Separate installation of Kaspersky CyberTrace Service and Feed Utility (Windows)

You can install Kaspersky CyberTrace Service and Feed Utility on separate computers. This allows you to isolate the computer, on which event data is matched against feeds, from the Internet.

Do not delete the dmz directory from the distribution kit of Kaspersky CyberTrace, even if you do not plan to use Kaspersky CyberTrace Service and Feed Utility on separate computers.

You can install Feed Utility on a Linux computer. For this, you must have the distribution package for Linux, which also contains instructions on how to perform the installation.

How Kaspersky CyberTrace Service and Feed Utility work in the DMZ

The following diagram describes how Kaspersky CyberTrace Service and Feed Utility work in the DMZ.

Workflow when Kaspersky CyberTrace Service and Feed Utility are installed on separate computers

Kaspersky CyberTrace limitations when operating in an isolated environment

Since Kaspersky CyberTrace will be running on a host without direct internet access, the following Kaspersky CyberTrace operation limitations will apply:

• No possibility of graph enrichment from the third-party sources on the Kaspersky CyberTrace Local host.
• For adding feeds, the Kaspersky CyberTrace settings should be transferred from the local host to the DMZ host, changed, and then moved back to local host. For more information, see section "Changing feed settings after installing Kaspersky CyberTrace Service and Feed Utility on separate computers".

Installing Kaspersky CyberTrace Service and Feed Utility on separate computers

The following procedure describes how to configure the DMZ host and the local host for installing Kaspersky CyberTrace Service on one computer (in this section, referred to as Local) and Feed Utility on another computer (in this section, referred to as DMZ).

Configuring a DMZ host

To configure a DMZ host, do the following:

1. Install Kaspersky CyberTrace on the DMZ host, for easy configuration of the feeds that are supposed to be loaded to Kaspersky CyberTrace in an isolated environment.
2. In the Initial Setup Wizard, specify the required SIEM settings (name, connection details).

   These settings will be further used for the local host.

   Also, add a PEM-formatted certificate for configuring Kaspersky feeds that will be used. It is not necessary to add a Kaspersky CyberTrace license key on the DMZ host, since the Community edition allows configuration of all supported feed types. Adding a license key is obligatory on the local host.

3. If necessary, add or additionally configure the feeds on the Settings > Feeds page, after specifying settings in the Initial Setup Wizard.

   Ensure that the feeds are configured correctly by running the feeds update in Kaspersky CyberTrace at least once.

4. Export the settings from Kaspersky CyberTrace by clicking the Export configuration files button on the Settings > Service page.

   If custom feeds had been earlier configured in Kaspersky CyberTrace, also save the httpsrv\etc\custom_feed_list.conf file for further use.

5. Copy the %service_dir%\dmz directory to a location other than the %service_dir% directory (for example, to the C:\Users\%UserName% directory).

   Hereafter, the path to this directory will be referred as %dmz_fu%.

6. Remove Kaspersky CyberTrace.

   If you have to add new feeds, install Kaspersky CyberTrace on the DMZ host again.

7. Move sections Settings>Feeds and Settings>ProxySettings from the exported kl_feed_util.conf file (see Step 4) to the %dmz_fu%\kl_feed_util.conf file (if the section is present in the target configuration file, replace this section).

   Do not remove the instance of the kl_feed_util.conf file exported from Kaspersky CyberTrace, as well as the kl_feed_service.conf. These files will be used on the local host.

8. Specify accepted in the Settings>EULA tag of the %dmz_fu%\kl_feed_util.conf file.
9. Specify <WorkDir>tmp_download</WorkDir> in the Settings/WorkDir of the %dmz_fu%\kl_feed_util.conf file.
10. Add %dmz_fu%\cron_dmz.cmd to the schtasks list of tasks.

    The cron_dmz.cmd script enables downloading feeds on the DMZ host.

    In the example below, the cron_dmz.cmd script runs once in 30 minutes:

    schtasks /create /tn KasperskyFeedServiceUpdate /ru system /f /tr "\"%dmz_fu%\cron_dmz.cmd\"" /sc minute /mo 30

    You can set your own schedule to run the script.

Configuring a local host

To configure a local host, do the following:

1. Check if the DMZ host is accessible for the local host by using the RSync utility (to do this, perform the steps from section "Synchronizing directories that contain feeds").
2. On the local host, install the same version as Kaspersky CyberTrace that was previously installed on the DMZ host.
3. Stop Kaspersky CyberTrace after installation by running the sc stop cybertrace command.
4. Remove the %service_dir%\bin\.need_run_wizard file.

   This action disables the initial configuration wizard, since configuration has already been completed on the DMZ host.

5. Replace the %service_dir%\bin\kl_feed_util.conf and %service_dir%\bin\kl_feed_service.conf files with the files that were obtained in Step 4 of section "Configuring a DMZ host".

   If custom feeds had been earlier configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv\etc\custom_feed_list.conf file.

