
| APT IP Data Feed | 192.0.2.4 | KL_APT_IP |
| IoT URL Data Feed | http://e593461621ee0f9134c632d00bf108fd.com/.i | KL_IoT_URL |
| ICS Hash Data Feed | 7A8F30B40C6564EFF95E678F7C43346C | KL_ICS_Hash_MD5 |
The following table contains the test records that can be used when only demo feeds are enabled.
Test records (demo feeds)
| Feed used | Test records | Event category |
|---|---|---|
| DEMO Botnet_CnC_URL_Data_Feed | http://5a015004f9fc05290d87e86d69c4b237.com | KL_BotnetCnC_URL |
| DEMO IP_Reputation_Data_Feed | 192.0.2.1 | KL_IP_Reputation |
| DEMO Malicious_Hash_Data_Feed | 776735A8CA96DB15B422879DA599F474 | KL_Malicious_Hash_MD5 |
- Wait for the response:
  - If the response is a detection event that contains the corresponding event category from the tables above, it means that Feed Service can receive events and match them against the specific feed.
  - If the response is LookupFinished without event information, it means that Feed Service can receive events and perform matching, but the specific feed is disabled (see section "Enabling and disabling feeds").
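The ping request and the test event procedures above, written as one small Python client. This is an added example, not part of the product documentation or Kaspersky code. It assumes each message is a newline-terminated line and that a bare test record is accepted as an event; start_stub is a constructed stand-in for Feed Service so the script runs offline, and its detection line format is made up.

```python
import socket
import threading

def exchange(host, port, messages, done_token, timeout=5.0):
    """Send messages on one TCP connection; read until done_token, close or timeout."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Assumption: each message is sent as one newline-terminated line.
        sock.sendall("".join(m + "\n" for m in messages).encode())
        try:
            while done_token.encode() not in reply and (chunk := sock.recv(4096)):
                reply += chunk
        except socket.timeout:
            pass  # keep whatever arrived before the timeout
    return reply.decode(errors="replace")

def ping_feed_service(host, port):
    try:
        return "PONG" in exchange(host, port, ["X-KF-ReplyBackPING"], "PONG")
    except OSError:
        return False  # refused or unreachable: nothing is listening there

def send_test_event(host, port, record, category):
    """Return 'matched', 'feed_disabled' or 'no_response' for one test record."""
    reply = exchange(host, port, ["X-KF-SendFinishedEventX-KF-ReplyBack", record], "LookupFinished")
    if category in reply:
        return "matched"
    return "feed_disabled" if "LookupFinished" in reply else "no_response"

def start_stub(enabled):
    """Constructed stand-in for Feed Service; enabled maps record -> category. Returns port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("r") as rd:
                if rd.readline().strip() == "X-KF-ReplyBackPING":
                    conn.sendall(b"PONG\n")
                    continue
                category = enabled.get(rd.readline().strip())
                hit = f"category={category}\n" if category else ""  # made-up event format
                conn.sendall((hit + "LookupFinished\n").encode())
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    addr = ("127.0.0.1", start_stub({"http://fakess123.nu": "KL_Malicious_URL"}))
    print(ping_feed_service(*addr))
    print(send_test_event(*addr, "http://fakess123.nu", "KL_Malicious_URL"))
```

To check a real instance, call the two functions with the IP address and port from "Service settings" instead of the stub's address.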