Step 7. Performing the verification test (RSA NetWitness)
April 11, 2024
ID 167823
After you configure Kaspersky CyberTrace and RSA NetWitness, you can test their performance.
Please make sure you perform the verification test before editing any filtering rules in the Feed Utility configuration file.
To check whether Kaspersky CyberTrace is correctly integrated with RSA NetWitness:
- Configure Log Scanner to send events to the IP address and port that Kaspersky CyberTrace Service listens on.
For this purpose, in the
Connectionelement of the Log Scanner configuration file, specify the IP address and port that are set for outbound events on the Settings > Service tab of Kaspersky CyberTrace Web. - Send the
kl_verification_test_cef.txtfile from the verification directory to Kaspersky CyberTrace Service by using Log Scanner.For this purpose, run the following command:
In Linux:
./log_scanner -p ../verification/kl_verification_test_cef.txtIn Windows:
log_scanner.exe -p ..\verification\kl_verification_test_cef.txtDo not specify the
-rflag in this command: send the test results to the SIEM solution by using the parameters for outbound events specified on the Settings > Service tab of Kaspersky CyberTrace. - Make sure that you obtain the test results according to the table below.
You can view the test results in the same way as when browsing Kaspersky CyberTrace Service events in RSA NetWitness.
Verification test results
The verification test results depends on the feeds you use. The verification test results are listed in the following table.
Verification test results
Feed used | Detected objects |
Malicious URL Data Feed | http://fakess123.nu http://badb86360457963b90faac9ae17578ed.com |
Phishing URL Data Feed | http://fakess123ap.nu http://e77716a952f640b42e4371759a661663.com |
Botnet C&C URL Data Feed | http://fakess123bn.nu http://a7396d61caffe18a4cffbb3b428c9b60.com |
IP Reputation Data Feed | 192.0.2.0 192.0.2.3 |
Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF 44D88612FEA8A8F36DE82E1278ABB02F (stands for EICAR Standard Anti-Virus Test File) C912705B4BBB14EC7E78FA8B370532C9 |
Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1 |
Mobile Botnet C&C URL Data Feed | 001F6251169E6916C455495050A3FB8D (MD5 hash) sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask) |
Ransomware URL Data Feed | http://fakess123r.nu http://fa7830b4811fbef1b187913665e6733c.com |
APT URL Data Feed | http://b046f5b25458638f6705d53539c79f62.com |
APT Hash Data Feed | 7A2E65A0F70EE0615EC0CA34240CF082 |
APT IP Data Feed | 192.0.2.4 |
IoT URL Data Feed | http://e593461621ee0f9134c632d00bf108fd.com/.i |
Demo Botnet C&C URL Data Feed | http://5a015004f9fc05290d87e86d69c4b237.com http://fakess123bn.nu |
Demo IP Reputation Data Feed | 192.0.2.1 192.0.2.3 |
Demo Malicious Hash Data Feed | 776735A8CA96DB15B422879DA599F474 FEAF2058298C1E174C2B79AFFC7CF4DF 44D88612FEA8A8F36DE82E1278ABB02F |
ICS Hash Data Feed | 7A8F30B40C6564EFF95E678F7C43346C |
