Testing the connection with Kaspersky CyberTrace Service and the availability of feeds
April 11, 2024
ID 211378
This section explains how to test the connection with Kaspersky CyberTrace Service and its ability to match events against specific feeds.
Before testing the connection with Kaspersky CyberTrace Service, make sure that there is at least one unused scanner in the ServiceSettings > ScannersCount element of the configuration file.
Sending a ping request
You can send a ping request to test the connection with Kaspersky CyberTrace Service. This method does not require any feeds to be enabled. You do not need a commercial certificate for Kaspersky Threat Data Feeds to use this method.
To test the connection with Kaspersky CyberTrace Service by sending a ping request:
- Establish a TCP connection using the IP address and port that Kaspersky CyberTrace Service listens on for incoming events.
- Send X-KF-ReplyBackPING as the first message.
- Wait for the response.
If the response is PONG, it means that Kaspersky CyberTrace Service is running and listening for incoming events on the specified IP address and port.
Sending a test event
Besides the indicators of compromise, Kaspersky Threat Data Feeds also contain records that are provided for test purposes only and do not represent malicious objects. You can use these records to make sure that Kaspersky CyberTrace Service runs properly when matching incoming events against Kaspersky Threat Data Feeds. These records always appear in Kaspersky Threat Data Feeds and will never be removed.
To test the connection with Kaspersky CyberTrace Service by sending a test event:
- Establish a TCP connection using the IP address and port that Kaspersky CyberTrace Service listens on for incoming events.
- Send X-KF-SendFinishedEventX-KF-ReplyBack as the first message.
- Send a test event containing a test record for the specific feed from the tables below.
The following table contains the test records for commercial feeds.
Test records (commercial feeds)
Feed used | Test records | Event category
Malicious URL Data Feed | http://fakess123.nu | KL_Malicious_URL
Phishing URL Data Feed | http://fakess123ap.nu | KL_Phishing_URL
Botnet C&C URL Data Feed | http://fakess123bn.nu | KL_BotnetCnC_URL
IP Reputation Data Feed | 192.0.2.1 | KL_IP_Reputation
Malicious Hash Data Feed | FEAF2058298C1E174C2B79AFFC7CF4DF | KL_Malicious_Hash_MD5
Mobile Malicious Hash Data Feed | 60300A92E1D0A55C7FDD360EE40A9DC1 | KL_Mobile_Malicious_Hash_MD5
Mobile Botnet C&C URL Data Feed | http://sdfed7233dsfg93acvbhl.su/steallallsms.php | KL_Mobile_BotnetCnC_URL
Ransomware URL Data Feed | http://fa7830b4811fbef1b187913665e6733c.com | KL_Ransomware_URL
APT URL Data Feed | http://b046f5b25458638f6705d53539c79f62.com | KL_APT_URL
APT Hash Data Feed | 7A2E65A0F70EE0615EC0CA34240CF082 | KL_APT_Hash_MD5
APT IP Data Feed | 192.0.2.4 | KL_APT_IP
IoT URL Data Feed | http://e593461621ee0f9134c632d00bf108fd.com/.i | KL_IoT_URL
ICS Hash Data Feed | 7A8F30B40C6564EFF95E678F7C43346C | KL_ICS_Hash_MD5
The following table contains the test records that can be used when only demo feeds are enabled.
Test records (demo feeds)
Feed used | Test records | Event category
DEMO Botnet_CnC_URL_Data_Feed | http://5a015004f9fc05290d87e86d69c4b237.com | KL_BotnetCnC_URL
DEMO IP_Reputation_Data_Feed | 192.0.2.1 | KL_IP_Reputation
DEMO Malicious_Hash_Data_Feed | 776735A8CA96DB15B422879DA599F474 | KL_Malicious_Hash_MD5
- Wait for the response:
  - If the response is a detection event that contains the corresponding event category from the tables above, it means that Kaspersky CyberTrace Service can receive events and match them against the specific feed.
  - If the response is LookupFinished without event information, it means that Kaspersky CyberTrace Service can receive events and perform matching, but the specific feed is disabled.
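Both checks above (the ping request and the test event) can be scripted so that they run as a routine health check of a CyberTrace deployment. The following Python script is an added example written for this page; it is not part of Kaspersky's documentation or product. It uses the flag strings and test records exactly as given on this page, but the listening address and port are constructed placeholders, and the assumption that each message is newline-terminated and that the reply is read until the service closes the connection or a timeout expires is mine, since the page does not specify message framing. The response classifiers are kept separate from the socket code so they can be checked against constructed replies without a live service.

```python
import socket

# Constructed placeholders (assumption): the address and port that your
# Kaspersky CyberTrace Service listens on for incoming events.
CYBERTRACE_HOST = "127.0.0.1"
CYBERTRACE_PORT = 9999

# Messages as given on the page.
PING_MESSAGE = "X-KF-ReplyBackPING"
TEST_EVENT_FLAGS = "X-KF-SendFinishedEventX-KF-ReplyBack"

# Subset of the commercial-feed test records from the table on the page:
# feed name -> (test record, expected event category).
TEST_RECORDS = {
    "Malicious URL Data Feed": ("http://fakess123.nu", "KL_Malicious_URL"),
    "IP Reputation Data Feed": ("192.0.2.1", "KL_IP_Reputation"),
    "Malicious Hash Data Feed": ("FEAF2058298C1E174C2B79AFFC7CF4DF",
                                 "KL_Malicious_Hash_MD5"),
}


def classify_ping_response(response: str) -> bool:
    """True when the service answered PONG: it is running and listening."""
    return response.strip() == "PONG"


def classify_test_response(response: str, expected_category: str) -> str:
    """Interpret the reply to a test event.

    'matched'       - a detection event naming the expected category came
                      back: the feed is enabled and matching works
    'feed_disabled' - only LookupFinished came back: matching works but
                      that particular feed is disabled
    'unexpected'    - anything else (empty reply, wrong category, ...)

    The category is checked first because X-KF-SendFinishedEvent makes the
    service append LookupFinished after a detection event as well.
    """
    if expected_category in response:
        return "matched"
    if "LookupFinished" in response:
        return "feed_disabled"
    return "unexpected"


def _exchange(messages, host, port, timeout=5.0) -> str:
    """Open one TCP connection, send each message in order and collect the
    reply until the service closes the connection or the timeout expires.
    Assumption: messages are newline-terminated (not stated on the page)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for message in messages:
            sock.sendall((message + "\n").encode())
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # no further data: treat what we have as the full reply
    return b"".join(chunks).decode(errors="replace")


def ping(host=CYBERTRACE_HOST, port=CYBERTRACE_PORT) -> bool:
    """Ping request: needs no feeds and no commercial certificate."""
    return classify_ping_response(_exchange([PING_MESSAGE], host, port))


def check_feed(feed_name, host=CYBERTRACE_HOST, port=CYBERTRACE_PORT) -> str:
    """Test event: flags go in the first message, the test record in the second."""
    record, category = TEST_RECORDS[feed_name]
    reply = _exchange([TEST_EVENT_FLAGS, record], host, port)
    return classify_test_response(reply, category)


if __name__ == "__main__":
    # Run against a live service; each result is printed as one line.
    print("ping:", "PONG received" if ping() else "no PONG (service down or wrong address/port)")
    for feed in TEST_RECORDS:
        print(f"{feed}: {check_feed(feed)}")
```

Remember that each connection uses one scanner, so the ScannersCount setting mentioned at the top of this page must leave a scanner free while the script runs; a `feed_disabled` result is a configuration finding, not a connectivity failure.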