6. Open the %service_dir%\bin\kl_feed_util.conf file and specify the following parameters:
   • <NotifyKTFS path="../bin">true</NotifyKTFS>
   • <WorkDir>output</WorkDir>
   • <FeedsDir>../feeds/download</FeedsDir>
7. Configure the following in the %service_dir%\bin\kl_feed_service.conf file:
   • Specify settings in:
     • Configuration>InputSettings>ConnectionString
     • Configuration>GUISettings>HTTPServer>ConnectionString
     • Configuration>GUISettings>HTTPServer>ResourcesIP
   • Set 0 in the update_frequency attribute.

     This customization is applied, since the feeds files loaded on the DMZ host will be periodically synchronized by Schtasks, not Kaspersky CyberTrace.

8. (Recommended) Rename the %service_dir%\dmz\feeds.pem file to feeds.pem.0 to avoid incorrect feeds updating when clicking the Launch update now button.

   You will need to rename this file back to feeds.pem for upgrading Kaspersky CyberTrace from a previous version.

9. Open the %service_dir%\scripts\cron_cybertrace.cmd file and specify the following:
   • RSYNC_USER (user name on the DMZ host for authorization).
   • RSYNC_HOST (host name/IP address of the DMZ host).
   • PATH_TO_FEEDS (path to the %dmz_fu%\download directory on the DMZ host).
   • DOWNLOAD_DIR ("output").
   • SSH_KEY (make sure that you specified the same RSA key file path as described in Step 1 of section "Synchronizing directories that contain feeds").
10. Add %service_dir%\scripts\cron_cybertrace.cmd to the list of the cron tasks.

    The cron_cybertrace.cmd script starts synchronization of the feeds files from the DMZ host. The example below shows that the cron_dmz.cmd file is launched once in 30 minutes:

    schtasks /create /tn KasperskyFeedServiceUpdate /ru %user% /rp %password% /f /tr "%service_dir%\scripts\cron_cybertrace.cmd" /sc minute /mo 30

    You can set your own schedule for synchronization.

11. Start Kaspersky CyberTrace.

    Run the sc start cybertrace command.

12. Open Kaspersky CyberTrace Web in a browser (by using the details specified in Step 7 in Configuration>GUISettings>HTTPServer>ConnectionString).
13. Make sure that the settings for the feeds on the Settings>Feeds page are similar to the settings on the DMZ host.
14. On the Settings>Feeds page, set Never for the Update frequency parameter.
15. On the Settings>Licensing page, add a license key.
16. Configure other settings that are not related to updating feeds.

Changing feed settings after installing Kaspersky CyberTrace Service and Feed Utility on separate computers

Since the DMZ host is only for downloading feeds, you can configure the settings below for the previously enabled feeds in Kaspersky CyberTrace on the local host. You can change the following feeds parameters:

• Feed confidence value (except for Kaspersky feeds)
• Limit for number of feed entries being processed
• Retention period (except for Kaspersky feeds)
• Available fields for a feed
• Filtering rules
• Actionable fields

You can also disable any feed that had been enabled before (in this case, the disabled feeds will continue to be downloaded on the DMZ host and transferred to the local host, until you disable them in %dmz_fu%/kl_feed_util.conf).

You can configure the proxy server settings directly in the %dmz_fu%\kl_feed_util.conf file on the DMZ host.

If necessary, you can add a new feed as described below.

If any feed had been previously disabled on the local host, the actions below will stop downloading this feed on the DMZ host.

To add a new feed, do the following:

1. On the local host:
   1. Export the current settings from Kaspersky CyberTrace by clicking the Export configuration files button on the Settings>Service page.

      If custom feeds had been earlier configured in Kaspersky CyberTrace, also save the httpsrv\etc\custom_feed_list.conf file for further use.

   2. Stop the Kaspersky CyberTrace service.

      Run the sc stop cybertrace command.

2. On the DMZ host:
   1. Install the same version of Kaspersky CyberTrace as on the local host.

      If you did not remove Kaspersky CyberTrace on the DMZ host during initial setup, skip this step.

   2. Stop the Kaspersky CyberTrace service.

      Run the sc stop cybertrace command.

   3. Remove the %service_dir%/bin/.need_run_wizard file.

      If you did not remove Kaspersky CyberTrace on the DMZ host during initial setup, skip this step.

   4. Replace the %service_dir%\bin\kl_feed_service.conf and %service_dir%\bin\kl_feed_util.conf files with the files exported from the local host in Step 1 above.

      If custom feeds had been earlier configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv\etc\custom_feed_list.conf file.

      Specify the proper Configuration>GUISettings>HTTPServer>ConnectionString to open Kaspersky CyberTrace Web in a browser.

   5. Start the Kaspersky CyberTrace service.

      Run the sc start cybertrace command.

