Configuring Kaspersky CyberTrace for integration with AlienVault USM / OSSIM

This section describes how to configure Kaspersky CyberTrace for integration with AlienVault USM / OSSIM.

Kaspersky CyberTrace and the device whose events will be forwarded to it must run on different computers. Forwarding rules are based on IP addresses, so the IP address of the computer on which Kaspersky CyberTrace is installed must differ from the IP addresses of the devices whose events are forwarded to Kaspersky CyberTrace.

To configure Kaspersky CyberTrace for integration with AlienVault USM / OSSIM:

  1. Download Kaspersky CyberTrace from https://support.kaspersky.com/datafeeds/download/15920.
  2. Install Kaspersky CyberTrace.
    • In Linux, Kaspersky CyberTrace is installed to the /opt/kaspersky/ktfs directory.
    • For the Windows installation, the installation directory is hereinafter referred to as %CyberTrace_installDir%.
  3. When you sign in to the Kaspersky CyberTrace Web UI for the first time, the Initial Setup Wizard opens.

    Specify the following Kaspersky CyberTrace settings:

    • IP address of the computer on which AlienVault USM / OSSIM runs, and port 514.

      These are the IP address and port to which Kaspersky CyberTrace sends its detection events, that is, the syslog port on which AlienVault USM / OSSIM receives them.

    • IP address of the computer on which Kaspersky CyberTrace runs, and any free port (for example, 9999).

      These are the IP address and port to which AlienVault USM / OSSIM forwards events for checking, that is, the port on which Kaspersky CyberTrace listens for incoming events.

    • Service event format as follows:

      alert=%Alert% context=%RecordContext%

    • Detection event format as follows:

      category=%Category% detected=%MatchedIndicator% url=%RE_URL% src=%SRC_IP% ip=%RE_IP% hash=%RE_MD5% context=%RecordContext%

  4. In the kl_feed_service.conf file, set the enabled attribute of the OutputSettings > FinishedEventFormat element to false.
  5. Save the kl_feed_service.conf file.
  6. Restart Kaspersky CyberTrace by using Kaspersky CyberTrace Web or the kl_feed_service script.
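The following is an added example, not Kaspersky's own code or a copy of its configuration file: it applies step 4 to a constructed skeleton of kl_feed_service.conf, reads the attribute back so the change can be verified before the restart in step 6, and renders the detection event format from step 3 with sample values so you can see the key=value line that AlienVault USM / OSSIM will receive. The XML layout of the sample (a root element containing OutputSettings > FinishedEventFormat) and the verbatim %Name% substitution are assumptions for the example; the real file contains many more elements.

```python
"""Added example (not Kaspersky's own code or configuration).

Assumptions: kl_feed_service.conf is XML whose root contains an
<OutputSettings> element with a <FinishedEventFormat enabled="..."> child,
and event format placeholders are substituted verbatim as %Name%.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of kl_feed_service.conf
# (assumed skeleton for the example; the real file has many more elements).
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8"?>
<Service>
  <OutputSettings>
    <FinishedEventFormat enabled="true">%Event%</FinishedEventFormat>
    <AlertFormat>alert=%Alert% context=%RecordContext%</AlertFormat>
  </OutputSettings>
</Service>
"""

# Detection event format from step 3 of the procedure.
DETECTION_FORMAT = (
    "category=%Category% detected=%MatchedIndicator% url=%RE_URL% "
    "src=%SRC_IP% ip=%RE_IP% hash=%RE_MD5% context=%RecordContext%"
)


def disable_finished_event_format(conf_text: str) -> str:
    """Return conf_text with OutputSettings/FinishedEventFormat enabled="false".

    Raises ValueError if the element is missing, so a truncated or
    unexpected config is not silently reported as 'fixed'.
    """
    root = ET.fromstring(conf_text)
    node = root.find("./OutputSettings/FinishedEventFormat")
    if node is None:
        raise ValueError("OutputSettings/FinishedEventFormat not found")
    node.set("enabled", "false")
    return ET.tostring(root, encoding="unicode")


def finished_event_format_enabled(conf_text: str) -> bool:
    """Read the attribute back; used to verify the edit before restarting."""
    node = ET.fromstring(conf_text).find("./OutputSettings/FinishedEventFormat")
    if node is None:
        raise ValueError("OutputSettings/FinishedEventFormat not found")
    return node.get("enabled", "true").lower() == "true"


_PLACEHOLDER = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def render_event(template: str, fields: dict) -> str:
    """Substitute %Name% placeholders with sample values.

    Unknown placeholders become empty strings so the key=value layout that
    the USM / OSSIM plugin parses stays intact even for partial matches.
    """
    return _PLACEHOLDER.sub(lambda m: str(fields.get(m.group(1), "")), template)


if __name__ == "__main__":
    patched = disable_finished_event_format(SAMPLE_CONF)
    assert not finished_event_format_enabled(patched)
    print(patched)
    # Constructed sample match; the values are illustrative, not real indicators.
    print(render_event(DETECTION_FORMAT, {
        "Category": "KL_Malicious_URL",
        "MatchedIndicator": "example.test/path",
        "RE_URL": "http://example.test/path",
        "SRC_IP": "10.0.0.25",
        "RecordContext": "device=fw01",
    }))
```

Back up kl_feed_service.conf before writing the patched text over it: ElementTree drops the XML declaration and any comments when it serializes, so on the real file diff the result against the backup (or edit the single attribute by hand) before restarting the service.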