Using a test network packet to verify event registration

To verify the registration of events in Kaspersky Industrial CyberSecurity for Networks, you can use a test network packet. When this type of packet is detected in traffic, the application registers test events based on the following technologies:

• Deep Packet Inspection. An event is registered regardless of whether or not there are Process Control rules or tags.
• Network Integrity Control An event is registered regardless of whether or not there are Interaction Control rules. Use of Network Integrity Control technology must be enabled.
• Intrusion Detection. An event is registered regardless of whether or not there are Intrusion Detection rules. Use of Rule-based Intrusion Detection must be enabled.
• Asset Management. An event is registered regardless of whether or not there are known devices in the devices table. Use of device activity detection must be enabled.

Events are registered with system event types that are assigned the following codes:

• 4000000001 for an event based on Deep Packet Inspection technology.
• 4000000002 for an event based on Network Integrity Control technology.
• 4000000003 for an event based on Intrusion Detection technology.
• 4000000004 for an event based on Asset Management technology.

You can view test events in the table of registered events.

To verify audit functions, Kaspersky Industrial CyberSecurity for Networks saves information about the registration of test events in the audit log. An audit entry is created for each registered event, and this entry specifies the technology used to register the test event.

A test network packet is a UDP protocol packet with certain parameter values. The parameters are defined in such a way as to exclude the probability of receiving such a packet in normal industrial network traffic.

The following data must be defined in the parameters of a test network packet:

• Ethernet II header:
  • Source MAC address: 00:00:00:00:00:00
  • Destination MAC address: ff:ff:ff:ff:ff:ff
  • EtherType: 0x0800 (IPv4)
• IP header:
  • Source IP address: 127.0.20.20
  • Destination IP address: 127.0.20.20
  • ID: 20
  • TTL: 20
  • Protocol type: 17 (UDP)
  • Flags: 0x00
• UDP header:
  • Source port: 20
  • Destination port: 20
• Packet contents:
  • Length of packet contents, in bytes: 20
  • Packet contents: "KICS4Net Sentinel 20"

To generate and send a test network packet, you can use a network packet generator program such as Scapy. You need to send the test network packet from a node whose traffic is controlled by Kaspersky Industrial CyberSecurity for Networks.

Example: To send a test network packet using the program Scapy in a Linux operating system: In the operating system console of the computer, enter the command to run Scapy in interactive mode: sudo scapy Enter the command to send the test network packet: sendp( Ether(src='00:00:00:00:00:00', dst='ff:ff:ff:ff:ff:ff')/ IP(src='127.0.20.20', dst='127.0.20.20', id=20, ttl=20)/ UDP(sport=20, dport=20)/ "KICS4Net Sentinel 20", iface="<interface name>" ) where <interface name> is the name of the network interface connected to the industrial network (for example, eth0). After the packet is detected in traffic, Kaspersky Industrial CyberSecurity for Networks registers test events.

Page top