Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation JSA Series Virtual Appliance Juniper Secure Analytics Configuring DSMs Guide Kaspersky

Juniper Secure Analytics Configuring DSMs Guide

keyboard_arrow_up
close
keyboard_arrow_left
Juniper Secure Analytics Configuring DSMs Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Kaspersky CyberTrace

date_range 20-Jul-21
arrow_backward
arrow_forward

JSA DSM for Kaspersky CyberTrace collects events from Kaspersky Feed Service.

To integrate Kaspersky CyberTrace with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs onto your JSA Console:

    • DSM Common RPM

    • Kaspersky CyberTrace DSM RPM

  2. Install Kaspersky CyberTrace and configure Feed Service during the installation.

  3. Integrate Kaspersky CyberTrace with JSA.

    1. Configure forwarding events from JSA to Kaspersky CyberTrace.

    2. Complete one of the following options.

      • Complete the verification test.

      • Install the Kaspersky Threat Feed App for JSA.

  4. If JSA does not automatically detect the log source, add a Kaspersky CyberTrace log source on the desired event collector. The following table describes the parameters that require specific values for Kaspersky CyberTrace event collection:

    Note:

    You need to clear the Coalescing Events check box when you configure the log source.

    Table 1: Kaspersky CyberTrace Log Source Parameters

    Parameter

    Value

    Log Source type

    Kaspersky CyberTrace

    Protocol Configuration

    Syslog

    Log Source Identifier

    KL_Threat_Feed_Service_V2

    If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring Kaspersky CyberTrace Appliances to Communicate with JSA

To enable Kaspersky CyberTrace to communicate with JSA, install and configure the Threat Feed Service on a device.

Before you install Kaspersky CyberTrace on a device, ensure that your device meets the hardware and software requirements. The requirements are specified in the Kaspersky CyberTrace documentation.

RPM installation - For this installation you must run the run.sh installation script, which installs the RPM package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.

DEB installation - The DEB installation is used on Linux systems that are based on Debian Linux. For this installation you must run the run.sh installation script, which installs the DEB package and runs the configurator. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.

TGZ installation - For this installation, you manually unpack the TGZ archive to the /opt/kaspersky/ktfs directory, create symbolic links to the configuration files and startup scripts, and register Fee Service in crontab. Then, you must manually run the configurator binary file and accept the End User License Agreement. The configurator completes an interactive setup of Feed Service, Feed Utility, and Log Scanner.

You can install CyberTrace by using one of the following installation methods.

  1. Install CyberTrace by using the RPM/DEB method.

    1. Unpack the distribution kit contents to any directory on your system. The RPM/DEB package, installation script, and documentation is unpacked to this directory.

    2. Run the run.sh installation script. The installation script installs the RPM/DEB package, adds Feed Service to the list of services by using chkconfig or systemd, and then creates a cron job to update feeds every 30 minutes. Feed Service starts automatically on a system boot.

      After the RPM/DEB package is installed, the installation script automatically runs the configurator wizard.

  2. To accept the End user License Agreement, print Yes. Use PgUp and PgDn keys to navigate. Press q to quit.

  3. Specify the path to the certificate.

    • If you want to use a demo certificate, click Enter.

    • If you have a certificate for commercial feeds, specify the full path to it, and then click Enter.

    Note:

    The certificate must be in PEM format. The user who runs the configurator binary file must have read permissions for this file. The configurator creates a copy of the certificate file and stores it in a different directory. If you want to replace the certificate file, you must run the configurator again.

  4. Specify the proxy server settings by following the instructions. The specified proxy credentials are stored in encrypted form.

    To remove the specified proxy settings and stop using a proxy, you must manually delete the ProxySettings element and all nested elements from the Feed Utility configuration files.

  5. Specify the feeds that you want to use. The configurator obtains a list of feeds that are available for the certificate that you specified in Step 3.

  6. Specifying the connection parameters. The configuration automatically checks whether the specified connection parameters are correct. For example, the configurator checks that the SIEM software is present at the address and port for outbound events.

    The IP address must consist of four decimal octets that are separated by a dot. For example, 192.0.2.254 is a valid IP address.

    The following connection parameters are included:

    IP address and port for incoming events - Feed Service listens on the specified address and port for incoming events.

    JSA connection string - Feed Service sends outbound events to the specified IP address and port or UNIX socket.

  7. After the installation is complete, you can change the setting by using CybreTrace Web. See the product online help for details.

Completing the Verification Test

The verification test is a procedure that is used to check the capabilities of Kaspersky CyberTrace and to confirm the accuracy of the integration.

During this test you check to see whether events from JSA are received by Feed Service, whether events from Feed Service are received by JSA, and whether events are correctly parsed by Feed Service using the regular expressions.

The verification test file is a file that contains a set of events with URLs, IP addresses, and hashes. This file is located in the ./verification directory in the distribution kit. The name of this file is kl_verification_test.txt.

  1. Start Feed Service. For example, /etc/init.d/kl_feed_service start

  2. Ensure that the KL_Verification_Tool log source is added to JSA, and routing rules are set in such a way that events from KL_Verification_Tool are sent to Feed Service.

  3. Log in to the JSA Console.

  4. Click Admin > Add Filter.

  5. From the Parameter list, select Log Source.

  6. From the Operator list, select Equals.

  7. From the Log Source list, in the Value group, select the required service name.

  8. From the View list, select Real Time to clear the filter area. You can now browse the information about the service events.

  9. In the Connection element of the Log Scanner configuration file ./log_sanner/log_scanner.conf, specify the IPV4 address and port of your JSA Event Collector.

