Extending detection categories

February 27, 2024

ID 216094

Starting from Kaspersky CyberTrace version 4.0, detection by some fields of the feeds was disabled, therefore the respective detection categories were also disabled (see the list below).

  • Botnet CnC URL Data Feed and Demo Botnet CnC URL Data Feed:
    • KL_BotnetCnC_Hash_MD5
    • KL_BotnetCnC_Hash_SHA1
    • KL_BotnetCnC_Hash_SHA256
  • IP Reputation Data Feed and Demo IP Reputation Data Feed:
    • KL_IP_Reputation_Hash_MD5
    • KL_IP_Reputation_Hash_SHA1
    • KL_IP_Reputation_Hash_SHA256
  • Malicious URL Data Feed:
    • KL_Malicious_URL_Hash_MD5
    • KL_Malicious_URL_Hash_SHA1
    • KL_Malicious_URL_Hash_SHA256
  • Mobile Botnet CnC URL Data Feed:
    • KL_Mobile_BotnetCnC_Hash_MD5
    • KL_Mobile_BotnetCnC_Hash_SHA1
    • KL_Mobile_BotnetCnC_Hash_SHA256
  • Ransomware URL Data Feed:
    • KL_Ransomware_URL_Hash_MD5
    • KL_Ransomware_URL_Hash_SHA1
    • KL_Ransomware_URL_Hash_SHA256

To enable event detection for these categories:

  1. Stop Kaspersky CyberTrace Service.

    systemctl stop cybertrace.service (in Linux)

    sc stop cybertrace (in Windows)

  2. Open the configuration file:
    • Windows: httpsrv\etc\kl_feed_info.conf
    • Linux: httpsrv/etc/kl_feed_info.conf
  3. Add the categories to the fields element of the feed. For detailed information on the categories that you can add, see the table below.

    For example, to enable detection by MD5, SHA1, and SHA256 for Botnet CnC URL Data Feed, edit kl_feed_info.conf as follows:

    {

    "name": "Botnet_CnC_URL_Data_Feed",

    "id": 65,

    "description": "A set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects. Masked and non-masked records are available.",

    "fields": [

    { "name": "mask", "type": "URL", "category": "KL_BotnetCnC_URL" },

    { "name": "files/MD5", "type": "MD5", "category": "KL_BotnetCnC_Hash_MD5" },

    { "name": "files/SHA1", "type": "SHA1", "category": "KL_BotnetCnC_Hash_SHA1" },

    { "name": "files/SHA256", "type": "SHA256", "category": "KL_BotnetCnC_Hash_SHA256" } ],

    "verification": [

    { "indicator": "http://fakess123bn.nu/", "category": "KL_BotnetCnC_URL" } ]

    }

  4. Start Kaspersky CyberTrace Service.

    systemctl start cybertrace.service (in Linux)

    sc start cybertrace (in Windows)

  5. Open CyberTrace Web. Go to Settings > Feeds, and then launch the feeds update by using the Launch update now button.

In the table below, you can find the values for the name, type, and category elements in kl_feed_info.conf.

Categories that can be added to the feeds

Name

Type

Category

Botnet CnC URL Data Feed and Demo Botnet CnC URL Data Feed

files/MD5

MD5

KL_BotnetCnC_Hash_MD5

files/SHA1

SHA1

KL_BotnetCnC_Hash_SHA1

files/SHA256

SHA256

KL_BotnetCnC_Hash_SHA256

IP Reputation Data Feed and Demo IP Reputation Data Feed

files/MD5

MD5

KL_IP_Reputation_Hash_MD5

files/SHA1

SHA1

KL_IP_Reputation_Hash_SHA1

files/SHA256

SHA256

KL_IP_Reputation_Hash_SHA256

Malicious URL Data Feed

files/MD5

MD5

KL_Malicious_URL_Hash_MD5

files/SHA1

SHA1

KL_Malicious_URL_Hash_SHA1

files/SHA256

SHA256

KL_Malicious_URL_Hash_SHA256

Mobile Botnet CnC URL Data Feed

files/MD5

MD5

KL_Mobile_BotnetCnC_Hash_MD5

files/SHA1

SHA1

KL_Mobile_BotnetCnC_Hash_SHA1

files/SHA256

SHA256

KL_Mobile_BotnetCnC_Hash_SHA256

Ransomware URL Data Feed

files/MD5

MD5

KL_Ransomware_URL_Hash_MD5

files/SHA1

SHA1

KL_Ransomware_URL_Hash_SHA1

files/SHA256

SHA256

KL_Ransomware_URL_Hash_SHA256

After you perform the actions described in this section, Kaspersky CyberTrace does the following: in addition to loading IP addresses and masks when loading Kaspersky feeds to the indicator database, Kaspersky CyberTrace also loads the indicators that correspond to the hashes. As a result, for the feeds that are listed in this section, Kaspersky CyberTrace detects events by file hashes in addition to detection by IP addresses and masks.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.