Configuring Kaspersky Threat Feed App for MISP

You can configure or reconfigure Kaspersky Threat Feed App for MISP mainly by editing the settings script file settings.py.

To configure Kaspersky Threat Feed App for MISP:

  1. In the settings script file settings.py, set the following settings:
    • MISP_URL

      This is the URL where the MISP instance is available.

      The run.py script adds this value after the --misp_url option of the import_to_misp.py script.

    • MISP_TOKEN

      This is the key for using the MISP instance.

      The run.py script adds this value after the --auth_key option of the import_to_misp.py script.

    • CERT_NO_VERIFY

      When this setting is False, the SSL certificate of the MISP instance is verified when the MISP API is used; when it is True, certificate verification is disabled.

      If this setting is True, the run.py script uses the --no_verification option of the import_to_misp.py script.

      This parameter is intended only for evaluation purposes. Using this parameter in a production environment may create security issues.

    • LOG_LEVEL

      Defines the logging level for a converter.

      Two logging levels are available: DEBUG and INFO. The DEBUG level is used by default.

      When the INFO logging level is enabled, the converter writes less information to the log files than when the DEBUG level is enabled. Before enabling the INFO logging level, make sure that the converter works without errors; otherwise, at the INFO logging level, information about errors may not be logged or may be logged only partially.

    • LOG_OUTPUT

      Defines the output format for logs. Logs can be written to a file or to the stdout stream.

      Feed Utility logging settings are not affected by this parameter and can be configured by changing the LogSettings parameter in the %utility_dir%/feed_util/template.conf file. For more information about Feed Utility logging, refer to the online documentation for Kaspersky CyberTrace.

      This parameter can have the following values: STDOUT, FILE. The default value for this parameter is STDOUT.

    • LOG_FILENAME

      Defines a path and file name for the log file.

      If a path is not specified, the log file is created in the %utility_dir% directory. Make sure that a user that runs the converter has sufficient rights to write to this file.

    • RECORDS_COUNT

      This setting specifies the maximum number of attributes that a MISP event will contain after a feed is imported to a MISP instance. It must be a non-negative integer (0 means no limit). The default value is 200000.

      The run.py script adds this value after the --attributes_limit option of the import_to_misp.py script.

  2. In the settings script file settings.py, in the FEEDS dictionary, uncomment the lines containing the names of the feeds that you will import to a MISP instance.

    We recommend that you do not use commercial feeds together with their demo versions. If you plan to use commercial feeds after you have used demo feeds, remove the MISP events that correspond to the demo feeds.

    Also, you can edit the filters to be applied to feed records. The filter rules are defined in the filters subdictionary and re-used by Feed Utility without modification. For more information about filtering rules used by Feed Utility, refer to the online documentation for Kaspersky CyberTrace.

    By default, the following filter is set for the records of IP Reputation Data Feed and Demo IP Reputation Data Feed:

    'Demo_IP_Reputation_Data_Feed': {'id': '87', 'filters': {'threat_score': '[75;*]'}},

    'IP_Reputation_Data_Feed': {'id': '68', 'filters': {'threat_score': '[75;*]'}},

    The default filter allows importing only those feed records that contain IP addresses considered dangerous (namely, records whose threat_score field is equal to or greater than 75).

  3. Copy the certificate for moving feeds to the same directory where the Feed Utility binary file resides and rename the certificate file to feeds.pem.
  4. If you are going to use a proxy server to gain access to Kaspersky servers to download feeds, from the Feed Utility directory run the following command once:

    kl_feed_util --set-proxy %PROXY% -c template.conf

    Here %PROXY% is the setting that specifies the proxy server parameters for gaining access to the Kaspersky servers.
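The settings described in steps 1 and 2 are consumed by run.py, which turns them into import_to_misp.py options, and by Feed Utility, which applies the filters subdictionary to feed records. The following Python script is an added example, not code from Kaspersky Threat Feed App for MISP: it models that mapping with a constructed settings dictionary, validates the documented value constraints (RECORDS_COUNT non-negative, LOG_LEVEL and LOG_OUTPUT limited to their listed values), warns when CERT_NO_VERIFY is True, and applies the default threat_score filter to constructed records. The MISP URL, token and IP addresses are placeholders; the interval reading of the filter rule (a closed interval where `*` means unbounded) and the choice to drop records that lack the filtered field are assumptions made for this example, since the page documents only the `[75;*]` form.

```python
"""Added example, not part of Kaspersky Threat Feed App for MISP.

Models how settings.py values map to import_to_misp.py options (as documented
for run.py) and how a filters entry such as {'threat_score': '[75;*]'} selects
feed records. Interval semantics beyond '[75;*]' are an assumption.
"""
import re
import shlex
import warnings

# Constructed settings using the names documented for settings.py.
# MISP_URL, MISP_TOKEN and the feed records below are placeholders.
SETTINGS = {
    "MISP_URL": "https://misp.example.internal",
    "MISP_TOKEN": "REPLACE_WITH_MISP_AUTH_KEY",
    "CERT_NO_VERIFY": False,
    "LOG_LEVEL": "DEBUG",
    "LOG_OUTPUT": "STDOUT",
    "LOG_FILENAME": "converter.log",
    "RECORDS_COUNT": 200000,
    "FEEDS": {
        "IP_Reputation_Data_Feed": {"id": "68", "filters": {"threat_score": "[75;*]"}},
    },
}

# Constructed feed records (documentation address range), not real feed data.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "threat_score": 90},
    {"ip": "192.0.2.11", "threat_score": 75},
    {"ip": "192.0.2.12", "threat_score": 40},
    {"ip": "192.0.2.13"},  # no threat_score field at all
]


def validate_settings(s):
    """Reject values the documentation does not allow; warn on evaluation-only ones."""
    if s["LOG_LEVEL"] not in ("DEBUG", "INFO"):
        raise ValueError("LOG_LEVEL must be DEBUG or INFO")
    if s["LOG_OUTPUT"] not in ("STDOUT", "FILE"):
        raise ValueError("LOG_OUTPUT must be STDOUT or FILE")
    rc = s["RECORDS_COUNT"]
    if isinstance(rc, bool) or not isinstance(rc, int) or rc < 0:
        raise ValueError("RECORDS_COUNT must be a non-negative integer (0 = no limit)")
    if s["CERT_NO_VERIFY"]:
        warnings.warn("CERT_NO_VERIFY=True disables certificate verification; "
                      "intended for evaluation only")
    return True


def build_import_args(s):
    """Build the import_to_misp.py argument list that run.py is documented to produce."""
    validate_settings(s)
    args = ["import_to_misp.py",
            "--misp_url", s["MISP_URL"],
            "--auth_key", s["MISP_TOKEN"],
            "--attributes_limit", str(s["RECORDS_COUNT"])]
    if s["CERT_NO_VERIFY"]:
        args.append("--no_verification")
    return args


# ASSUMPTION: a rule is a closed interval '[low;high]' where '*' is unbounded.
_INTERVAL = re.compile(r"^\[(\*|-?\d+);(\*|-?\d+)\]$")


def parse_interval(rule):
    """Parse '[75;*]' into (75, None); '[*;50]' into (None, 50)."""
    m = _INTERVAL.match(rule.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported filter rule: {rule!r}")
    lo, hi = m.groups()
    return (None if lo == "*" else int(lo), None if hi == "*" else int(hi))


def record_matches(record, filters):
    """True if every filtered field is present and inside its interval.
    ASSUMPTION: a record missing the filtered field is dropped."""
    for field, rule in filters.items():
        lo, hi = parse_interval(rule)
        value = record.get(field)
        if value is None:
            return False
        if lo is not None and value < lo:
            return False
        if hi is not None and value > hi:
            return False
    return True


def apply_feed_filters(records, feed_settings, limit):
    """Keep matching records, truncated to `limit` attributes (0 = no limit)."""
    kept = [r for r in records if record_matches(r, feed_settings.get("filters", {}))]
    return kept[:limit] if limit else kept


if __name__ == "__main__":
    print(shlex.join(build_import_args(SETTINGS)))
    feed = SETTINGS["FEEDS"]["IP_Reputation_Data_Feed"]
    for r in apply_feed_filters(SAMPLE_RECORDS, feed, SETTINGS["RECORDS_COUNT"]):
        print("import", r["ip"], "threat_score", r["threat_score"])
```

Running the script prints the composed import_to_misp.py command line and the two constructed records that survive the default filter (scores 90 and 75; the record with score 40 and the record without a threat_score field are dropped). Setting CERT_NO_VERIFY to True appends --no_verification and emits a warning, mirroring the page's note that the option is for evaluation only.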

Recommendations on the number of attributes kept in a MISP event

Updating the full set of Kaspersky Threat Data Feeds in a MISP instance can take a significant amount of time. You can decrease this time by specifying the maximum number of attributes to keep in a MISP event (the RECORDS_COUNT parameter in the settings.py file). We recommend that you set the maximum number of attributes to 200 000 (this value is initially set in the settings.py file).

The table below provides measurement data that shows how the maximum number of attributes in a MISP event affects the import time. This data was obtained when all feeds were imported on our computers. Actual values depend on the software and hardware that you use, on the interval between successive runs of the importing script, and on the feeds that you import to a MISP instance.

Import time depending on the maximum number of attributes

  Maximum number of attributes   Time of the first import, hours   Time of a regular import, hours
  50 000                         3                                 2
  200 000                        13                                4
  500 000                        24                                8
