Upgrading Kaspersky CyberTrace files (Linux)

This section describes how to upgrade Kaspersky CyberTrace on Linux.

Upgrading files (RPM/DEB package)

To upgrade Kaspersky CyberTrace automatically to a newer version:

  1. Make backup copies of the black and white lists:
    1. If the black list contains some records, copy the /opt/kaspersky/ktfs/feeds/Black_List.json file and the /opt/kaspersky/ktfs/feeds/Black_List.json.url.bin directory to the /tmp/feeds directory.
    2. If the white list contains some records, copy the /opt/kaspersky/ktfs/feeds/White_List.json file and the /opt/kaspersky/ktfs/feeds/White_List.json.url.bin directory to the /tmp/feeds directory.
  2. Make backup copies of the /opt/kaspersky/ktfs/etc/kl_feed_service.conf and /opt/kaspersky/ktfs/etc/kl_feed_util.conf files.
  3. Run the following command with root privileges:

    run.sh upgrade

  4. At the beginning of the upgrade process, accept the request to stop Feed Service. If you refuse to stop it, the upgrade breaks.

    Starting from Kaspersky CyberTrace version 3.1.0, the CyberTrace HTTP service always starts when Kaspersky CyberTrace is initialized.

    When the installation script finishes the upgrade process, Feed Service will be launched.

  5. Stop Feed Service by running the following command:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service stop

  6. Move the settings of Kaspersky feeds from the backup copy of kl_feed_util.conf to the /opt/kaspersky/ktfs/etc/kl_feed_util.conf file:
    • For each Feed element of the kl_feed_util.conf backup copy that is not related to an OSINT or custom feed and whose Name nested element does not contain Mobile_Botnet_CnC_URL_Data_Feed.json, copy the contents of the Feed element to the kl_feed_util.conf file to substitute the existing data with the new data.
    • For the Feed element of the kl_feed_util.conf backup copy, whose Name nested element contains Mobile_Botnet_CnC_URL_Data_Feed.json, move the value of its enabled attribute to the enabled attribute of the corresponding Feed element of the kl_feed_service.conf.
  7. Move the settings of Kaspersky feeds from the backup copy of kl_feed_service.conf to the /opt/kaspersky/ktfs/etc/kl_feed_service.conf file: for each feed, move the Configuration > Feeds > Feed > ActionableFields section to the new configuration file.
  8. Replace the Configuration > OutputSettings section of the /opt/kaspersky/ktfs/etc/kl_feed_service.conf file with the corresponding section of kl_feed_service.conf backup copy.
  9. Restore the black and white lists from their backup copies by copying the contents of the /tmp/feeds directory to the /opt/kaspersky/ktfs/feeds directory.
  10. Start Feed Service as follows:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service start

  11. Clear the browser cache using the standard method for your browser and navigate to the Kaspersky CyberTrace Web page.

After you perform the steps above, all the settings, user accounts data, available feeds and certificates will be transferred to the new version. If you have a commercial license key, you can add it to Kaspersky CyberTrace by means of the Licensing tab.

Note that automatic upgrade with the RPM/DEB package is available only if you have Kaspersky CyberTrace version 3.0.0 or later on your computer. Also, automatic upgrade functionality is available only if you have accepted the EULA in the installation that is being upgraded.

Upgrading files (TGZ package)

To upgrade Kaspersky CyberTrace:

  1. Stop Feed Service by running the following command:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service stop

  2. Make a backup copy as follows:
    1. Copy the configuration and other files to the /tmp directory as follows:

      cp /opt/kaspersky/ktfs/etc/kl_feed_service.conf /opt/kaspersky/ktfs/etc/kl_feed_util.conf /opt/kaspersky/ktfs/httpsrv/etc/custom_feed_list.conf /opt/kaspersky/ktfs/httpsrv/etc/ktfsaccess /opt/kaspersky/ktfs/httpsrv/etc/ktfsstatistics.kvdb /opt/kaspersky/ktfs/httpsrv/etc/ktfsstorage.kvdb /tmp

      Also, copy the PEM-formatted certificates specified in the SSLCertificatePath and SSLPrivateKeyPath elements of the kl_feed_service.conf file and the CertFile element of the kl_feed_util.conf file to the /tmp directory.

      Hereinafter, these files are referred to as the backup copies. Data from these files will be used in the new installation.

    2. If the black list contains records, copy the /opt/kaspersky/ktfs/feeds/Black_List.json file and the /opt/kaspersky/ktfs/feeds/Black_List.json.url.bin directory to the /tmp/feeds directory.
    3. If the white list contains records, copy the /opt/kaspersky/ktfs/feeds/White_List.json file and the /opt/kaspersky/ktfs/feeds/White_List.json.url.bin directory to the /tmp/feeds directory.
    4. If you want to keep old files, run the following command:

      mv /opt/kaspersky/ktfs /opt/kaspersky/old_ktfs

      If you do not want to keep old files, run the following command:

      rm -fr /opt/kaspersky/ktfs

  3. Unpack the TGZ archive to the /opt/kaspersky/ directory and overwrite existing files:

    tar zxvf Kaspersky_CyberTrace-Linux-x86_64-X.Y.Z.T-Release_for_SIEM.tar.gz -C /opt/kaspersky

    In this command, replace Kaspersky_CyberTrace-Linux-x86_64-X.Y.Z.T-Release_for_SIEM.tar.gz with the real name of the distribution archive.

  4. Rename the directory to which the archive is unpacked as follows:

    mv /opt/kaspersky/Kaspersky_CyberTrace-Linux-x86_64-X.Y.Z.T-Release_for_SIEM /opt/kaspersky/ktfs

  5. Set the connection settings as follows:
    1. Copy the proxy settings to the ProxySettings element of the kl_feed_util.conf file from its backup copy.
    2. Copy the IP address and port to which the outgoing events will be sent to the OutputSettings > ConnectionString element of the kl_feed_service.conf file from its backup copy.
    3. Copy the IP address and port to listen on for incoming events to the InputSettings > ConnectionString element of the kl_feed_service.conf file from its backup copy.
  6. For every Configuration > InputSettings > RegExps > Source element of the kl_feed_service.conf file backup, copy the element to the kl_feed_service.conf file (this replaces the existing data with the data from the backup).
  7. Copy the contents of the Configuration > NormalizingRules element of the backup copy of the kl_feed_service.conf file to every Configuration > InputSettings > RegExps > Source > NormalizingRules element of the kl_feed_service.conf file whose id attribute of the Source element is not http_single_lookup or http_file_lookup.

    If, however, a normalizing rule is used for delimiting events (namely, the output attribute of the Replace element has the value "\n" or a literal line-break character), do not copy it to the kl_feed_service.conf file, but create or edit the Configuration > InputSettings > EventDelimiter element instead with the following contents:

    <EventDelimiter>%START_EVENT_SYMBOLS%</EventDelimiter>

    Here %START_EVENT_SYMBOLS% is the value of the input attribute of that Replace element.

  8. Merge the contents of the Feeds element of the kl_feed_service.conf file backup with the kl_feed_service.conf file as follows:
    1. In the kl_feed_service.conf file backup, in each Field element pertaining to custom JSON feeds, change the value of the name attribute as follows: in the kl_feed_util.conf file backup, in the Parsing element pertaining to this JSON feed, find an element whose name is the same as the value of the cited name attribute and replace the value of the name attribute with the value of the found element.

      For example:

      The contents of the kl_feed_service.conf file backup before editing:

      <Feed filename="My_custom_feed.json" outdated_alert_period="0" enabled="true">
        <Field name="Custom_MD5" matching_type="Exact" input_regexp_to_match="RE_HASH" category="My_custom_feed_MD5" />
        <Field name="Custom_URL" matching_type="Url" input_regexp_to_match="RE_URL" category="My_custom_feed_URL" />
      </Feed>

      The contents of the kl_feed_util.conf file backup:

      <Parsing type="json">
        <Custom_URL type="url">URL</Custom_URL>
        <Custom_MD5 type="md5">MD5</Custom_MD5>
      </Parsing>

      The contents of the kl_feed_service.conf file backup after editing:

      <Feed filename="My_custom_feed.json" outdated_alert_period="0" enabled="true">
        <Field name="MD5" matching_type="Exact" input_regexp_to_match="RE_HASH" category="My_custom_feed_MD5" />
        <Field name="URL" matching_type="Url" input_regexp_to_match="RE_URL" category="My_custom_feed_URL" />
      </Feed>

      A custom JSON feed is not from Kaspersky, nor is it an OSINT feed, but is a feed for which the Path element of the kl_feed_util.conf file has the .json extension.

    2. For every Feed element of the kl_feed_service.conf file backup that is not related to an OSINT feed and whose filename attribute is not equal to Mobile_Botnet_CnC_URL_Data_Feed.json, copy the Feed element's contents to the kl_feed_service.conf file to substitute the existing data with the new data.
    3. For the Feed element of the kl_feed_service.conf file backup whose filename attribute is Mobile_Botnet_CnC_URL_Data_Feed.json, copy the value of its enabled attribute to the enabled attribute of the Feed element of the kl_feed_service.conf file whose filename attribute is Mobile_Botnet_CnC_URL_Data_Feed.json.
  9. Merge the contents of the Feeds element of the kl_feed_util.conf file backup with kl_feed_util.conf file as follows:
    1. Edit the kl_feed_util.conf file backup as follows:
      1. For each field listed in the RequiredFields element of every custom JSON feed, find an element, nested in the Parsing element of this JSON feed, whose name is the same as the field name, and rename the field in the RequiredFields element to the value of the found element.
      2. For the field specified in the UrlMatcherField element (if this element is used) of every custom JSON feed, find an element nested in the Parsing element of this JSON feed, whose name is the same as the field name. Rename the field in the UrlMatcherField element to the value of the found element.
      3. For each element nested in the Parsing element that pertains to a custom JSON feed, change its name to Field.

      For example:

      The contents of the kl_feed_util.conf file backup before editing:

      <Feed enabled="true">
        <Name>My_custom_feed</Name>
        <Path>./custom_example/example_feed.json</Path>
        <UrlMatcherField>Custom_URL</UrlMatcherField>
        <Parsing type="json">
          <Custom_MD5 type="MD5">MD5</Custom_MD5>
          <Custom_URL type="URL">URL</Custom_URL>
          <Some_Trash type="CONTEXT">trash</Some_Trash>
        </Parsing>
        <RequiredFields>Custom_MD5;Custom_URL;Some_Trash</RequiredFields>
      </Feed>

      The contents of the kl_feed_util.conf file backup after editing:

      <Feed enabled="true">
        <Name>My_custom_feed</Name>
        <Path>./custom_example/example_feed.json</Path>
        <UrlMatcherField>URL</UrlMatcherField>
        <Parsing type="json">
          <Field type="MD5">MD5</Field>
          <Field type="URL">URL</Field>
          <Field type="CONTEXT">trash</Field>
        </Parsing>
        <RequiredFields>MD5;URL;trash</RequiredFields>
      </Feed>

      A custom JSON feed is not from Kaspersky, nor is it an OSINT feed, but instead is a feed for which the Path element of the kl_feed_util.conf has the .json extension.

    2. For every Feed element of the kl_feed_util.conf file backup that is not related to an OSINT feed and whose Name nested element does not contain Mobile_Botnet_CnC_URL_Data_Feed.json, copy the Feed element's contents to the kl_feed_util.conf file to substitute the existing data with the new data.
    3. For the Feed element of the kl_feed_util.conf file backup, whose Name nested element contains Mobile_Botnet_CnC_URL_Data_Feed.json, specify the value of its enabled attribute in the enabled attribute of the Feed element of the kl_feed_service.conf file whose Name nested element contains Mobile_Botnet_CnC_URL_Data_Feed.json.
  10. Set the regular feed update settings as specified in the cron utility as follows:
    1. Browse the crontab file by running the command crontab -l in order to determine the update period for the /opt/kaspersky/ktfs/scripts/cron.sh script.
    2. Choose the nearest value for the update period among the following: 0, 30, 60, 120, 240, 480, 960, 1440 minutes.

      If you specify 0, the automatic update is switched off.

    3. Specify the chosen value in the update_frequency attribute of the Configuration > Feeds element of the kl_feed_service.conf file.

      If you specify a value other than the values listed above, an error will occur during the Feed Service start.

    4. Remove from the cron settings the regular update of the /opt/kaspersky/ktfs/scripts/cron.sh script by running the command crontab -e and removing the corresponding line.
  11. Copy the Kaspersky CyberTrace GUI settings to the GUISettings element of the kl_feed_service.conf file from its backup copy (in this way, you can replace existing data with new data).

    If the value of the enabled attribute of the GUISettings > HTTPServer section in the kl_feed_util.conf backup copy is false, copy this section to the kl_feed_util.conf configuration file without the enabled attribute.

  12. Configure Kaspersky CyberTrace so that it will use the existing regular expressions and work with the new feeds.

    For this, specify feed matching rules for the new feeds (Mobile Botnet CnC URL Data Feed, IoT URL Data Feed, Vulnerability Data Feed) in the Feeds element of the kl_feed_service.conf configuration file as follows:

    1. For every new feed, remove all the Field elements from the kl_feed_service.conf file.
    2. In the /opt/kaspersky/ktfs/httpsrv/etc/kl_feeds_info.conf file, find the feed being considered, the list of its fields to detect, and the name, type, and category parameters of these fields.
    3. For every field to detect, determine the matching type and the type of extracted data on the basis of the field type, from the following table (there can be several choices):

      Field type   Type of extracted data   Matching type
      URL          URL                      URL
      DOMAIN       URL                      URL
      IP           IP                       EXACT
      MD5          MD5                      EXACT
      SHA1         SHA1                     EXACT
      SHA256       SHA256                   EXACT
      MD5          HASH                     EXACT
      SHA1         HASH                     EXACT
      SHA256       HASH                     EXACT
      DOMAIN       DOMAIN                   URL
      URL          DOMAIN                   URL

    4. In the RegExps section of the kl_feed_service.conf file, find all regular expressions of the determined type of extracted data.
    5. For every regular expression found, add a Field element to the kl_feed_service.conf file with the following data:
      • The name attribute contains the value of the name parameter of the field to detect, according to the kl_feed_info.conf file.
      • The matching_type attribute contains the matching type from the above table.
      • The input_regexp_to_match attribute contains the regular expression name.
      • The category attribute contains the value of the category parameter of the field to detect, according to the kl_feed_info.conf file.
  13. Replace the following files with their backup copies cited in step 2:
    • PEM-formatted certificates
    • /opt/kaspersky/ktfs/httpsrv/etc/custom_feed_list.conf
    • /opt/kaspersky/ktfs/httpsrv/etc/ktfsaccess
    • /opt/kaspersky/ktfs/httpsrv/etc/ktfsstatistics.kvdb
    • /opt/kaspersky/ktfs/httpsrv/etc/ktfsstorage.kvdb
  14. Copy the Feed Utility proxy settings to the Settings > ProxySettings element of the kl_feed_util.conf file from its backup copy.
  15. Copy the contents of the /tmp/feeds directory to the /opt/kaspersky/ktfs/feeds directory.
  16. After the installation is complete, run Feed Service as follows:

    /opt/kaspersky/ktfs/etc/init.d/kl_feed_service start

  17. Clear the browser cache using the standard method for your browser and navigate to the Kaspersky CyberTrace Web page.
  18. Select the Settings > Feeds tab in Kaspersky CyberTrace Web and turn on the use of the OSINT feeds you need in the Filtering rules for feeds table.
  19. If you have a commercial license key, you can add it to Kaspersky CyberTrace by means of the Licensing tab.
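As an added example (not part of the Kaspersky documentation or product), the following Python script applies steps 8.1 and 9.1 of the TGZ procedure to one custom JSON feed: it builds the old-name to new-name map from the Parsing element of the kl_feed_util.conf backup, rewrites RequiredFields, UrlMatcherField and the Parsing children, and renames the Field name attributes in the kl_feed_service.conf backup, refusing to continue if a field has no Parsing entry. The sample fragments are constructed from the page's examples; the real files wrap these elements in Configuration > Feeds, so extract the Feed element of each custom feed before applying it.

```python
import xml.etree.ElementTree as ET

# Constructed sample (mirrors the page's example): the feed's Feed element from the kl_feed_util.conf backup.
UTIL_FEED = """<Feed enabled="true">
  <Name>My_custom_feed</Name>
  <Path>./custom_example/example_feed.json</Path>
  <UrlMatcherField>Custom_URL</UrlMatcherField>
  <Parsing type="json">
    <Custom_MD5 type="MD5">MD5</Custom_MD5>
    <Custom_URL type="URL">URL</Custom_URL>
    <Some_Trash type="CONTEXT">trash</Some_Trash>
  </Parsing>
  <RequiredFields>Custom_MD5;Custom_URL;Some_Trash</RequiredFields>
</Feed>"""

# Constructed sample: the same feed's Feed element from the kl_feed_service.conf backup.
SERVICE_FEED = """<Feed filename="My_custom_feed.json" outdated_alert_period="0" enabled="true">
  <Field name="Custom_MD5" matching_type="Exact" input_regexp_to_match="RE_HASH" category="My_custom_feed_MD5"/>
  <Field name="Custom_URL" matching_type="Url" input_regexp_to_match="RE_URL" category="My_custom_feed_URL"/>
</Feed>"""


def upgrade_custom_feed(util_xml, service_xml):
    """Apply steps 8.1 and 9.1 to one custom JSON feed; returns (util_xml, service_xml)."""
    util = ET.fromstring(util_xml)
    service = ET.fromstring(service_xml)
    parsing = util.find("Parsing")
    if parsing is None:
        raise ValueError("feed has no Parsing element; is it a custom JSON feed?")
    # Old field name = tag of a Parsing child; new field name = that child's text.
    mapping = {el.tag: (el.text or "").strip() for el in parsing}

    def rename(old):
        old = old.strip()
        if old not in mapping:  # a field the Parsing element does not describe
            raise ValueError(f"field '{old}' has no Parsing element in this feed")
        return mapping[old]

    # Step 9.1: rewrite RequiredFields and UrlMatcherField, then make Parsing children Field.
    req = util.find("RequiredFields")
    if req is not None and req.text:
        req.text = ";".join(rename(f) for f in req.text.split(";"))
    url_field = util.find("UrlMatcherField")
    if url_field is not None and url_field.text:
        url_field.text = rename(url_field.text)
    for el in parsing:
        el.tag = "Field"
    # Step 8.1: each Field name attribute of the service backup takes the new name.
    for field in service.findall("Field"):
        field.set("name", rename(field.get("name", "")))
    return ET.tostring(util, encoding="unicode"), ET.tostring(service, encoding="unicode")
```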