After you configure Kaspersky CyberTrace and RSA NetWitness, run the verification test to confirm that events flow from Log Scanner through Feed Service to RSA NetWitness and that detections are reported correctly.
Perform the verification test before you edit any filtering rules in the Feed Utility configuration file: the expected results below assume unfiltered feeds, so a custom rule can suppress a detection and make a working integration look broken.
To check whether Kaspersky CyberTrace is correctly integrated with RSA NetWitness:

1. Make sure that Log Scanner sends events to Feed Service. For this purpose, in the Connection element of the Log Scanner configuration file, specify the IP address and port on which Feed Service listens for inbound events (as set on the Settings > Service tab of Kaspersky CyberTrace Web).
2. Send the kl_verification_test_cef.txt file from the verification directory to Feed Service by using Log Scanner. For this purpose, run the following command:
   In Linux: ./log_scanner -p ../verification/kl_verification_test_cef.txt
   In Windows: log_scanner.exe -p ..\verification\kl_verification_test_cef.txt
   Do not specify the -r flag in this command, so that Feed Service sends the test results to the SIEM solution by using the parameters for outbound events specified on the Settings > Service tab of Kaspersky CyberTrace Web.
3. View the test results in RSA NetWitness in the same way as you browse other Feed Service events.
Verification test results
The verification test results depend on the feeds you use: only the objects belonging to the feeds that are enabled in your configuration are detected. The expected detections per feed are listed in the following table.

Feed used | Detected objects
--- | ---
Malicious URL Data Feed | http://fakess123.nu; http://badb86360457963b90faac9ae17578ed.com
Phishing URL Data Feed | http://fakess123ap.nu; http://e77716a952f640b42e4371759a661663.com
Botnet CnC URL Data Feed | http://fakess123bn.nu; http://a7396d61caffe18a4cffbb3b428c9b60.com
IP Reputation Data Feed | 192.0.2.0; 192.0.2.3
Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF; 44D88612FEA8A8F36DE82E1278ABB02F (MD5 of the EICAR Standard Anti-Virus Test File); C912705B4BBB14EC7E78FA8B370532C9
Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1
Mobile Botnet CnC URL Data Feed | 001F6251169E6916C455495050A3FB8D (MD5 hash); sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask)
Ransomware URL Data Feed | http://fakess123r.nu; http://fa7830b4811fbef1b187913665e6733c.com
Vulnerability Data Feed | D8C1F5B4AD32296649FF46027177C594
APT URL Data Feed | http://b046f5b25458638f6705d53539c79f62.com
APT Hash Data Feed | 7A2E65A0F70EE0615EC0CA34240CF082
APT IP Data Feed | 192.0.2.4
IoT URL Data Feed | http://e593461621ee0f9134c632d00bf108fd.com/.i
Demo Botnet CnC URL Data Feed | http://5a015004f9fc05290d87e86d69c4b237.com; http://fakess123bn.nu
Demo IP Reputation Data Feed | 192.0.2.1; 192.0.2.3
Demo Malicious Hash Data Feed | 776735A8CA96DB15B422879DA599F474; FEAF2058298C1E174C2B79AFFC7CF4DF; 44D88612FEA8A8F36DE82E1278ABB02F
ICS Hash Data Feed | 7A8F30B40C6564EFF95E678F7C43346C
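Checking the result of the procedure above by eye against the table is error-prone once more than a few feeds are enabled, and URL and hash values in a SIEM export rarely match the table character for character (a dropped http:// prefix, a trailing slash, a lower-cased hash). The following script is an added example, not part of Kaspersky CyberTrace or RSA NetWitness: it encodes the expected detections from the table, normalizes indicators before comparing, and reports per feed which objects reached the SIEM and which are missing. It assumes that the detected indicators have been exported from RSA NetWitness as plain text with one indicator per line; the OBSERVED sample is constructed. As a side check it recomputes the MD5 of the EICAR test file to confirm the value the table attributes to it.

```python
"""Check which Kaspersky CyberTrace verification-test detections reached the SIEM.

Added example, not code from Kaspersky CyberTrace or RSA NetWitness.
EXPECTED mirrors the "Verification test results" table. The export format
(one indicator per line) is an assumption; the OBSERVED sample is constructed.
"""
import hashlib
from typing import Dict, Iterable, List

# Expected detected objects per feed, copied from the table. Annotations such
# as "(MD5 hash)" or "(URL mask)" are left out because only the value is matched.
EXPECTED: Dict[str, List[str]] = {
    "Malicious URL Data Feed": ["http://fakess123.nu", "http://badb86360457963b90faac9ae17578ed.com"],
    "Phishing URL Data Feed": ["http://fakess123ap.nu", "http://e77716a952f640b42e4371759a661663.com"],
    "Botnet CnC URL Data Feed": ["http://fakess123bn.nu", "http://a7396d61caffe18a4cffbb3b428c9b60.com"],
    "IP Reputation Data Feed": ["192.0.2.0", "192.0.2.3"],
    "Malicious Hash Data Feed": [
        "FEAF2058298C1E174C2B79AFFC7CF4DF",
        "44D88612FEA8A8F36DE82E1278ABB02F",  # MD5 of the EICAR test file
        "C912705B4BBB14EC7E78FA8B370532C9",
    ],
    "Mobile Malicious Hash Data Feed": ["60300A92E1D0A55C7FDD360EE40A9DC1"],
    "Mobile Botnet CnC URL Data Feed": ["001F6251169E6916C455495050A3FB8D", "sdfed7233dsfg93acvbhl.su/steallallsms.php"],
    "Ransomware URL Data Feed": ["http://fakess123r.nu", "http://fa7830b4811fbef1b187913665e6733c.com"],
    "Vulnerability Data Feed": ["D8C1F5B4AD32296649FF46027177C594"],
    "APT URL Data Feed": ["http://b046f5b25458638f6705d53539c79f62.com"],
    "APT Hash Data Feed": ["7A2E65A0F70EE0615EC0CA34240CF082"],
    "APT IP Data Feed": ["192.0.2.4"],
    "IoT URL Data Feed": ["http://e593461621ee0f9134c632d00bf108fd.com/.i"],
    "Demo Botnet CnC URL Data Feed": ["http://5a015004f9fc05290d87e86d69c4b237.com", "http://fakess123bn.nu"],
    "Demo IP Reputation Data Feed": ["192.0.2.1", "192.0.2.3"],
    "Demo Malicious Hash Data Feed": [
        "776735A8CA96DB15B422879DA599F474",
        "FEAF2058298C1E174C2B79AFFC7CF4DF",
        "44D88612FEA8A8F36DE82E1278ABB02F",
    ],
    "ICS Hash Data Feed": ["7A8F30B40C6564EFF95E678F7C43346C"],
}

# The EICAR test string (public, harmless); its MD5 must equal the table value.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_md5() -> str:
    """Upper-case hex MD5 of the EICAR test file, for comparison with the table."""
    return hashlib.md5(EICAR).hexdigest().upper()


def is_md5(value: str) -> bool:
    return len(value) == 32 and all(c in "0123456789abcdefABCDEF" for c in value)


def normalize(indicator: str) -> str:
    """Canonical form: strip scheme and trailing slash, upper-case hashes, lower-case the rest."""
    value = indicator.strip()
    for scheme in ("http://", "https://"):
        if value.lower().startswith(scheme):
            value = value[len(scheme):]
            break
    value = value.rstrip("/")
    return value.upper() if is_md5(value) else value.lower()


def load_observed(text: str) -> List[str]:
    """Parse a one-indicator-per-line export (assumed format); blank and '#' lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip() and not line.lstrip().startswith("#")]


def check_feeds(observed: Iterable[str], feeds_in_use: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """For each enabled feed, split its expected objects into found and missing."""
    seen = {normalize(x) for x in observed}
    report: Dict[str, Dict[str, List[str]]] = {}
    for feed in feeds_in_use:
        expected = EXPECTED[feed]
        report[feed] = {
            "found": [o for o in expected if normalize(o) in seen],
            "missing": [o for o in expected if normalize(o) not in seen],
        }
    return report


def failed_feeds(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Feeds with at least one expected object that did not reach the SIEM."""
    return [feed for feed, r in report.items() if r["missing"]]


# Constructed sample export: what an analyst might copy out of RSA NetWitness.
OBSERVED = load_observed("""
# indicators seen after sending kl_verification_test_cef.txt
fakess123.nu
http://badb86360457963b90faac9ae17578ed.com/
feaf2058298c1e174c2b79affc7cf4df
192.0.2.0
""")

if __name__ == "__main__":
    enabled = ["Malicious URL Data Feed", "Malicious Hash Data Feed", "IP Reputation Data Feed"]
    result = check_feeds(OBSERVED, enabled)
    for feed, r in result.items():
        status = "OK" if not r["missing"] else "MISSING " + ", ".join(r["missing"])
        print(f"{feed}: {status}")
    print("EICAR MD5 matches table:", eicar_md5() in EXPECTED["Malicious Hash Data Feed"])
```

Run it after step 3 of the procedure with your own export in place of OBSERVED and only the feeds you actually license in `enabled`; a feed listed as MISSING while Log Scanner reported no error usually points at a filtering rule or at the outbound settings rather than at the feed itself.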