Jump to content
Kaspersky Support Forum

How to analyze KATA collect script output [KATA/KEDRE]

Egor Erastov

Entry posted by Egor Erastov in How-to

15 views

 Share

Collect script output is a must for most KATA-related issues and questions.

Which information?
Which file?
How to find/interpret?
Example
 
КАТА version and role: CN/PCN/SCN/Sensor /config/apt-va File contains the version and role in human-readable form. Also, you can see if the node was upgraded from previous KATA versions in 'migrate' line
Primary CN 
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.5.0-1269
release=release
master = yes
sensor = yes
timestamp = 1568700994
migrate =
cn_role = pcn
Standalone CN 
[product]
 
name=kata-cn
 
title=Kaspersky Anti Targeted Attack Platform
 
version=3.6.1-713
 
release=release
 
master = yes
 
sensor = yes
 
timestamp =1572445307.01
 
migrate =
 
cn_role = cn
Sensor node 
[product]
 
name=kata-cn
 
title=Kaspersky Anti Targeted Attack Platform
 
version=3.6.1-713
 
release=release
 
master = no
 
sensor = yes
 
timestamp =1583845362.98
 
migrate =
 
cn_role =
Virtual or hardware?

/environment/dmesg.txt

OR

/var/log/messages

OR

/var/log/boot.log

Search for "DMI" entries in the file.
Physical server 
[ 0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, BIOS U34 06/20/2018
Virtual server 
[ 0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
CPU /environment/cpuinfo.txt Scroll to the bottom of the file. Each "processor" listed is not a physical core, but virtual "thread", so, i.e. 8-physical core CPU with hyper-threading will have 16 CPUs in the file. Keep in mind that CPUs are counted from 0, so for 16-thread CPU last entry will have number 15.
 
processor : 15
 
vendor_id : GenuineIntel
 
cpu family : 6
 
model : 79
 
model name : Intel(R) Xeon(R) Platinum 8158 CPU @ 3.00GHz
 
stepping : 0
 
microcode : 0x2000050
 
cpu MHz : 2992.968
 
cache size : 25344 KB
 
physical id : 0
 
siblings : 16
 
core id : 15
 
cpu cores : 16
 
apicid : 15
 
initial apicid : 15
 
fpu : yes
 
fpu_exception : yes
 
cpuid level : 13
 
wp : yes
 
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat spec_ctrl intel_stibp arch_capabilities
 
bogomips : 5985.93
 
clflush size : 64
 
cache_alignment : 64
 
address sizes : 43 bits physical, 48 bits virtual
 
power management:
RAM /environment/memory.txt File shows free command output. Values are in megabytes, pay attention to 'total' and 'available' columns. NB! Ignore 'free' column: despite of it's name, it doesn't actually show free RAM, 'available' column does it.
 
total used free shared buff/cache available
 
Mem: 197308 63869 3634 6738 129804 125558
 
Swap: 0 0 0

 

 

HDD /environment/hdd.txt

Pay attention to partitions /dev/sda* and /dev/sdb*.

If /dev/sdb* partition is present, you are dealing with two-disk installation, otherwise, it's one-disk installation.

NB! Always check HDD partitions size and available free space! KATA needs a LOT of disk space to work correctly.

Most important partitions are:

/dev/sda4 1.2T 894G 224G 80% /data ← Used for processing queues and quarantine, main partition for KATA

/dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage ← Used for EDR data: (telemetry from Endpoint Sensors)

 

 
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3       367G   14G  335G   4% /
devtmpfs        126G     0  126G   0% /dev
tmpfs           126G  252K  126G   1% /dev/shm
tmpfs           126G  4.1G  122G   4% /run
tmpfs           126G     0  126G   0% /sys/fs/cgroup
/dev/sda2       232M   32M  189M  15% /boot
/dev/sda1       237M  5.5M  232M   3% /boot/efi
/dev/sda4       1.5T  435G  955G  32% /data
/dev/sdb1       2.7T  1.4T  1.3T  52% /data/var/lib/kaspersky/storage
tmpfs            26G     0   26G   0% /run/user/998
tmpfs            26G     0   26G   0% /run/user/1002
tmpfs            26G     0   26G   0% /run/user/1001

 

 

DNS name

/environment/hostname.txt File contains exactly the hostname of the machine. kata-cn
IP address

/environment/ipa.txt

/environment/ifconfig.txt

Both files contain info about network interfaces and assigned IP addresses.

ifconfig command is considered obsolete by community, but it can be useful: it helps to recognize SPAN interfaces. SPAN interfaces usually don't have IP address assigned, but have a lot of traffic. Also, SPAN interfaces always are in promiscuous mode: <UP,BROADCAST,RUNNING,PROMISC,MULTICAST>

ipa.txt 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 
inet 127.0.0.1/8 scope host lo
 
valid_lft forever preferred_lft forever
 
inet6 ::1/128 scope host
 
valid_lft forever preferred_lft forever
 
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
 
link/ether 00:50:56:9f:0e:77 brd ff:ff:ff:ff:ff:ff
 
inet 10.200.178.85/23 brd 10.200.179.255 scope global ens192
 
valid_lft forever preferred_lft forever
 
inet6 fe80::250:56ff:fe9f:e77/64 scope link
 
valid_lft forever preferred_lft forever
 
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
 
link/ether 00:50:56:9f:db:4d brd ff:ff:ff:ff:ff:ff
 
inet6 fe80::250:56ff:fe9f:db4d/64 scope link
 
valid_lft forever preferred_lft forever

 

