Configuring Kaspersky CyberTrace for integration with AlienVault USM / OSSIM

April 11, 2024

ID 183922

This section describes how to configure Kaspersky CyberTrace for integration with AlienVault USM / OSSIM.

Kaspersky CyberTrace and the device whose events will be forwarded to Kaspersky CyberTrace must work on different computers. Forwarding rules are based on IP addresses. Therefore, the IP address of the computer where Kaspersky CyberTrace is installed must be different from the IP addresses of the devices whose events have to be forwarded to Kaspersky CyberTrace.

To configure Kaspersky CyberTrace for integration with AlienVault USM / OSSIM:

  1. Download Kaspersky CyberTrace from https://support.kaspersky.com/datafeeds/download/15920.
  2. Install Kaspersky CyberTrace.
    • In Linux, the installation directory is /opt/kaspersky/ktfs.
    • In Windows, the installation directory is %CyberTrace_installDir%.
  3. When you log in to Kaspersky CyberTrace Web UI for the first time, the Initial Setup Wizard window opens.

    Specify the following Kaspersky CyberTrace settings:

    • IP address of the computer on which AlienVault USM / OSSIM runs, and port 514

      These are the IP address and port on which Kaspersky CyberTrace sends detection events.

    • IP address of the computer on which Kaspersky CyberTrace works, and any available port (for example, 9999)

      These are the IP address and port to which AlienVault USM / OSSIM sends events for checking. This is the port that Kaspersky CyberTrace listens on for incoming events.

    • Service event format as follows:

      alert=%Alert% context=%RecordContext%

    • Detection event format as follows:

      category=%Category% detected=%MatchedIndicator% url=%RE_URL% src=%SRC_IP% ip=%RE_IP% hash=%RE_MD5% context=%RecordContext%

  4. In the kl_feed_service.conf file, set the enabled attribute of the OutputSettings > FinishedEventFormat element to false.
  5. Save the kl_feed_service.conf file.
  6. Restart Kaspersky CyberTrace by using Kaspersky CyberTrace Web or the kl_feed_service script.
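The two event formats entered in step 3 determine the key=value lines that Kaspersky CyberTrace sends to AlienVault USM / OSSIM on port 514. The following Python script is an added example, not code from the Kaspersky article or the CyberTrace product: it fills the page's format strings from a dictionary of constructed sample values and parses a resulting detection line back into named fields, the way a receiving parser on the USM / OSSIM side would, treating the trailing context field as free text that may contain spaces. The placeholder names are the ones on the page; the sample values and the helper function names (render_event, parse_event, field_names) are assumptions made for this example.

```python
"""Render and parse Kaspersky CyberTrace events in the key=value formats
from the Initial Setup Wizard. Added example; the template strings are the
ones quoted on the page, everything else (values, helpers) is constructed."""
import re
from typing import Dict, List

# Formats exactly as entered in the Initial Setup Wizard (from the page).
SERVICE_EVENT_FORMAT = "alert=%Alert% context=%RecordContext%"
DETECTION_EVENT_FORMAT = (
    "category=%Category% detected=%MatchedIndicator% url=%RE_URL% "
    "src=%SRC_IP% ip=%RE_IP% hash=%RE_MD5% context=%RecordContext%"
)

# Constructed sample values; not taken from a real CyberTrace installation.
SAMPLE_DETECTION = {
    "Category": "Malicious_URL_Data_Feed",
    "MatchedIndicator": "malicious.example",
    "RE_URL": "http://malicious.example/path",
    "SRC_IP": "10.0.0.5",
    "RE_IP": "",          # empty: no IP matched in this record
    "RE_MD5": "",         # empty: no hash in this record
    "RecordContext": "some context text with spaces",
}

PLACEHOLDER = re.compile(r"%(\w+)%")


def render_event(template: str, values: Dict[str, str]) -> str:
    """Substitute every %Name% placeholder; unknown names become empty."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), ""), template)


def field_names(template: str) -> List[str]:
    """Return the key names of a template in order (the text before '=%')."""
    return re.findall(r"(\w+)=%\w+%", template)


def parse_event(template: str, line: str) -> Dict[str, str]:
    """Parse a rendered line back into a dict keyed by the template's names.

    Every field except the last is matched non-greedily up to the next
    ' <key>=' boundary, so empty values and values containing spaces are
    handled; the last field (context=...) absorbs the rest of the line.
    """
    keys = field_names(template)
    parts = []
    for i, key in enumerate(keys):
        if i + 1 < len(keys):
            parts.append(rf"{key}=(?P<{key}>.*?)(?= {keys[i + 1]}=)")
        else:
            parts.append(rf"{key}=(?P<{key}>.*)$")
    pattern = re.compile("^" + " ".join(parts))
    match = pattern.match(line)
    if not match:
        raise ValueError(f"line does not match template: {line!r}")
    return match.groupdict()


if __name__ == "__main__":
    rendered = render_event(DETECTION_EVENT_FORMAT, SAMPLE_DETECTION)
    print(rendered)
    for key, value in parse_event(DETECTION_EVENT_FORMAT, rendered).items():
        print(f"{key:>9}: {value!r}")
```

Because the context field is last in both formats, a parser can keep it as an opaque trailing string; if a format is edited so that a free-text field is no longer last, the boundary matching above would need a different delimiter.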