   6. Add and configure new feeds by using Kaspersky CyberTrace Web at the address specified in Configuration/GUISettings/HTTPServer/ConnectionString of the %service_dir%\bin\kl_feed_service.conf file.

      Ensure that the feeds are configured correctly by running a feeds update in Kaspersky CyberTrace at least once.

   7. Export the updated settings from Kaspersky CyberTrace by clicking the Export configuration files button on the Settings>Service page.

      If custom feeds had been earlier configured in Kaspersky CyberTrace, also save the httpsrv\etc\custom_feed_list.conf file for further use.

   8. Remove Kaspersky CyberTrace.
   9. Move (replace) the sections Settings/Feeds and Settings/ProxySettings from the kl_feed_util.conf exported file to the %dmz_fu%\kl_feed_util.conf file.

   Do not remove the instance of the kl_feed_util.conf file exported from Kaspersky CyberTrace, as well as kl_feed_service.conf. These files will be used on local host.

3. On the local host:
   1. Replace the %service_dir%\bin\kl_feed_service.conf and %service_dir%\bin\kl_feed_util.conf files with the files exported from the DMZ host.

      If custom feeds had been earlier configured in Kaspersky CyberTrace, also replace or add (if the file was not present) the httpsrv\etc\custom_feed_list.conf file.

      Specify the proper Configuration>GUISettings>HTTPServer>ConnectionString to open Kaspersky CyberTrace Web in a browser.

   2. Start the Kaspersky CyberTrace service.

      Run the sc start cybertrace command.

   3. Using the address specified in Configuration>GUISettings>HTTPServer>ConnectionString, open Kaspersky CyberTrace Web and make sure that the Settings>Feeds page contains the newly added feed and that its settings are similar to the settings on the DMZ host. Also, make sure that all other feeds are configured correctly.
   4. On the Settings>Feeds page, set Never in the Update frequency parameter.

Synchronizing directories that contain feeds

For synchronizing feeds on both the local host and DMZ host, you can use the RSync utility. On a computer running Windows, the RSync utility can be run by using Cygwin.

All Linux commands below are run on Windows computers by using Cygwin.

To install the RSync utility on a Windows computer:

1. Install the default set of packages from the Cygwin distribution.
2. Install the following utilities: OpenSSH, OpenSSL, and RSync.
3. On the DMZ host, configure the OpenSSH components as follows:
   1. Run the following command as root:

      ssh-host-config

      You can answer Yes every time. The important point is to run the sshd daemon as a service.

   2. Run the following command:

      net start sygsshd

The sshd daemon will start automatically.

To configure synchronization on the local host:

1. Create a private key and a corresponding public key.

   For this purpose, run the following command on the local host:

   ssh-keygen -t rsa -q -N '' -f /home/<user>/.ssh/dmz_rsa_key

   Specify the user login instead of <user>. The keys will be created without a password.

2. Copy the public key from the local host to the DMZ host by running the following command:

   ssh-copy-id -i /home/<user>/.ssh/dmz_rsa_key <DMZ_user>@<DMZ_host>

   When you run this command, you will be asked for the password to <DMZ_user>@<DMZ_host>.

3. Test the synchronization of the contents of directories that contain feeds by running the following command on the local host:

   rsync -a --delete-before --delay-updates -e "ssh -i /home/<user>/.ssh/dmz_rsa_key" <DMZ_user>@<DMZ_host>:/<Path_to_feeds>/ /<Path_to_feeds_on_Local>/

   In this command, <Path_to_feeds_on_Local> is the path to the folder containing feeds on the local host (namely, %service_dir%/feeds), and <Path_to_feeds> is the path to the folder on which updated feeds are stored on the DMZ host.

   To pass the synchronization test, the contents of the <Path_to_feeds_on_Local> folder on the Local computer must be the same as the contents of the <Path_to_feeds> folder on the DMZ host.

When testing Rsync by using Cygwin, there can be problems related to space characters in a path, so it is recommended to do the following:

1. Specify the path to the directory on the DMZ host enclosed in quotation marks and escape the space character ("\ ").
2. Escape the space character ("\ ") in the path to the directory on the local host.

To reach the directory on the C:\ drive by using Cygwin, specify the path /cygdrive/c/, and then the usual path (/cygdrive/c/Users/...).

Upgrading Kaspersky CyberTrace from a previous version

Before upgrading, if you had previously renamed the feeds.pem file to feeds.pem.0, rename it back to feeds.pem.

To upgrade Kaspersky CyberTrace and Feed Utility to newer versions, do the following:

1. On the local host, upgrade Kaspersky CyberTrace as described in section "Upgrading automatically on Windows".
2. From the %service_dir%\dmz directory on the local host, move the kl_feed_util.exe file to %dmz_fu%\kl_feed_util on the DMZ host.
3. (Optional) Rename the %service_dir%\dmz\feeds.pem file to feeds.pem.0 to avoid incorrect feeds updating when clicking the Launch update now button.

Page top