  10. Run Log Scanner to send the kl_verification_test.txt file to JSA (./log_scanner -p ../ verification/kl_verification_test.txt)

    The expected results that are displayed by JSA depend on the feeds that you use. The following table displays the verification results.

    Table 2: Verification Test Results Parameters

    Feed used

    Detected objects

    Malicious URL Data Feed

    http://fakess123.nu

    http://badb86360457963b90faac9ae17578ed.com and many others, such as kaspersky.com/test/wmuf

    Phishing URL Data Feed

    http://fakess123ap.nu

    http://e77716a952f640b42e4371759a661663.com

    Botnet CnC URL Data Feed

    http://fakess123bn.nu

    http://a7396d61caffe18a4cffbb3b428c9b60.com

    IP Reputation Data Feed

    192.0.2.0

    192.0.2.3

    Malicious Hash Data Feed

    FEAF2058298C1E174C2B79AFFC7CF4DF 44D88612FEA8A8F36DE82E1278ABB02F (The EICAR standard anti-virus test file.)

    C912705B4BBB14EC7E78FA8B370532C9

    Mobile Malicious Hash Data Feed

    60300A92E1D0A55C7FDD360EE40A9DC1

    Mobile Botnet Data Feed

    001F6251169E6916C455495050A3FB8D (MD5 hash)

    sdfed7233dsfg93acvbhl.su/steallallsms.php (URL mask)

    P-SMS Trojan Data Feed

    FFAD85C453F0F29404491D8DAF0C646E (MD5 hash)

    Demo Botnet CnC URL Data Feed

    http://5a015004f9fc05290d87e86d69c4b237.com

    http://fakess123bn.nu

    Demo IP Reputation Data Feed

    192.0.2.1

    192.0.2.3

    Demo Malicious Hash Data Feed

    776735A8CA96DB15B422879DA599F474 FEAF2058298C1E174C2B79AFFC7CF4DF 44D88612FEA8A8F36DE82E1278ABB02F

Configuring JSA to forward events to Kaspersky CyberTrace

To have the Threat Feed Service check events that arrive in JSA, you must configure JSA to forward events to the Threat Feed Service.

  1. Log in to the JSA Console UI.

  2. Click the Admin tab, and select System Configuration > Forwarding Destinations.

  3. In the Forwarding Destinations window, click Add.

  4. In the Forwarding Destination Properties pane, configure the Forwarding Destination Properties.

    Table 3: Forwarding Destination Parameters

    Parameter

    Value

    Name

    An identifier for the destination. For example,

    KL_Threat_Feed_Service_V2

    Destination Address

    IP address of the host that runs the Threat Feed Service.

    Event Format

    JSON

    Destination Port

    The port that is specified in kl_feed_service.conf InputSetting > ConnectionString.

    The default value is 9995.

    Protocol

    TCP

    Profile

    Default profile

  5. Click Save.

  6. Click the Admin tab, and then select System Configuration > Routing Rule.

  7. In the Routing Rules window, click Add.

  8. In the Routing Rules window, configure the routing rule parameters.

    Table 4: Routing Rules Parameters

    Parameter

    Value

    Name

    An identifier for the rule name. For example,

    KL_Threat_Feed_Service_V2

    Description

    Create a description for the routing rule that you are creating

    Mode

    Online

    Forwarding Event Collector

    Select the event collector that is used to forward events to the Threat Feed Service.

    Data Source

    Events

    Event Filters

    Create a filter for the events that are going to be forwarded to the Threat Feed Service. To achieve maximum performance of the Threat Feed Service, only forward events that contain a URL or hash.

    Routing Options

    Enable Forward, and then select the <forwarding destination> that you created

  9. Click Save.

Kaspersky CyberTrace DSM Specifications

The following table describes the specifications for the Kaspersky CyberTrace DSM.

Table 5: Kaspersky CyberTrace DSM Specifications

Specification

Value

Manufacturer

Kaspersky Lab

DSM name

Kaspersky CyberTrace

RPM file name

DSM-Kaspersky CyberTrace-JSA_version-build_number.noarch.rpm

Supported versions

2.0

Protocol

Syslog

Event format

LEEF

Recorded event types

Detect, Status, Evaluation

Automatically discovered?

Yes

Includes custom properties?

No

Includes identity?

No

More information

Kaspersky website

Kaspersky CyberTrace Sample Event Message

Use these sample event messages as a way of verifying a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

The following table shows a sample event message when using the syslog protocol for the Kaspersky CyberTrace DSM:

Table 6: Kaspersky CyberTrace Sample Message Supported by the Cisco IronPort Device

Event name

Low level category

Sample log message

KL_Mobile_BotnetCnc_URL

Botnet address

 
Jul 10 10:10:14
KL_Threat_Feed_Service_v2
LEEF:1.0|Kaspersky
Lab|%DATE% KL_Threat_Feed
_Service_v2 LEEF:1.0|Kaspe
rskyLab|Threat Feed Servi
ce|2.0|%EVENT%|%CONTEXT%
|2.0|KL_Mobile_
BotnetCnc_URL|
url=example.com/
xxxxxxxxxxxxxxxx/xxx md5=-
sha1=- sha256=- usrName=
TestUser mask=
xxxxxxxxxxxx.xxxx type=2
first_seen=04.01.2016
16:40 last_seen=27.01.2016
10:46 popularity=5
arrow_backward PREVIOUS Kaspersky
NEXT arrow_forward Kaspersky Security Center
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top