This section describes how to configure AlienVault USM / OSSIM for treating Kaspersky CyberTrace as an event source. To configure AlienVault USM / OSSIM for this purpose, make sure to perform the following procedure on the computer on which AlienVault USM / OSSIM runs.
To configure AlienVault USM / OSSIM for receiving events from Kaspersky CyberTrace:
1. Copy the kaspersky_cyberTrace.cfg file to the /etc/ossim/agent/plugins/ directory.
2. Copy the kaspersky_cyberTrace.sql file to the /usr/share/doc/ossim-mysql/contrib/plugins/ directory.
The kaspersky_cyberTrace.cfg and kaspersky_cyberTrace.sql files are shipped together with this Help documentation or can be obtained from your technical account manager (TAM).
3. Add the following line to the plugins section of the /etc/ossim/agent/config.cfg file:
kaspersky_cyberTrace=/etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg
4. Add the following line to the /etc/rsyslog.conf file:
if ($fromhost-ip == '%CyberTrace_IP_OUT%') then -/var/log/kaspersky_cyberTrace.log
Here %CyberTrace_IP_OUT% is the IP address of the computer from which Kaspersky CyberTrace sends events.
It is recommended to add this line before the rules that you add when configuring AlienVault USM / OSSIM for forwarding events to Kaspersky CyberTrace. rsyslog evaluates rules in the order in which they appear in the file, so if a forwarding rule stops further processing of a message, a rule placed after it never sees the Kaspersky CyberTrace events.
5. Run the following command:
cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db
This command adds information about Kaspersky CyberTrace to the AlienVault database.
6. Run the following commands:
/etc/init.d/ossim-agent restart
/etc/init.d/ossim-server restart
With these commands, AlienVault USM / OSSIM applies the settings specified in the kaspersky_cyberTrace.cfg configuration file. This file contains the rules that AlienVault USM / OSSIM uses for parsing events from Kaspersky CyberTrace.
7. Run the following command:
/etc/init.d/rsyslog restart
This command applies the change that you made to the /etc/rsyslog.conf file in step 4.
8. Configure the logrotate utility to archive Kaspersky CyberTrace events on the computer on which AlienVault USM / OSSIM runs:
a. Create the kaspersky_cybertrace file in the /etc/logrotate.d directory.
b. In the kaspersky_cybertrace file, specify the following lines:
/var/log/kaspersky_cyberTrace.log
{
# save 3 months of logs
rotate 3
monthly
missingok
notifempty
compress
delaycompress
sharedscripts
# run a script after log rotation
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
c. Save the kaspersky_cybertrace file.
With rotate 3 and monthly, logrotate keeps three rotated files (three months of events) and removes older ones. The postrotate script makes rsyslog reopen its log files, so that new events are written to the fresh /var/log/kaspersky_cyberTrace.log file rather than to the rotated one.
If you want to keep logs for a different period, change the rotate and monthly directives in the kaspersky_cybertrace file; see the logrotate documentation for the available options.
After you perform this procedure, the Kaspersky CyberTrace device is added to AlienVault USM / OSSIM.
The rsyslog service stores events from Kaspersky CyberTrace in the /var/log/kaspersky_cyberTrace.log file.
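The configuration steps above, as an added example that is not part of the Kaspersky CyberTrace or AlienVault documentation: a POSIX shell script with idempotent helpers for the edits to config.cfg (step 3) and rsyslog.conf (step 4), plus a function that runs steps 3 to 7 against the real files. Each helper takes the file to edit as an argument, so it can be tried on a copy before the files under /etc are touched. Two assumptions are made and labelled in the comments: the plugins section of config.cfg is the INI-style header [plugins], and forwarding rules are recognised by "omfwd" or "@@" on the line (the page only says the new rule must precede the forwarding rules you added).

```shell
#!/bin/sh
# Added example, not part of the Kaspersky CyberTrace or AlienVault documentation.
# Idempotent helpers for steps 3 and 4 of the procedure above. Both helpers take
# the file to edit as an argument, so they can be tried on a copy first.

PLUGIN_ENTRY='kaspersky_cyberTrace=/etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg'
CT_LOG='/var/log/kaspersky_cyberTrace.log'

# Step 3: add the plugin entry to the plugins section of config.cfg, once.
# Assumption: the section header is "[plugins]". Returns 1 if the header is
# missing rather than guessing where to put the line.
add_plugin_entry() {
    cfg="$1"
    grep -q '^kaspersky_cyberTrace=' "$cfg" && return 0   # already registered
    grep -q '^\[plugins\]' "$cfg" || return 1
    awk -v e="$PLUGIN_ENTRY" '{ print } /^\[plugins\]/ { print e }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Step 4: write events from the CyberTrace host to the log file. The rule is
# placed before the first forwarding action so that a later rule which stops
# processing of the message cannot hide the event. Assumption: forwarding
# actions are recognised by "omfwd" or "@@" on the line; adjust this to match
# the rules you added when configuring forwarding to CyberTrace.
add_rsyslog_rule() {
    conf="$1"; ip="$2"
    # The address is interpolated into the config file: accept only a dotted quad.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rule="if (\$fromhost-ip == '$ip') then -$CT_LOG"
    grep -qF "$rule" "$conf" && return 0                  # already present
    awk -v r="$rule" '
        !done && (/omfwd/ || /@@/) { print r; done = 1 }
        { print }
        END { if (!done) print r }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Steps 3 to 7 against the real files. Not run automatically; call it as
# "apply_cybertrace_source 192.0.2.10" on the OSSIM host after steps 1 and 2,
# with the IP address from which CyberTrace sends events.
apply_cybertrace_source() {
    add_plugin_entry /etc/ossim/agent/config.cfg || return 1
    add_rsyslog_rule /etc/rsyslog.conf "$1" || return 1
    cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db || return 1
    /etc/init.d/ossim-agent restart && /etc/init.d/ossim-server restart && /etc/init.d/rsyslog restart
}
```

When no forwarding rule is found, add_rsyslog_rule appends the rule at the end of the file, which is still correct for a host that does not forward to CyberTrace; the IP check matters because the address ends up inside an rsyslog condition and a stray quote or semicolon there would break the configuration for every log source.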
After you configure Kaspersky CyberTrace and AlienVault USM / OSSIM, perform the verification test. To do this, send the verification test events to Kaspersky CyberTrace by using the Log Scanner utility (which is part of Kaspersky CyberTrace). The verification test events are contained in the verification/kl_verification_test.txt file. Check the result of the verification test in the AlienVault USM / OSSIM web interface.
If the events do not appear in the web interface, check whether they reached /var/log/kaspersky_cyberTrace.log first: if the file stays empty, the rsyslog rule or the %CyberTrace_IP_OUT% address is wrong; if the file contains the events but AlienVault USM / OSSIM shows none, the plugin registration in config.cfg or the parsing rules in kaspersky_cyberTrace.cfg are at fault.
By default, the detection events of each Kaspersky Threat Data Feed have their own event type in AlienVault. Detection events from other feeds, such as feeds that you import, have the value Kaspersky CyberTrace - Detection event in the event name field.
You can rename the detection events of imported feeds so that the detection events are classified according to their categories.
To rename the detection events of an imported feed:
1. Add the following line to the translation section of the /etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg configuration file:
%CATEGORY_ATTRIBUTE_VALUE_OF_THE_IMPORTED_FEED%=%ANY_FREE_NUMERIC_VALUE%
Here %CATEGORY_ATTRIBUTE_VALUE_OF_THE_IMPORTED_FEED% is the value of the category attribute of the imported feed from kl_feed_service.conf, and %ANY_FREE_NUMERIC_VALUE% is a numeric value that is not yet used in the translation section. For example: Custom_Feed=50
The numeric value identifies the event type within the Kaspersky CyberTrace plugin, so it must also not be used by another row in the kaspersky_cyberTrace.sql file.
2. Add the following line to the /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql file:
(23021992, %NUMERIC_VALUE_SPECIFIED_AT_THE_kaspersky_cyberTrace.cfg%, 15, 71, NULL, 'Kaspersky CyberTrace - %NAME_TO_REPLACE%', 5, 8),
Here %NUMERIC_VALUE_SPECIFIED_AT_THE_kaspersky_cyberTrace.cfg% is the numeric value that you specified in step 1, and %NAME_TO_REPLACE% is the name under which AlienVault USM / OSSIM displays the detection events of this feed.
3. Run the following command:
cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db
4. Run the following commands:
/etc/init.d/ossim-agent restart
/etc/init.d/ossim-server restart
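The renaming procedure above, as an added example that is not Kaspersky's or AlienVault's own tooling: a POSIX shell function that writes the translation line and the SQL row for one imported feed after checking that the numeric value is free in both files, and that rejects feed names and display names containing characters that would break the config or SQL syntax. It assumes that the plugin config has an INI-style [translation] section and that the SQL file already contains at least one row of the shape shown on the page (starting with "(23021992,"); the new row is inserted right after the first such row so that it lands inside the same VALUES list. Both assumptions are labelled in the comments.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky CyberTrace or AlienVault documentation.
# Registers a renamed detection event for one imported feed (steps 1 and 2 of
# the renaming procedure above) after checking that the numeric value is free.
# Assumptions: the plugin config has a "[translation]" section, and the SQL file
# already contains a row starting with "(23021992,"; the new row is inserted
# right after the first such row so that it stays inside the same VALUES list.

PLUGIN_ID=23021992

# Usage: add_feed_translation CFG SQL FEED_CATEGORY NUMERIC_VALUE DISPLAY_NAME
# Return codes: 1 bad argument, 2 value already used in [translation],
# 3 value already used in the SQL file, 4 no existing row to insert after.
add_feed_translation() {
    cfg="$1"; sql="$2"; feed="$3"; num="$4"; name="$5"
    # Every value is interpolated into a config file and a SQL file, so restrict
    # each one to characters that cannot break either syntax (no quotes, no ;).
    printf '%s\n' "$num"  | grep -Eq '^[0-9]+$'           || return 1
    printf '%s\n' "$feed" | grep -Eq '^[A-Za-z0-9_.-]+$'  || return 1
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9 _.-]+$' || return 1
    # Is the value already mapped by some line in the [translation] section?
    if awk -F= -v n="$num" '
            /^\[translation\]/ { s = 1; next }
            /^\[/              { s = 0 }
            s && $2 == n       { found = 1 }
            END                { exit !found }' "$cfg"; then
        return 2
    fi
    # Is the value already used as the second field of a plugin row in the SQL?
    grep -Eq "^\($PLUGIN_ID, *$num," "$sql" && return 3
    grep -q  "^($PLUGIN_ID,"          "$sql" || return 4
    # Both checks passed: add the translation line, then the SQL row.
    awk -v l="$feed=$num" '{ print } /^\[translation\]/ { print l }' "$cfg" \
        > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" || return 1
    row="($PLUGIN_ID, $num, 15, 71, NULL, 'Kaspersky CyberTrace - $name', 5, 8),"
    awk -v row="$row" -v pid="$PLUGIN_ID" '
        { print }
        !done && index($0, "(" pid ",") == 1 { print row; done = 1 }
    ' "$sql" > "$sql.tmp" && mv "$sql.tmp" "$sql"
}
```

After a successful call, run steps 3 and 4 of the procedure (load the SQL file with ossim-db and restart ossim-agent and ossim-server) for the new name to take effect. The display-name check is deliberately strict: the name is placed inside a single-quoted SQL string, and a quote in it would at best break the load and at worst change the statement.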