Testing the connection with Kaspersky CyberTrace Service and the availability of feeds

This section explains how to test the connection with Kaspersky CyberTrace Service and its ability to match events against specific feeds.

Before testing the connection with Kaspersky CyberTrace Service, make sure that there is at least one unused scanner in the ServiceSettings > ScannersCount element of the configuration file.

Sending a ping request

You can send a ping request to test the connection with Kaspersky CyberTrace Service. This method does not require any feeds to be enabled. You do not need a commercial certificate for Kaspersky Threat Data Feeds to use this method.

To test the connection with Kaspersky CyberTrace Service by sending a ping request:

  1. Establish a TCP connection using the IP address and port that Kaspersky CyberTrace Service listens on for incoming events.
  2. Send X-KF-ReplyBackPING as the first message.
  3. Wait for the response.

If the response is PONG, it means that Kaspersky CyberTrace Service is running and listening for incoming events on the specified IP address and port.

Sending a test event

Besides the indicators of compromise, Kaspersky Threat Data Feeds also contain records that are provided for test purposes only and do not represent malicious objects. You can use these records to make sure that Kaspersky CyberTrace Service runs properly when matching incoming events against Kaspersky Threat Data Feeds. These records always appear in Kaspersky Threat Data Feeds and will never be removed.

To test the connection with Kaspersky CyberTrace Service by sending a test event:

  1. Establish a TCP connection using the IP address and port that Kaspersky CyberTrace Service listens on for incoming events.
  2. Send X-KF-SendFinishedEventX-KF-ReplyBack as the first message.
  3. Send a test event containing a test record for the specific feed from the tables below.

    The following table contains the test records for commercial feeds.

    Test records (commercial feeds)

    Feed used

    Test records

    Event category

    Malicious URL Data Feed

    http://fakess123.nu

    KL_Malicious_URL

    Phishing URL Data Feed

    http://fakess123ap.nu

    KL_Phishing_URL

    Botnet C&C URL Data Feed

    http://fakess123bn.nu

    KL_BotnetCnC_URL

    IP Reputation Data Feed

    192.0.2.1

    KL_IP_Reputation

    Malicious Hash Data Feed

    FEAF2058298C1E174C2B79AFFC7CF4DF

    KL_Malicious_Hash_MD5

    Mobile Malicious Hash Data Feed

    60300A92E1D0A55C7FDD360EE40A9DC1

    KL_Mobile_Malicious_Hash_MD5

    Mobile Botnet C&C URL Data Feed

    http://sdfed7233dsfg93acvbhl.su/steallallsms.php

    KL_Mobile_BotnetCnC_URL

    Ransomware URL Data Feed

    http://fa7830b4811fbef1b187913665e6733c.com

    KL_Ransomware_URL

    APT URL Data Feed

    http://b046f5b25458638f6705d53539c79f62.com

    KL_APT_URL

    APT Hash Data Feed

    7A2E65A0F70EE0615EC0CA34240CF082

    KL_APT_Hash_MD5

    APT IP Data Feed

    192.0.2.4

    KL_APT_IP

    IoT URL Data Feed

    http://e593461621ee0f9134c632d00bf108fd.com/.i

    KL_IoT_URL

    ICS Hash Data Feed

    7A8F30B40C6564EFF95E678F7C43346C

    KL_ICS_Hash_MD5

    The following table contains the test records that can be used when only demo feeds are enabled.

    Test records (demo feeds)

    Feed used

    Test records

    Event category

    DEMO Botnet_CnC_URL_Data_Feed

    http://5a015004f9fc05290d87e86d69c4b237.com

    KL_BotnetCnC_URL

    DEMO IP_Reputation_Data_Feed

    192.0.2.1

    KL_IP_Reputation

    DEMO Malicious_Hash_Data_Feed

    776735A8CA96DB15B422879DA599F474

    KL_Malicious_Hash_MD5
  4. Wait for the response:
    • If the response is a detection event that contains the corresponding event category from the tables above, it means that Kaspersky CyberTrace Service can receive events and match them against the specific feed.
    • If the response is LookupFinished without event information, it means that Kaspersky CyberTrace Service can receive events and perform matching, but the specific feed is disabled.
Page top