This section describes how to replace Kaspersky Threat Feed Service for a SIEM solution with Kaspersky CyberTrace for Windows.
Upgrading files (Windows Installer—.msi file)
To use an .msi file to upgrade files for Kaspersky Threat Feed Service for a SIEM solution:
%service_dir%\bin\kl_control.bat stop
%service_dir%\bin\kl_feed_service.conf (Feed Service configuration file)
%service_dir%\bin\kl_feed_util.conf (Feed Utility configuration file)
%service_dir%\dmz\feeds.pem (certificate for downloading feeds)
InputSettings > ConnectionString and OutputSettings > ConnectionString elements of the backup copy of kl_feed_service.conf to the corresponding Kaspersky CyberTrace configuration file.
kl_feed_service.conf to the corresponding CyberTrace configuration file, group these regular expressions by event source with the help of the Source element, and specify the type parameter for each regular expression. If you want to use your newly transferred regular expressions in the matching process after the upgrade is complete, associate each regular expression with the corresponding feed field or fields. You can do this by specifying the input_regexp_to_match parameter for each required feed field in the CyberTrace configuration file. This parameter must be the same as the name of the regular expression specified in the Source element. Below is an example of what the CyberTrace configuration file must look like after editing.
Note how the newly transferred REDIRECT_IP regular expression is assigned the IP type and is associated with the ip feed field through the input_regexp_to_match attribute.
<InputSettings>
  <RegExps>
    <Source id="default">
      <DST_IP concatenate="#1" extract="first" type="IP">dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</DST_IP>
      <SRC_IP concatenate="#1" extract="first" type="IP">src\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</SRC_IP>
      <REDIRECT_IP concatenate="#1" extract="first" type="IP">redirect\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</REDIRECT_IP>
    </Source>
  </RegExps>
</InputSettings>
<Feeds per_scan_detect_limit="10000">
  <Feed filename="Demo_IP_Reputation_Data_Feed.json" enabled="true">
    <Field name="ip" matching_type="Exact" input_regexp_to_match="DST_IP" category="KL_IP_Reputation"/>
    <Field name="ip" matching_type="Exact" input_regexp_to_match="SRC_IP" category="KL_IP_Reputation"/>
    <Field name="ip" matching_type="Exact" input_regexp_to_match="REDIRECT_IP" category="KL_IP_Reputation"/>
  </Feed>
</Feeds>
For more information on how to specify event sources in the Feed Service configuration file, see section "About event sources".
kl_feed_util.conf to the corresponding CyberTrace configuration file.
You can also perform this action through Kaspersky CyberTrace Web, the web user interface for Kaspersky CyberTrace. For usage instructions, see section "Kaspersky CyberTrace Web".
Upgrading files (.zip file installation)
To use a .zip archive to upgrade files for Kaspersky Threat Feed Service for a SIEM solution:
%service_dir%\bin\kl_control.bat stop
%service_dir%\bin\kl_feed_service.conf (Feed Service configuration file)
%service_dir%\bin\kl_feed_util.conf (Feed Utility configuration file)
%service_dir%\dmz\feeds.pem (certificate for downloading feeds)
uninstall.bat script, which you can find in the Kaspersky Threat Feed Service distribution kit.
%service_dir% folder.
When copying your custom regular expressions to the CyberTrace configuration file, group these regular expressions by event source with the help of the Source element, and specify the type parameter for each regular expression. If you want to use your newly transferred regular expressions in the matching process after the upgrade is complete, associate each regular expression with the corresponding feed field or fields. You can do this by specifying the input_regexp_to_match parameter for each required feed field in the CyberTrace configuration file. This parameter must be the same as the name of the regular expression specified in the Source element. Below is an example of what the CyberTrace configuration file must look like after editing.
Note how the newly transferred REDIRECT_IP regular expression is assigned the IP type and is associated with the ip feed field via the input_regexp_to_match attribute.
<InputSettings>
  <RegExps>
    <Source id="default">
      <DST_IP concatenate="#1" extract="first" type="IP">dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</DST_IP>
      <SRC_IP concatenate="#1" extract="first" type="IP">src\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</SRC_IP>
      <REDIRECT_IP concatenate="#1" extract="first" type="IP">redirect\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</REDIRECT_IP>
    </Source>
  </RegExps>
</InputSettings>
<Feeds per_scan_detect_limit="10000">
  <Feed filename="Demo_IP_Reputation_Data_Feed.json" enabled="true">
    <Field name="ip" matching_type="Exact" input_regexp_to_match="DST_IP" category="KL_IP_Reputation"/>
    <Field name="ip" matching_type="Exact" input_regexp_to_match="SRC_IP" category="KL_IP_Reputation"/>
    <Field name="ip" matching_type="Exact" input_regexp_to_match="REDIRECT_IP" category="KL_IP_Reputation"/>
  </Feed>
</Feeds>
For more information on how to specify event sources in the Feed Service configuration file, see section "About event sources".
You can copy values from the Kaspersky Threat Feed Service configuration files to the CyberTrace configuration files through Kaspersky CyberTrace Web, the web user interface for Kaspersky CyberTrace. For usage instructions, see section "Kaspersky CyberTrace Web".
Kaspersky CyberTrace is not compatible with Kaspersky Threat Feed Service configuration files. Do not replace CyberTrace configuration files with Kaspersky Threat Feed Service configuration files.
%service_dir%\dmz\feeds.pem with the backup copy of your certificate.
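The regular-expression and ConnectionString migration described in both upgrade procedures above (the .msi and the .zip variants) can be scripted rather than done by hand. The script below is an added example, not Kaspersky's code or part of the CyberTrace distribution. It assumes a hypothetical layout for the legacy kl_feed_service.conf backup (ConnectionString under InputSettings and OutputSettings, regular expressions directly under InputSettings/RegExps without Source grouping or a type attribute), uses constructed connection strings and a constructed sample event, takes the type for each regexp from a mapping you supply (the page only shows the IP type and the ip feed field), and uses Python's re module as an approximation of the CyberTrace matching engine. It also flags unescaped dots in IP regexps, a common defect that makes a migrated pattern match strings that are not IP addresses.

```python
"""Migrate Kaspersky Threat Feed Service settings into the CyberTrace layout.

Added example, not Kaspersky's code. The legacy layout below is a hypothetical
reconstruction of kl_feed_service.conf; the CyberTrace layout (Source grouping,
type attribute, input_regexp_to_match on Field) follows the page's sample.
"""
import re
import xml.etree.ElementTree as ET

# Constructed legacy snippet (hypothetical layout, constructed connection strings).
LEGACY_CONF = r"""<Settings>
  <InputSettings>
    <ConnectionString>127.0.0.1:9999</ConnectionString>
    <RegExps>
      <DST_IP concatenate="#1" extract="first">dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</DST_IP>
      <REDIRECT_IP concatenate="#1" extract="first">redirect\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:$|\s)</REDIRECT_IP>
    </RegExps>
  </InputSettings>
  <OutputSettings>
    <ConnectionString>127.0.0.1:9998</ConnectionString>
  </OutputSettings>
</Settings>"""

# Type to assign to each migrated regexp (the page shows only IP) and the feed
# field each type is matched against. Extend both when migrating other types.
TYPES = {"DST_IP": "IP", "REDIRECT_IP": "IP"}
FIELD_FOR_TYPE = {"IP": "ip"}

# Constructed event in the key=value layout the regexps expect (TEST-NET addresses).
SAMPLE_EVENT = "src=10.0.0.5 dst=192.0.2.10 redirect=198.51.100.7"


def parse_legacy(xml_text):
    """Return (connection strings per section, {regexp name: (attributes, pattern)})."""
    root = ET.fromstring(xml_text)
    conn = {section: root.findtext(f"{section}/ConnectionString")
            for section in ("InputSettings", "OutputSettings")}
    regexps = {node.tag: (dict(node.attrib), node.text or "")
               for node in root.find("InputSettings/RegExps")}
    return conn, regexps


def build_input_settings(regexps, types, source_id="default"):
    """Group the regexps under one Source element and add the required type attribute."""
    input_settings = ET.Element("InputSettings")
    source = ET.SubElement(ET.SubElement(input_settings, "RegExps"), "Source", id=source_id)
    for name, (attrs, pattern) in regexps.items():
        if name not in types:
            raise ValueError(f"no type specified for regexp {name}")
        ET.SubElement(source, name, **attrs, type=types[name]).text = pattern
    return input_settings


def build_feed_fields(regexps, types, feed_filename, category):
    """Tie every migrated regexp to the feed field of its type via input_regexp_to_match."""
    feeds = ET.Element("Feeds", per_scan_detect_limit="10000")
    feed = ET.SubElement(feeds, "Feed", filename=feed_filename, enabled="true")
    for name in regexps:
        ET.SubElement(feed, "Field", name=FIELD_FOR_TYPE[types[name]],
                      matching_type="Exact", input_regexp_to_match=name, category=category)
    return feeds


def unescaped_dots(pattern):
    """Offsets of '.' not preceded by a backslash. An IP regexp with such a dot
    also matches strings like '192x0x2x10', so fix these before the file goes live."""
    return [i for i, ch in enumerate(pattern)
            if ch == "." and (i == 0 or pattern[i - 1] != "\\")]


def check_regexps(regexps, event):
    """Run each migrated regexp over a sample event (Python re approximates the
    CyberTrace engine) and return what capture group 1 extracted, or None."""
    captures = {}
    for name, (_attrs, pattern) in regexps.items():
        match = re.search(pattern, event)
        captures[name] = match.group(1) if match else None
    return captures


def migrate(legacy_xml, types, feed_filename, category):
    """Whole migration: CyberTrace XML fragments plus the pre-flight checks."""
    conn, regexps = parse_legacy(legacy_xml)
    dot_warnings = {}
    for name, (_attrs, pattern) in regexps.items():
        dots = unescaped_dots(pattern)
        if dots:
            dot_warnings[name] = dots
    return {
        "connection_strings": conn,
        "input_settings": ET.tostring(build_input_settings(regexps, types), encoding="unicode"),
        "feeds": ET.tostring(build_feed_fields(regexps, types, feed_filename, category),
                             encoding="unicode"),
        "captures": check_regexps(regexps, SAMPLE_EVENT),
        "unescaped_dots": dot_warnings,
    }


if __name__ == "__main__":
    result = migrate(LEGACY_CONF, TYPES, "Demo_IP_Reputation_Data_Feed.json", "KL_IP_Reputation")
    for key, value in result.items():
        print(f"== {key}\n{value}")
```

Paste the printed InputSettings and Feeds fragments into the corresponding CyberTrace configuration file (or enter the same values through Kaspersky CyberTrace Web), and treat any non-empty unescaped_dots entry or a None capture as a regexp to correct before restarting the service.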