Kaspersky Anti Targeted Attack & EDR Expert

Open Club · 3 members

Save

KATA & KEDR Expert community articles

A club blog for Kaspersky Anti Targeted Attack & EDR Expert

How to enable TX capturing in KATA [KATA/KEDRE]

Entry posted by svc_kms in How-to 6 hours ago

4 views

Sometimes one may need to enable transmitted traffic capturing in KATA (in example, for local testing of Suricata detections).

Here's how to do it.

In file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. File should look like this:

options pf_ring enable_tx_capture=1 min_num_slots=16384

Stop apt-preprocessor and suricata services:

systemctl stop apt-preprocessor.service

systemctl stop suricata.service

Start apt-preprocessor and suricata back

systemctl start apt-preprocessor.service

systemctl start suricata.service

In file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. File should look like this:

options pf_ring enable_tx_capture=1 min_num_slots=16384
Stop docker service:

systemctl stop docker
Reload pf_ring module:

rmmod pf_ring

modprobe pf_ring
Start docker back

systemctl start docker

In file /etc/pf_ring/pf_ring.conf set enable_tx_capture=1. File should look like this:

options pf_ring enable_tx_capture=1 min_num_slots=16384
Stop docker service:

systemctl stop docker
Reload pf_ring module:

rmmod pf_ring

modprobe pf_ring
Start docker back

systemctl start docker

With these changes, KATA will capture and process both incoming and outgoing traffic.