Extending detection categories
April 11, 2024
ID 216094
Starting from Kaspersky CyberTrace version 4.0, detection by some fields of the feeds was disabled, and therefore the corresponding detection categories were also disabled (see the list below).
- Botnet C&C URL Data Feed and Demo Botnet C&C URL Data Feed:
  - KL_BotnetCnC_Hash_MD5
  - KL_BotnetCnC_Hash_SHA1
  - KL_BotnetCnC_Hash_SHA256
- IP Reputation Data Feed and Demo IP Reputation Data Feed:
  - KL_IP_Reputation_Hash_MD5
  - KL_IP_Reputation_Hash_SHA1
  - KL_IP_Reputation_Hash_SHA256
- Malicious URL Data Feed:
  - KL_Malicious_URL_Hash_MD5
  - KL_Malicious_URL_Hash_SHA1
  - KL_Malicious_URL_Hash_SHA256
- Mobile Botnet C&C URL Data Feed:
  - KL_Mobile_BotnetCnC_Hash_MD5
  - KL_Mobile_BotnetCnC_Hash_SHA1
  - KL_Mobile_BotnetCnC_Hash_SHA256
- Ransomware URL Data Feed:
  - KL_Ransomware_URL_Hash_MD5
  - KL_Ransomware_URL_Hash_SHA1
  - KL_Ransomware_URL_Hash_SHA256
To enable event detection for these categories:

1. Stop Kaspersky CyberTrace Service.
   - Linux: `systemctl stop cybertrace.service`
   - Windows: `sc stop cybertrace`
2. Open the configuration file:
   - Windows: `httpsrv\etc\kl_feed_info.conf`
   - Linux: `httpsrv/etc/kl_feed_info.conf`
3. Add the categories to the `fields` element of the feed. For detailed information on the categories that you can add, see the table below. For example, to enable detection by MD5, SHA1, and SHA256 for Botnet C&C URL Data Feed, edit `kl_feed_info.conf` as follows:

   ```json
   {
     "name": "Botnet_CnC_URL_Data_Feed",
     "id": 65,
     "description": "A set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects. Masked and non-masked records are available.",
     "fields": [
       { "name": "mask", "type": "URL", "category": "KL_BotnetCnC_URL" },
       { "name": "files/MD5", "type": "MD5", "category": "KL_BotnetCnC_Hash_MD5" },
       { "name": "files/SHA1", "type": "SHA1", "category": "KL_BotnetCnC_Hash_SHA1" },
       { "name": "files/SHA256", "type": "SHA256", "category": "KL_BotnetCnC_Hash_SHA256" }
     ],
     "verification": [
       { "indicator": "http://fakess123bn.nu/", "category": "KL_BotnetCnC_URL" }
     ]
   }
   ```

4. Start Kaspersky CyberTrace Service.
   - Linux: `systemctl start cybertrace.service`
   - Windows: `sc start cybertrace`
5. Open CyberTrace Web. Go to Settings > Feeds, and then launch the feeds update by using the Launch update now button.
In the table below, you can find the values for the `name`, `type`, and `category` elements in `kl_feed_info.conf`.
Categories that can be added to the feeds
Name | Type | Category |
---|---|---|
Botnet C&C URL Data Feed and Demo Botnet C&C URL Data Feed | ||
files/MD5 | MD5 | KL_BotnetCnC_Hash_MD5 |
files/SHA1 | SHA1 | KL_BotnetCnC_Hash_SHA1 |
files/SHA256 | SHA256 | KL_BotnetCnC_Hash_SHA256 |
IP Reputation Data Feed and Demo IP Reputation Data Feed | ||
files/MD5 | MD5 | KL_IP_Reputation_Hash_MD5 |
files/SHA1 | SHA1 | KL_IP_Reputation_Hash_SHA1 |
files/SHA256 | SHA256 | KL_IP_Reputation_Hash_SHA256 |
Malicious URL Data Feed | ||
files/MD5 | MD5 | KL_Malicious_URL_Hash_MD5 |
files/SHA1 | SHA1 | KL_Malicious_URL_Hash_SHA1 |
files/SHA256 | SHA256 | KL_Malicious_URL_Hash_SHA256 |
Mobile Botnet C&C URL Data Feed | ||
files/MD5 | MD5 | KL_Mobile_BotnetCnC_Hash_MD5 |
files/SHA1 | SHA1 | KL_Mobile_BotnetCnC_Hash_SHA1 |
files/SHA256 | SHA256 | KL_Mobile_BotnetCnC_Hash_SHA256 |
Ransomware URL Data Feed | ||
files/MD5 | MD5 | KL_Ransomware_URL_Hash_MD5 |
files/SHA1 | SHA1 | KL_Ransomware_URL_Hash_SHA1 |
files/SHA256 | SHA256 | KL_Ransomware_URL_Hash_SHA256 |
After you perform the actions described in this section, Kaspersky CyberTrace loads the indicators that correspond to the hashes into the indicator database in addition to the IP addresses and masks it already loads from Kaspersky feeds. As a result, for the feeds listed in this section, Kaspersky CyberTrace detects events by file hashes in addition to detecting them by IP addresses and masks.
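The following Python helper is an added example, not Kaspersky's code and not part of the original page. It appends the hash fields from the table above to a feed entry and then checks the result before the service is started again, so that a category added twice or with a mismatched `type` is caught before the feed update runs. It assumes a feed entry is shaped like the JSON object shown in step 3 (a `fields` list of objects with `name`, `type` and `category` keys); the page does not show how `kl_feed_info.conf` wraps those entries, so the helper works on one feed entry at a time rather than on the whole file. The "before" entry embedded in the script is constructed from the page's example by removing the hash fields.

```python
"""Add hash-detection fields to a CyberTrace feed entry and check the result.

Added example, not Kaspersky's code: it assumes a feed entry is the JSON object
shown in this section; the file layout around that object is not shown here.
"""
import json
from copy import deepcopy

# Values taken from the "Categories that can be added to the feeds" table,
# keyed by the feed's display name as written in that table.
HASH_FIELDS = {
    "Botnet C&C URL Data Feed": [
        ("files/MD5", "MD5", "KL_BotnetCnC_Hash_MD5"),
        ("files/SHA1", "SHA1", "KL_BotnetCnC_Hash_SHA1"),
        ("files/SHA256", "SHA256", "KL_BotnetCnC_Hash_SHA256"),
    ],
    "IP Reputation Data Feed": [
        ("files/MD5", "MD5", "KL_IP_Reputation_Hash_MD5"),
        ("files/SHA1", "SHA1", "KL_IP_Reputation_Hash_SHA1"),
        ("files/SHA256", "SHA256", "KL_IP_Reputation_Hash_SHA256"),
    ],
    "Malicious URL Data Feed": [
        ("files/MD5", "MD5", "KL_Malicious_URL_Hash_MD5"),
        ("files/SHA1", "SHA1", "KL_Malicious_URL_Hash_SHA1"),
        ("files/SHA256", "SHA256", "KL_Malicious_URL_Hash_SHA256"),
    ],
    "Mobile Botnet C&C URL Data Feed": [
        ("files/MD5", "MD5", "KL_Mobile_BotnetCnC_Hash_MD5"),
        ("files/SHA1", "SHA1", "KL_Mobile_BotnetCnC_Hash_SHA1"),
        ("files/SHA256", "SHA256", "KL_Mobile_BotnetCnC_Hash_SHA256"),
    ],
    "Ransomware URL Data Feed": [
        ("files/MD5", "MD5", "KL_Ransomware_URL_Hash_MD5"),
        ("files/SHA1", "SHA1", "KL_Ransomware_URL_Hash_SHA1"),
        ("files/SHA256", "SHA256", "KL_Ransomware_URL_Hash_SHA256"),
    ],
}

# Constructed "before" state: the Botnet C&C feed entry from this section
# with only its URL field, which is how it looks while hash detection is off.
FEED_BEFORE = {
    "name": "Botnet_CnC_URL_Data_Feed",
    "id": 65,
    "description": "A set of URLs and hashes with context that cover desktop botnet "
                   "C&C servers and related malicious objects. Masked and non-masked records are available.",
    "fields": [
        {"name": "mask", "type": "URL", "category": "KL_BotnetCnC_URL"},
    ],
    "verification": [
        {"indicator": "http://fakess123bn.nu/", "category": "KL_BotnetCnC_URL"},
    ],
}


def extend_feed(feed, hash_fields):
    """Return a copy of `feed` with every missing hash field appended.
    Idempotent: a category that is already present is not added again."""
    out = deepcopy(feed)
    present = {f["category"] for f in out["fields"]}
    for name, ftype, category in hash_fields:
        if category not in present:
            out["fields"].append(
                {"name": name, "type": ftype, "category": category})
            present.add(category)
    return out


def validate_feed(feed, hash_fields):
    """Return a list of problems (empty means the entry matches the table):
    duplicated categories, missing categories, and name/type mismatches."""
    problems = []
    by_category = {}
    for f in feed["fields"]:
        by_category.setdefault(f["category"], []).append(f)
    for category, entries in by_category.items():
        if len(entries) > 1:
            problems.append(f"category {category} appears {len(entries)} times")
    for name, ftype, category in hash_fields:
        entries = by_category.get(category)
        if not entries:
            problems.append(f"category {category} is missing")
            continue
        found = entries[0]
        if found["name"] != name or found["type"] != ftype:
            problems.append(
                f"category {category}: expected name={name!r} type={ftype!r}, "
                f"found name={found['name']!r} type={found['type']!r}")
    return problems


if __name__ == "__main__":
    spec = HASH_FIELDS["Botnet C&C URL Data Feed"]
    print("before:", validate_feed(FEED_BEFORE, spec))
    feed_after = extend_feed(FEED_BEFORE, spec)
    print("after:", validate_feed(feed_after, spec))
    print(json.dumps(feed_after, indent=2))
```

Running the script prints the three "is missing" problems for the untouched entry, an empty problem list for the extended entry, and the extended entry as JSON, which matches the object shown in step 3. Because `extend_feed` skips categories that are already present, it can be re-run after an upgrade without creating duplicate `fields` entries, and `validate_feed` is the check to run before starting the service again.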