How to exclude protocol from SPAN traffic in KATA 5.x CN with Sensor role [KATA/KEDRE]
Issue
In KATA 4.1, when the Central Node was used as a Sensor, it was possible to open Traffic Capture and disable a protocol, e.g. SMTP.
CN-Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500.htm
Standalone Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500_1.htm
In KATA 5.0, this option is missing from the documentation and from the CN, and is only available on a Standalone Sensor.
Solution
The workaround is to use the CLI and access the preprocessor configuration directly:
Settings section
#console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool | grep \"traffic\" -A 23
    "traffic": {
        "buffer_size_limit": 4096,
        "checksum_validation": false,
        "enable": true,
        "enable_dns": true,
        "enable_ftp": true,
        "enable_http": true,
        "enable_smtp": false,
        "enable_ssl": true,
        "ftp_data_expired_timeout": "PT60S",
        "ftp_data_supposed_max_size_bytes": 10485760,
        "iface_groups": [
            {
                "ifaces": [
                    "ens192"
                ],
                "core_id": null
            }
        ],
        "pcap_filter": "",
        "pcap_snaplen": 1600,
        "pcap_timeout": 10,
        "tcp_threads_number": 16
    },
Example: disable SMTP, enable the rest
#console-settings-updater set --merge /kata/configuration/product/preprocessor_span '{"traffic": {"enable_dns": true, "enable_ftp": true, "enable_http": true, "enable_smtp": false}}'
Example: change the configuration via a file
#console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool > /tmp/preprocessor_span.json
#vim /tmp/preprocessor_span.json
#console-settings-updater set /kata/configuration/product/preprocessor_span @/tmp/preprocessor_span.json
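Before the final set command above writes the edited file back, it is worth confirming that the file still parses as JSON and that only the intended protocol switches differ from the original. The check below is an added example, not part of the original article or of the product's tooling; it assumes an unedited second copy of the get output was kept (the article does not create one), and the sample data in it is constructed.

```python
import json
import sys

MISSING = object()  # marks a path present on only one side

def flatten(node, path=""):
    """Yield (dotted_path, value) for every leaf; empty containers count as leaves."""
    if isinstance(node, dict) and node:
        for key, value in node.items():
            yield from flatten(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list) and node:
        for index, value in enumerate(node):
            yield from flatten(value, f"{path}[{index}]")
    else:
        yield path, node

def review_change(before_text, after_text):
    """Return (changed, unexpected). json.loads raises ValueError on a broken edit."""
    before = dict(flatten(json.loads(before_text)))
    after = dict(flatten(json.loads(after_text)))
    changed = {}
    for path in sorted(before.keys() | after.keys()):
        old, new = before.get(path, MISSING), after.get(path, MISSING)
        if type(old) is not type(new) or old != new:
            changed[path] = (old, new)
    # Only boolean flips of traffic.enable_<protocol> are expected here;
    # "traffic.enable" (capture as a whole) is deliberately not in that set.
    unexpected = [p for p, (old, new) in changed.items()
                  if not (p.startswith("traffic.enable_")
                          and isinstance(old, bool) and isinstance(new, bool))]
    return changed, unexpected

# Constructed sample: a subset of the "traffic" section shown above.
SAMPLE_BEFORE = json.dumps({"traffic": {"enable": True, "enable_http": True,
    "enable_smtp": True, "pcap_filter": "", "pcap_snaplen": 1600,
    "iface_groups": [{"ifaces": ["ens192"], "core_id": None}]}})
# Constructed edit: SMTP disabled as intended, plus a slipped digit in pcap_snaplen.
SAMPLE_AFTER = SAMPLE_BEFORE.replace('"enable_smtp": true', '"enable_smtp": false') \
                            .replace("1600", "160")

if __name__ == "__main__":
    # With two file arguments, compare them; otherwise run on the constructed sample.
    from_files = len(sys.argv) == 3
    texts = ([open(name, encoding="utf-8").read() for name in sys.argv[1:3]]
             if from_files else [SAMPLE_BEFORE, SAMPLE_AFTER])
    changed, unexpected = review_change(*texts)
    for path, (old, new) in changed.items():
        print(f"{path}: {old!r} -> {new!r}")
    if unexpected:
        print("unexpected changes:", ", ".join(unexpected))
    sys.exit(1 if unexpected and from_files else 0)
```

Called with the original and edited file names as its two arguments, it exits non-zero when anything other than a protocol switch under "traffic" has changed.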