Managing false positives

This section explains how to manage the False Positives supplier on the Feeds tab. Make sure that the General tenant is selected from the drop-down list that has all available tenants, in the upper-left area of the window.

You can access the false positives list by clicking the Manage False Positives button in the Filtering rules for feeds section.

Managing the false positives list

To access the false positives list, click the Manage False Positives button.

The False Positives window opens:

False Positives list

You can edit the false positives list of indicators as follows:

• Select the URL, Hash, or IP address tab to manage the group you want.

  On the URL tab, you can specify a URL containing a wildcard symbol * (for example, example.com/testpage/*, which will match URLs such as example.com/testpage/test1 and example.com/testpage/test/long_url).

  Starting from Kaspersky CyberTrace version 4.0, the * symbol in the URL is not used as a wildcard. The * just means the "asterisk."

  Kaspersky CyberTrace will apply normalization rules to any URL that you add on the URL tab and which is not yet contained in the indicator database. Thus, the representation of these URLs may change. For example, if you add a URL that contains a port, this port value will be removed. For instructions on how Kaspersky CyberTrace normalizes a URL, see subsection "URL normalization rules" below.

• Every indicator must be on a separate line in the text box.

The false positives list is checked only after all events from a thread have been matched against all the suppliers. The main purpose of the false positives list is to enable Kaspersky CyberTrace to ignore detections for trusted indicators. If any feed produces a detection, but a given indicator is found in the false positives list, Kaspersky CyberTrace does not generate a detection event. In this case, on the Dashboard tab, in the Supplier statistics table, the value in the False positives column corresponding to the supplier that produced the detection is incremented by one. The values in the False positives column show how many false detections were produced by each supplier. For more information about the Dashboard, see section "Kaspersky CyberTrace Dashboard".

URL normalization rules

Any URLs added to the false positives list on the URL tab will be normalized according to the following URL normalization rules:

1. Remove dot segments ("." and "..") according to the algorithm described in RFC 3986, section 5.2.4 Remove Dot Segments (https://www.ietf.org/rfc/rfc3986.txt):

   http://www.example.com/../a/b/../c/./d.html => http://www.example.com/a/c/d.html

2. Remove the protocol:

   http://example.com => example.com

3. Convert internationalized domain names according to the Punycode algorithm described in RFC 3492 (https://www.ietf.org/rfc/rfc3492.txt):

   тест.рф => xn--e1aybc.xn--p1ai

4. Remove the www prefix:

   www.example.com => example.com

5. Remove repeated slashes:

   example.com//dir/test.html => example.com/dir/test.html

6. Remove the trailing slash at the end of the URL:

   example.com/ => example.com

7. Remove the authorization information:

   login:password@example.com => example.com

8. Remove the port number:

   example.com:80/index => example.com/index

9. Remove the #fragment reference:

   example.com#fragment => example.com

10. Remove dots at the end of the host name:

    example.com./index.html => example.com/index.html

11. Convert percent-encoded symbols to UTF-8 according to RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt) and RFC 2279 (https://www.ietf.org/rfc/rfc2279.txt).
12. Convert all characters to lower case:

    EXAMPLE.COM => example.com

13. Convert the IP address (if any) leading to the requested host to dot-decimal notation:

    0112.0175.0117.0150 => 74.125.79.104

Page top