Importing configuration files to AlienVault USM / OSSIM

April 11, 2024

ID 183920

This section describes how to configure AlienVault USM / OSSIM for treating Kaspersky CyberTrace as an event source. To configure AlienVault USM / OSSIM for this purpose, make sure to perform the following procedure on the computer on which AlienVault USM / OSSIM runs.

To configure AlienVault USM / OSSIM for receiving events from Kaspersky CyberTrace:

  1. Copy the following configuration files to their target directories:
    • Copy kaspersky_cyberTrace.cfg to the /etc/ossim/agent/plugins/ directory.
    • Copy kaspersky_cyberTrace.sql to the /usr/share/doc/ossim-mysql/contrib/plugins/ directory.

    The kaspersky_cyberTrace.cfg and kaspersky_cyberTrace.sql files are shipped together with this Help documentation or are received from your technical account manager (TAM).

  2. Add the following line to the plugins section of the /etc/ossim/agent/config.cfg file:

    kaspersky_cyberTrace =/etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg

  3. Add the following rule to the /etc/rsyslog.conf file:

    if ($fromhost-ip == '%CyberTrace_IP_OUT%') then -/var/log/kaspersky_cyberTrace.log

    Here %CyberTrace_IP_OUT% is the IP address of the computer from which Kaspersky CyberTrace sends events.

    It is recommended to add this line before the rules that are added when configuring AlienVault USM / OSSIM for forwarding events to Kaspersky CyberTrace.

  4. Run the following command:

    cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db

    This command adds information about Kaspersky CyberTrace to the AlienVault database.

  5. Run the following commands:

    /etc/init.d/ossim-agent restart

    /etc/init.d/ossim-server restart

    With these commands, AlienVault USM / OSSIM applies the settings specified in the kaspersky_cyberTrace.cfg configuration file. This file contains the rules that AlienVault USM / OSSIM uses for parsing events from Kaspersky CyberTrace.

  6. Restart the rsyslog service by running the following command:

    /etc/init.d/rsyslog restart

  7. Configure the logrotate utility to archive Kaspersky CyberTrace events on the computer on which AlienVault USM / OSSIM runs:
    1. Create the kaspersky_cybertrace file in the /etc/logrotate.d directory.
    2. In the kaspersky_cybertrace file, specify the following lines:

      /var/log/kaspersky_cyberTrace.log
      {
          # save 3 months of logs
          rotate 3
          monthly
          missingok
          notifempty
          compress
          delaycompress
          sharedscripts
          # run a script after log rotation
          postrotate
              invoke-rc.d rsyslog rotate > /dev/null
          endscript
      }

    3. Save and close the kaspersky_cybertrace file.

    If you want to save logs for another period, see the logrotate documentation to configure the kaspersky_cybertrace file.

After you perform this procedure, the Kaspersky CyberTrace device will be added to AlienVault USM / OSSIM.

The rsyslog service will store events from Kaspersky CyberTrace in the /var/log/kaspersky_cyberTrace.log file.
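The rsyslog rule from step 3 has to name the right source address, write to the file that logrotate manages, and sit before the forwarding rules. The check below is an added example, not part of this Help: it assumes that forwarding rules use rsyslog's @/@@ or omfwd syntax, and it runs over a constructed rsyslog.conf excerpt in which 192.0.2.10 stands for the Kaspersky CyberTrace address (SAMPLE_RSYSLOG and check_rsyslog are names chosen here).

```python
import re

# Constructed rsyslog.conf excerpt: the CyberTrace rule from step 3 followed by
# an assumed forwarding rule (the procedure does not show the real one; '@@' is
# rsyslog's TCP forwarding syntax). 192.0.2.10 stands in for %CyberTrace_IP_OUT%.
SAMPLE_RSYSLOG = """\
$ModLoad imudp
$UDPServerRun 514
if ($fromhost-ip == '192.0.2.10') then -/var/log/kaspersky_cyberTrace.log
*.* @@192.0.2.10:9999
"""

# Exact shape of the rule added in step 3: captures the source IP and the target file.
RULE_RE = re.compile(
    r"^\s*if\s*\(\s*\$fromhost-ip\s*==\s*'([^']+)'\s*\)\s*then\s*-?(\S+)\s*$"
)
# Assumed forwarding rule forms: legacy '@host'/'@@host' actions or omfwd actions.
FORWARD_RE = re.compile(r'^\s*\S+\s+@{1,2}\S+|type="omfwd"')


def check_rsyslog(conf_text, cybertrace_ip,
                  log_path="/var/log/kaspersky_cyberTrace.log"):
    """Report whether the CyberTrace rule is present for the given source IP,
    writes to the expected log file, and precedes the first forwarding rule."""
    rule_line = forward_line = None
    path_ok = False
    for n, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) == cybertrace_ip and rule_line is None:
            rule_line = n
            path_ok = m.group(2) == log_path
        elif FORWARD_RE.search(line) and forward_line is None:
            forward_line = n
    return {
        "rule_found": rule_line is not None,
        "path_ok": path_ok,
        "before_forwarding": rule_line is not None
        and (forward_line is None or rule_line < forward_line),
    }
```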

After you configure Kaspersky CyberTrace and AlienVault USM / OSSIM, perform the verification test. For this, send the verification test events to Kaspersky CyberTrace by using the Log Scanner utility (which is part of Kaspersky CyberTrace). The verification test events are contained in the verification/kl_verification_test.txt file. Check the verification test result in the AlienVault USM / OSSIM web interface.

By default, the detection events for each Kaspersky Threat Data Feed have their own event type in AlienVault. The other detection events have the Kaspersky CyberTrace - Detection event value in the event name field.

You can rename the detection events of the imported feeds in order to classify the detection events according to their categories.

To rename the detection events of the imported feed:

  1. Add the following line to the translation section of the /etc/ossim/agent/plugins/kaspersky_cyberTrace.cfg configuration file:

    %CATEGORY_ATTRIBUTE_VALUE_OF_THE_IMPORTED_FEED%=%ANY_FREE_NUMERIC_VALUE%

    Here %CATEGORY_ATTRIBUTE_VALUE_OF_THE_IMPORTED_FEED% is the value of the category attribute of the imported feed in kl_feed_service.conf, and %ANY_FREE_NUMERIC_VALUE% is a numeric value that is not yet used in the translation section. For example: Custom_Feed=50.

  2. Save and close the file.
  3. Add the following line before the last line of the /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql file:

    (23021992, %NUMERIC_VALUE_SPECIFIED_AT_THE_kaspersky_cyberTrace.cfg%, 15, 71, NULL, 'Kaspersky CyberTrace - %NAME_TO_REPLACE%', 5, 8),

  4. Save and close the file.
  5. Run the following commands:

    cat /usr/share/doc/ossim-mysql/contrib/plugins/kaspersky_cyberTrace.sql | ossim-db

    /etc/init.d/ossim-agent restart

    /etc/init.d/ossim-server restart
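Added example (not Kaspersky's code) that performs the two file edits of this procedure on file contents before the ossim-db import and restarts: it appends the category=value line to the translation section, rejects a numeric value that is already in use there, and inserts the plugin_sid row before the last line of the .sql file. SAMPLE_CFG and SAMPLE_SQL are constructed excerpts (the feed names, the INI layout of the cfg file and the plugin_sid table name are assumptions; the shipped files contain more), and the function names are chosen here.

```python
# Constructed excerpt of kaspersky_cyberTrace.cfg (INI layout assumed; feed names made up).
SAMPLE_CFG = """[translation]
Botnet_CnC_URL=10
Malicious_URL=20

[kaspersky_cyberTrace-detection]
event_type=event
"""

# Constructed tail of kaspersky_cyberTrace.sql; its last line closes the INSERT.
SAMPLE_SQL = """INSERT IGNORE INTO plugin_sid VALUES
(23021992, 10, 15, 71, NULL, 'Kaspersky CyberTrace - Botnet_CnC_URL', 5, 8),
(23021992, 20, 15, 71, NULL, 'Kaspersky CyberTrace - Malicious_URL', 5, 8);
"""


def translation_values(cfg_text):
    """Map category -> numeric value for every entry of the [translation] section."""
    values, in_section = {}, False
    for line in cfg_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = s == "[translation]"
        elif in_section and "=" in s and not s.startswith("#"):
            key, _, val = s.partition("=")
            values[key.strip()] = val.strip()
    return values


def add_translation(cfg_text, category, value):
    """Append 'category=value' to [translation]; reject duplicates and reused numbers."""
    existing = translation_values(cfg_text)
    if category in existing:
        raise ValueError(f"{category} is already mapped to {existing[category]}")
    if str(value) in existing.values():
        raise ValueError(f"numeric value {value} is already used in [translation]")
    lines = cfg_text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.strip() == "[translation]")
    end = next((i for i in range(start + 1, len(lines)) if lines[i].startswith("[")), len(lines))
    while end > start + 1 and not lines[end - 1].strip():  # keep the blank separator last
        end -= 1
    lines.insert(end, f"{category}={value}")
    return "\n".join(lines) + "\n"


def add_sid_row(sql_text, value, name):
    """Insert the plugin_sid row before the last line of the .sql file, as step 3 says."""
    lines = sql_text.rstrip("\n").split("\n")
    row = f"(23021992, {value}, 15, 71, NULL, 'Kaspersky CyberTrace - {name}', 5, 8),"
    lines.insert(len(lines) - 1, row)
    return "\n".join(lines) + "\n"
```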
