Using a test network packet to verify event registration
To verify the registration of events in Kaspersky Industrial CyberSecurity for Networks, you can use a test network packet. When this type of packet is detected in traffic, the application registers test events based on the following technologies:
- Deep Packet Inspection An event is registered regardless of whether or not there are Process Control rules or tags.
- Network Integrity Control An event is registered regardless of whether or not there are Interaction Control rules. Use of Network Integrity Control technology must be enabled.
- Intrusion Detection An event is registered regardless of whether or not there are Intrusion Detection rules. Use of Rule-based Intrusion Detection must be enabled.
- Asset Management An event is registered regardless of whether or not there are known devices in the devices table. Use of device activity detection must be enabled.
Events are registered with system event types that are assigned the following codes:
- 4000000001 for an event based on Deep Packet Inspection technology.
- 4000000002 for an event based on Network Integrity Control technology.
- 4000000003 for an event based on Intrusion Detection technology.
- 4000000004 for an event based on Asset Management technology.
You can view test events in the table of registered events.
To verify audit functions, Kaspersky Industrial CyberSecurity for Networks saves information about the registration of test events in the audit log. An audit entry is created for each registered event, and this entry specifies the technology used to register the test event.
A test network packet is a UDP protocol packet with certain parameter values. The parameters are defined in such a way as to exclude the probability of receiving such a packet in normal industrial network traffic.
The following data must be defined in the parameters of a test network packet:
- Ethernet II header:
- Source MAC address:
00:00:00:00:00:00
- Destination MAC address:
ff:ff:ff:ff:ff:ff
- EtherType:
0x0800 (IPv4)
- Source MAC address:
- IP header:
- Source IP address:
127.0.20.20
- Destination IP address:
127.0.20.20
- ID:
20
- TTL:
20
- Protocol type:
17 (UDP)
- Flags:
0x00
- Source IP address:
- UDP header:
- Source port:
20
- Destination port:
20
- Source port:
- Packet contents:
- Length of packet contents, in bytes:
20
- Packet contents: "
KICS4Net Sentinel 20
"
- Length of packet contents, in bytes:
To generate and send a test network packet, you can use a network packet generator program such as Scapy. You need to send the test network packet from a node whose traffic is controlled by Kaspersky Industrial CyberSecurity for Networks.
Example: To send a test network packet using the program Scapy in a Linux operating system:
After the packet is detected in traffic, Kaspersky Industrial CyberSecurity for Networks registers test events. |