The Feed Service configuration file consists of the following XML elements:
EULA
Specifies whether the terms of the End User License Agreement (EULA) were accepted by a user. Contains the accepted and rejected values. If the terms of the EULA were accepted, the value is accepted. If the terms of the EULA were not accepted, the value is rejected. In this case, CyberTrace cannot be used.
InputSettings
Defines the IP address and port that Feed Service will listen on for incoming events, the normalizing rules for processing the events, and the regular expressions for parsing the events.
RegExps
Contains Boost regular expressions that are used to parse incoming events. These regular expressions pick out the values of different parameters (such as a URL or hash) to be checked against feeds or to be inserted into outgoing events.
The RegExps element also contains rules for modifying incoming events. For more information, see section "About normalizing rules".
For more information about these elements, see section "About regular expressions".
ConnectionString
Specifies the IP address and port (or the Windows named pipe) that the service will listen on for incoming events. The string is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows named pipe is used). The IP address must consist of four decimal octets, each less than 256 and separated by a dot.
The ConnectionString element is mandatory.
EventDelimiter
Specifies the rule for splitting incoming events. This rule must have the following format:
<EventDelimiter>%START_EVENT_SYMBOLS%</EventDelimiter>
The %START_EVENT_SYMBOLS% value contains the regular expression that matches the beginning of an event within the incoming string.
The rule processes all occurrences of the %START_EVENT_SYMBOLS% value. If the %START_EVENT_SYMBOLS% value is found in the incoming string, the string is split into multiple events by adding the newline character (\n) before every matched substring.
If the %START_EVENT_SYMBOLS% value does not match any substring of the incoming string, the entire incoming string is processed in the standard way.
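As an added illustration (not code from the CyberTrace documentation), the following Python function reproduces the EventDelimiter splitting rule: a newline is inserted before every match of the start-of-event expression, and an input with no match is returned unchanged as a single event. The sample input and the delimiter expression are constructed here, and Python's re module stands in for the Boost regular expressions that CyberTrace evaluates.

```python
import re

def split_events(incoming, start_event_symbols):
    """Apply the EventDelimiter rule: put a newline before every match of the
    start-of-event regular expression, then split on newlines.
    Returns the list of events; input with no match comes back as one event."""
    pattern = re.compile(start_event_symbols)
    if not pattern.search(incoming):
        return [incoming]  # no match: the whole string is processed as one event
    marked = pattern.sub(lambda m: "\n" + m.group(0), incoming)
    # A match at position 0 leaves an empty first piece, which is dropped.
    return [event for event in marked.split("\n") if event]

# Constructed sample: two syslog-style events received in one TCP read, and a
# start-of-event expression (the %START_EVENT_SYMBOLS% value) matching "<PRI>Mon DD ".
RAW_INPUT = ("<13>Jan 01 12:00:00 host1 proxy: url=http://example.test/a "
             "<13>Jan 01 12:00:01 host1 proxy: url=http://example.test/b")
START_EVENT_SYMBOLS = r"<\d+>[A-Z][a-z]{2} \d{2} "
```

The first event keeps the trailing space that separated it from the second one; CyberTrace's normalizing rules, not the delimiter, are where such trimming belongs.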
Feeds
Defines how events must be checked against feeds.
You can use the per_scan_detect_limit attribute in the Feeds element to specify how many times a field from an event can be matched against feeds. For example, a certain URL can match many feed records, so there will be many detection events. The per_scan_detect_limit attribute limits the number of generated events. The per_scan_detect_limit attribute is optional.
You can also use the update_frequency attribute in the Feeds element to specify the update period (in minutes) for the feeds. You can use one of the following values: 0, 30, 60, 120, 240, 480, 960, or 1440. The value 0 means that Kaspersky CyberTrace does not use a timer for updating feeds. The update_frequency attribute is optional. If it is omitted, the value 30 is used by default.
Feed
Every Feed element describes a feed.
The value of the mandatory filename attribute of the element is the file name of the feed in the directory specified in the ServiceSettings > Bases element.
The value of the optional outdated_alert_period attribute is the period (in hours) following the last feed update, after which a notification about an outdated feed is sent to the event target. To turn off notifications for this feed, set this parameter to 0. If the attribute is omitted, the value of the ServiceSettings > OutdatedBasesAlertPeriod element is used. We recommend that you set this parameter to 120 for commercial Kaspersky Data Feeds and to 720 for Kaspersky APT feeds.
A configuration file must contain at least one Feed element. The filename attribute of the element is mandatory.
The following is an example of specifying a feed:
<Feed filename="Botnet_CnC_URL_Data_Feed.json">
Field
A Field element specifies the rules for checking an event against the records of the feed.
For more information about this element, see section "About feed matching rules".
ActionableFields
An ActionableFields element lists the fields that must be inserted into the outgoing events in addition to the context. An outgoing event contains context and actionable fields.
For more information about this element, see section "About actionable fields".
OutputSettings
Defines the address and port of the event target software to which outgoing events are sent, and the format of the outgoing events:
EventFormat
Specifies the format of outgoing events.
The EventFormat element is mandatory.
For more information about this element, see section "About output format settings".
RecordFieldContextFormat
Specifies the format of a single name-value pair of a feed field. The pairs will be inserted into the outgoing event (see the OutputSettings > EventFormat element and the OutputSettings > AlertFormat element).
The RecordFieldContextFormat element is mandatory.
For more information about this element, see section "About output format settings".
ActionableFieldContextFormat
Specifies the format of a single name-value pair of an actionable feed field (see the Feeds > Feed > ActionableFields element). The pairs will be inserted into the outgoing event (see the OutputSettings > EventFormat element).
The ActionableFieldContextFormat element is mandatory.
For more information about this element, see section "About output format settings" and section "About actionable fields".
AlertFormat
Specifies the format for outgoing events that inform the event target software about the Feed Service state.
The AlertFormat element is optional. If it is absent from the configuration file, no notifications are sent.
For more information about this element, see section "About output format settings".
ConnectionString
Specifies the IP address and port (or the Windows named pipe) to which the service will send outgoing events. The string is formatted as <ip_address>:<port> (if an IP address and port are used) or as \\.\pipe\<pipe_name> (if a Windows named pipe is used). The IP address must consist of four decimal octets, each less than 256 and separated by a dot.
The ConnectionString element is mandatory.
FinishedEventFormat
Specifies the format of the informational event that can be generated after all events from a thread are matched against the feeds.
You can use the enable attribute in the FinishedEventFormat element to specify whether this informational event will be generated. If the value of the enable attribute is false, Feed Service will generate no informational event. If the value of the enable attribute is true or there is no enable attribute, Feed Service will generate such an event. The enable attribute is optional.
The %RecordContext% pattern uses the format specified in the RecordFieldContextFormat element. It uses the following parameters:
category
It is "LookupFinished" for events of this type.
sent_events
The number of events sent to a SIEM solution.
total
Concatenation of the following substrings, formed for every category assigned to detection events:
<category>:<number_of_detections>;
If there were no detections, the sent_events parameter is set to 0, and the total string is empty.
The FinishedEventFormat element is mandatory.
ServiceSettings
Defines settings for the Feed Service process:
Bases
Specifies the path to the directory that contains feeds from Kaspersky. If a relative path is set, it is calculated relative to the directory that contains the service binary file.
The Bases element is mandatory.
BasesBackup
Specifies the path to the directory that contains backup versions of feeds from Kaspersky. If a relative path is set, it is calculated relative to the directory that contains the service binary file.
The BasesBackup element is mandatory.
BasesDownload
Specifies the path to the directory that contains downloaded feeds from Kaspersky. If a relative path is set, it is calculated relative to the directory that contains the service binary file.
The BasesDownload element is mandatory.
StorageType
Specifies where the feeds in use are stored. Its value can be either Mem or Disk. If Mem, the feeds in use are stored in RAM; this boosts the performance of Feed Service. If Disk, the feeds in use are stored partly in RAM and partly on disk; this decreases RAM consumption.
The StorageType element is optional. If it is omitted, the default value Disk is used.
TemporaryDir
The directory for temporary files.
The TemporaryDir element is optional. If it is omitted, the default value is used.
In Linux, the default value is /tmp.
In Windows, the default value is %TEMP% (the current Windows user's temporary folder).
OutdatedBasesAlertPeriod
The time interval in hours following the last feed update, after which a notification about an outdated feed is sent to the event target. To turn off notifications, set this parameter to 0. This setting is taken into account for every feed that has no outdated_alert_period attribute.
The OutdatedBasesAlertPeriod element is optional. If it is omitted, the default value 0 is used.
ScannersCount
The number of scanners. Every scanner handles a single TCP connection.
If you want to run Feed Service in watchdog mode, specify one scanner in addition to the number of scanners needed for Feed Service itself, because the watchdog module uses an additional scanner.
The ScannersCount element is optional. If it is omitted, the default value 9 is used.
ScanningThreadsPerScanner
The number of threads per scanner.
The ScanningThreadsPerScanner element is optional. If it is omitted, the default value 8 is used.
GUISettings
Defines settings for the CyberTrace HTTP service.
HTTPServer
Contains the CyberTrace HTTP service parameters. The HTTPServer element can have the enabled attribute, which specifies whether the CyberTrace HTTP service must be used. If the value of the enabled attribute is true or the HTTPServer element does not have the enabled attribute, the CyberTrace HTTP service is used.
Starting from Kaspersky CyberTrace version 3.1.0, the CyberTrace HTTP service always runs when Kaspersky CyberTrace is initialized.
The HTTPServer element is optional. If it is omitted, the CyberTrace HTTP service is not used.
The HTTPServer element contains the following elements:
ConnectionString
Specifies the IP address and port where the CyberTrace HTTP service is available.
The ConnectionString element is optional. If it is omitted, the 127.0.0.1:443 IP address and port are used. After the installation process is complete, the default value of the HTTPServer > ConnectionString element is 0.0.0.0:443, that is, the service listens on all network interfaces.
SSLCertificatePath
Path to the PEM-formatted certificate on the local computer for HTTPS connections. If a relative path is specified, it is calculated relative to the executable file.
For security reasons, do not store your certificate in a shared folder accessible over a network, and do not specify the path to a network shared folder containing your certificate.
The SSLCertificatePath element is optional. If it is omitted, the ../httpsrv/kl_feed_service_cert.pem file is used.
SSLPrivateKeyPath
Path to the PEM-formatted private key on the local computer for HTTPS connections. If a relative path is specified, it is calculated relative to the executable file.
For security reasons, do not store your private key in a shared folder accessible over a network, and do not specify the path to a network shared folder containing your private key.
The SSLPrivateKeyPath element is optional. If it is omitted, the ../httpsrv/kl_feed_service_private.pem file is used.
TemplatesPath
Path to the directory that contains layout pages for the CyberTrace HTTP service. If a relative path is specified, it is calculated relative to the executable file.
The TemplatesPath element is optional. If it is omitted, the ../httpsrv/templates/ directory is used.
FeedUtil
Contains the Feed Utility parameters.
ConfigurationPath
Path to the Feed Utility configuration file.
The ConfigurationPath element is mandatory if the CyberTrace web interface is used.
Using special characters
To use special characters (for example, an ampersand or angle brackets) in regular expressions and other parameters, enclose the text of the elements in a CDATA section.
The following example uses braces around parameters:
<RecordFieldContextFormat><![CDATA[{%ParamName%=%ParamValue%}]]></RecordFieldContextFormat>
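Several of the rules described above (an accepted EULA, the ConnectionString syntax, at least one Feed with a filename attribute, the allowed update_frequency values, and certificate or key files kept off network shares) can be checked before a configuration is deployed. The following Python linter is an added example, not part of CyberTrace; the root element name Configuration and all sample values in it are assumptions constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constraints as stated in the Feed Service configuration description.
UPDATE_FREQUENCIES = {0, 30, 60, 120, 240, 480, 960, 1440}
IP_PORT_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{1,5})$")
PIPE_RE = re.compile(r"^\\\\\.\\pipe\\[^\\]+$")

def valid_connection_string(value):
    r"""<ip_address>:<port> with four octets below 256, or a \\.\pipe\<pipe_name> named pipe."""
    m = IP_PORT_RE.match(value or "")
    if m:
        return all(int(o) < 256 for o in m.groups()[:4]) and 0 < int(m.group(5)) < 65536
    return PIPE_RE.match(value or "") is not None

def check_config(xml_text):
    """Return the list of rule violations found in a Feed Service configuration."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("EULA") != "accepted":
        problems.append("EULA: not accepted, CyberTrace cannot be used")
    for path in ("InputSettings/ConnectionString", "OutputSettings/ConnectionString"):
        if not valid_connection_string(root.findtext(path)):
            problems.append(f"{path}: missing or malformed")
    feeds = root.find("Feeds")
    if feeds is None or not feeds.findall("Feed"):
        problems.append("Feeds: at least one Feed element is required")
    else:
        freq = feeds.get("update_frequency", "30")  # 30 is the documented default
        if not (freq.isdigit() and int(freq) in UPDATE_FREQUENCIES):
            problems.append(f"Feeds: update_frequency {freq!r} is not an allowed value")
        problems += ["Feed: filename attribute is mandatory"
                     for f in feeds.findall("Feed") if not f.get("filename")]
    for tag in ("SSLCertificatePath", "SSLPrivateKeyPath"):
        p = root.findtext(f"GUISettings/HTTPServer/{tag}", "")
        if p.startswith(("\\\\", "//")):  # UNC path: key material on a network share
            problems.append(f"GUISettings/HTTPServer/{tag}: network share path {p!r}")
    return problems

# Constructed sample (root element name assumed) with two deliberate mistakes:
# a disallowed update period and a private key stored on a network share.
SAMPLE_CONFIG = """<Configuration>
<EULA>accepted</EULA>
<InputSettings><ConnectionString>127.0.0.1:9999</ConnectionString></InputSettings>
<Feeds update_frequency="45"><Feed filename="Botnet_CnC_URL_Data_Feed.json"/></Feeds>
<OutputSettings><ConnectionString>\\\\.\\pipe\\siem_in</ConnectionString>
<RecordFieldContextFormat><![CDATA[{%ParamName%=%ParamValue%}]]></RecordFieldContextFormat></OutputSettings>
<GUISettings><HTTPServer><SSLPrivateKeyPath>\\\\fileserver\\certs\\key.pem</SSLPrivateKeyPath>
</HTTPServer></GUISettings></Configuration>"""
```

Running check_config(SAMPLE_CONFIG) reports exactly the two planted problems; the CDATA-wrapped RecordFieldContextFormat parses cleanly, as the section above describes.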