Upgrading files (Linux)

This section describes how to replace files of Kaspersky Threat Feed Service for a SIEM solution with those of Kaspersky CyberTrace for Linux.

To upgrade the files of Kaspersky Threat Feed Service for a SIEM solution:

If Kaspersky CyberTrace is shipped as an RPM package:

  1. Stop Feed Service by running the following command:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service stop

  2. Start the update process by running the following command with root privileges:

    run.sh upgrade

    Follow the installation script instructions. To ensure that the regular expressions are properly transferred to the new configuration file, see step 2 of the TGZ procedure below.

  3. After the installation is complete, run Feed Service as follows:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service start

If Kaspersky CyberTrace is shipped as a TGZ package:

  1. Stop Feed Service by running the following command:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service stop

  2. Copy the configuration files and certificate to the /tmp directory as follows:

    cp /opt/kaspersky/ktfs/etc/kl_feed_service.conf /opt/kaspersky/ktfs/etc/kl_feed_util.conf /opt/kaspersky/ktfs/dmz/feeds.pem /tmp

    The following information from these files will be automatically used by the configurator (which is the configure script):

    • Certificate
    • Normalization rules
    • Connection strings (IP addresses and ports that Kaspersky Threat Feed Service uses for sending and receiving events)
    • Available feeds
    • Regular expressions

      If a regular expression had an MD5, SHA1, SHA256, IP, or URL substring in its name, then this regular expression will be added to the Feed Service configuration file with the corresponding type. Otherwise, regular expressions are transferred to the new configuration file with the CONTEXT type.

  3. Unpack the TGZ archive to the /opt/kaspersky/ktfs/ directory and overwrite existing files as follows:

    tar zxvf Kaspersky_CyberTrace-Linux-x86_64-X.Y.Z.T-Release_for_SIEM.tar.gz -C /opt/kaspersky

    In this command, replace Kaspersky_CyberTrace-Linux-x86_64-X.Y.Z.T-Release_for_SIEM.tar.gz with the real name of the distribution archive.

  4. If you want to keep old files, run the following command:

    mv /opt/kaspersky/ktfs /opt/kaspersky/old_ktfs

    If you do not want to keep old files, run the following command:

    rm -fr /opt/kaspersky/ktfs

  5. Rename the directory to which the archive is unpacked as follows:

    mv /opt/kaspersky/Kaspersky_CyberTrace-Linux-x86_64-X.Y.Z.T-Release_for_SIEM /opt/kaspersky/ktfs

  6. Create or rewrite symbolic links (symlinks) for configuration files and startup scripts:

    ln -s /opt/kaspersky/ktfs/etc/init.d/kl_feed_service /etc/init.d/kl_feed_service

    ln -s /opt/kaspersky/ktfs/etc/kl_feed_service.conf /etc/kl_feed_service.conf

  7. As root, run the configure script in upgrade mode as follows:

    /opt/kaspersky/ktfs/bin/configure -u -s %SIEM%

    Here %SIEM% is the SIEM solution being used, which can have one of the following values: ArcSight, Splunk, QRadar, RSA, Log_Scanner.

  8. After the installation is complete, run Feed Service as follows:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service start

  9. If you want to use your newly transferred regular expressions in the matching process after the upgrade is complete, associate each regular expression with the corresponding feed field or fields in one of the following ways:
    • By using Kaspersky CyberTrace Web. Select the Settings > Matching tab and in the Event parsing rules section click Set event parsing rules. In the Rules for extracting data from incoming events window that opens, check which type has been assigned to the regular expressions that were transferred from the old configuration file. Make any necessary changes, click OK, and then Save to save the changes.
    • By manually editing the Feed Service configuration file (kl_feed_service.conf) and specifying the input_regexp_to_match parameter for each required feed field. This parameter must be the same as the name of the regular expression specified in the Source element. Below is an example of what the Feed Service configuration file must look like after editing. Note how the newly transferred REDIRECT_IP regular expression is associated with the ip feed field through the input_regexp_to_match attribute.

    <InputSettings>
      <RegExps>
        <!-- Each child of Source is one named regular expression; the element name is the name referenced by input_regexp_to_match -->
        <Source id="default">
          <DST_IP concatenate="#1" extract="first" type="IP">dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</DST_IP>
          <SRC_IP concatenate="#1" extract="first" type="IP">src\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</SRC_IP>
          <!-- Transferred from the old configuration file; type IP was assigned because the name contains the IP substring -->
          <REDIRECT_IP concatenate="#1" extract="first" type="IP">redirect\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</REDIRECT_IP>
        </Source>
      </RegExps>
    </InputSettings>

    <Feeds per_scan_detect_limit="10000">
      <Feed filename="Demo_IP_Reputation_Data_Feed.json" enabled="true">
        <Field name="ip" matching_type="Exact" input_regexp_to_match="DST_IP" category="KL_IP_Reputation"/>
        <Field name="ip" matching_type="Exact" input_regexp_to_match="SRC_IP" category="KL_IP_Reputation"/>
        <!-- Associates the transferred REDIRECT_IP regular expression with the ip feed field -->
        <Field name="ip" matching_type="Exact" input_regexp_to_match="REDIRECT_IP" category="KL_IP_Reputation"/>
      </Feed>
    </Feeds>
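The following script is an added example, not part of Kaspersky CyberTrace or this manual. It applies the name-based type rule from step 2 to the regular expressions in a kl_feed_service.conf fragment and checks, as step 9 asks, that every input_regexp_to_match refers to a regular expression that is actually defined in a Source element. The sample configuration, the EVENT_MSG rule and the dangling PROXY_IP reference are constructed for the demonstration; the precedence used when a name contains several type hints is an assumption, since the manual does not specify one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): the post-upgrade fragment shown
# above, wrapped in one root element so it parses as a single document, plus a
# transferred EVENT_MSG rule and a Field that references a regexp that does
# not exist (PROXY_IP) to show what the check reports.
SAMPLE_CONF = r"""<Config>
<InputSettings><RegExps><Source id="default">
<DST_IP concatenate="#1" extract="first" type="IP">dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</DST_IP>
<SRC_IP concatenate="#1" extract="first" type="IP">src\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</SRC_IP>
<REDIRECT_IP concatenate="#1" extract="first" type="IP">redirect\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</REDIRECT_IP>
<EVENT_MSG concatenate="#1" extract="first" type="CONTEXT">msg\=(.*)</EVENT_MSG>
</Source></RegExps></InputSettings>
<Feeds per_scan_detect_limit="10000">
<Feed filename="Demo_IP_Reputation_Data_Feed.json" enabled="true">
<Field name="ip" matching_type="Exact" input_regexp_to_match="DST_IP" category="KL_IP_Reputation"/>
<Field name="ip" matching_type="Exact" input_regexp_to_match="REDIRECT_IP" category="KL_IP_Reputation"/>
<Field name="ip" matching_type="Exact" input_regexp_to_match="PROXY_IP" category="KL_IP_Reputation"/>
</Feed></Feeds></Config>"""

# Type hints the upgrade looks for in a regexp name (step 2). The manual gives
# no precedence for names containing several hints; longest hint first is assumed.
TYPE_HINTS = sorted(("MD5", "SHA1", "SHA256", "IP", "URL"), key=len, reverse=True)


def expected_type(regexp_name):
    """Type the upgrade assigns from the regexp name; CONTEXT if no hint matches."""
    for hint in TYPE_HINTS:
        if hint in regexp_name.upper():
            return hint
    return "CONTEXT"


def check_config(conf_xml):
    """Return (regexp name -> configured type, list of problems found)."""
    root = ET.fromstring(conf_xml)
    defined, problems = {}, []
    for source in root.iter("Source"):
        for rx in source:  # each child element is one named regular expression
            defined[rx.tag] = rx.get("type", "CONTEXT")
            if defined[rx.tag] != expected_type(rx.tag):
                problems.append(f"{rx.tag}: type {defined[rx.tag]} but name suggests {expected_type(rx.tag)}")
            try:
                re.compile(rx.text or "")
            except re.error as exc:
                problems.append(f"{rx.tag}: regexp does not compile ({exc})")
    for field in root.iter("Field"):
        ref = field.get("input_regexp_to_match")
        if ref and ref not in defined:  # dangling reference: that field will never match
            problems.append(f"Field {field.get('name')}: input_regexp_to_match={ref} is not defined")
    return defined, problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONF)[1]:
        print(problem)
```

To check a real upgrade, read /opt/kaspersky/ktfs/etc/kl_feed_service.conf into check_config instead of SAMPLE_CONF; an empty problem list means every transferred regular expression has the expected type and every feed field references a defined one.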