 

ifconfig.txt 
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.200.178.85 netmask 255.255.254.0 broadcast 10.200.179.255
inet6 fe80::250:56ff:fe9f:e77 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9f:0e:77 txqueuelen 1000 (Ethernet)
RX packets 604911116 bytes 747444631331 (696.1 GiB)
RX errors 0 dropped 26 overruns 0 frame 0
TX packets 368814032 bytes 353073760300 (328.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::250:56ff:fe9f:db4d prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9f:db:4d txqueuelen 1000 (Ethernet)
RX packets 437 bytes 135823 (132.6 KiB)
RX errors 0 dropped 1125 overruns 0 frame 0
TX packets 8 bytes 656 (656.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 19418334689 bytes 12053991732736 (10.9 TiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19418334689 bytes 12053991732736 (10.9 TiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
SPAN interface 
eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
 
inet6 fe80::42f2:e9ff:fecc:4343 prefixlen 64 scopeid 0x20<link>
 
ether 40:f2:e9:cc:43:43 txqueuelen 1000 (Ethernet)
 
RX packets 122540697216 bytes 104768065608116 (95.2 TiB)
 
RX errors 0 dropped 0 overruns 0 frame 0
 
TX packets 7 bytes 586 (586.0 B)
 
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 
device memory 0xbd5a0000-bd5bffff

 

 

 

Sandbox server information /config/apt-agents-id Bottom part of the file contains info about connected sandbox nodes: IP addresses, cert fingerprints and states: Sandbox may be connected, but disabled.
 
[sandbox_node.sandbox1]
 
host = 172.16.0.151
 
enable = yes
 
fingerprint = C0:15:18:C8:11:46:11:BC:23:50:16:95:10:2D:FF:FA:4E:06:21:90:20:AA:CC:36:53:27:B8:BF:CF:5A:1A:9C
Enabled integrations(SPAN, ICAP, etc) /config/preprocessor.conf

Preprocessor is the component responsible for main KATA integrations: SPAN, SMTP, ICAP, POP3.

You should look for corresponding section in preprocessor.conf:

SPAN: [traffic]

SMTP: [smtp_proxy]

ICAP: [icap]

POP3: [pop3]

For each section, there's a line defining whether this integration is enabled:

enable=yes/no

Other integrations like KSMG/KLMS/API aren't easy to check by collect script output

Only SPAN is enabled 
[app]
use_syslog=no
trace_level=ERR
cache_socket=localhost:6379
collector_url=http://centralnode:8081/apt/collector
license_remote=no
 
#this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor
[mail]
extract_urls=yes
#file extensions of attachments which format recognizer is not used for
file_extensions=dll,exe,com,java,js,jse,wsf,wsh,vbs,vbe,msi,deb,rpm,apk,zip,7z,rar,iso,cab,jar,bz2,gz,tgz,ace,arj,dmg,xsr,rtf,pdf,msg,eml,vsd,vdx,xps,xsn,odt,ods,odp,sxw,doc,dot,docx,docb,dotx,docm,dotm,xls,xlt,xlm,xla,xll,xlw,xlsx,xltx,xlsm,xltm,xlam,xlsb,ppt,pot,pps,ppam,sldx,sldm,thmx,pptx,potx,pptm,potm,ppsx,ppsm,pub,html,htm,hta,swf,jpg,jpeg,gif,png,tiff,chm,mht,cpl,ocx,pif,scr,bat,cmd,ps1,lnk,reg,msu,msp,z
 
[traffic]
enable=yes
network_interfaces=ens6f0,ens6f1,ens5f1,ens5f0,ens5f3,ens5f2,eno1,ens3f1,ens3f0
pcap_snaplen=1600
pcap_cores=
pcap_filter=
checksum_validation=no
buffer_size_limit=4096
tcp_threads_number=16
enable_dns=yes
enable_http=yes
enable_ftp=yes
enable_ssl=yes
enable_smtp=yes
ftp_data_expired_timeout_in_seconds=60
ftp_data_supposed_max_size_in_bytes=10485760
 
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
timeout=500
non_dl_formats=GeneralHtml,GeneralTxt,ExecutableJs,ImageGif,ImageJpeg,ImagePng,ArchiveCab
ksn_adapter_interfaces=
# Change cache entries only you know what are doing.
# 0 - disables cache
cache_entries=3600100
request_threads=4
 
[snmp]
enable=yes
master_agent_address=tcp:localhost:705
ping_interval_in_seconds=15
 
[icap]
enable=no
listen_interfaces=ens3f3:1344,ens3f2:1344,eno2:1344
allow204=yes
max_connections=5000
respmod_url=av/respmod
header_client_ip=X-Client-IP
header_client_port=X-Client-Port
extract_user=no
header_username=X-Authenticated-User
base64_decode_username=yes
 
[filter]
file_size_limit=100000000
dns_lookup_enable=yes
dns_timeout=500
html_filter=/var/opt/kaspersky/apt/update/bases/htmlre.txt
 
[snort]
enable=yes
alerts_socket=/var/log/kaspersky/snort/snort_alert
 
[pop3]
enable=no
server=
port=
user=
password=
cipher_list=ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!DSS:!KRB5:!PSK:!RC4:!SRP:!CAMELLIA:!IDEA:!SEED:!3DES:@STRENGTH:!kDH:!kECDH
encrypted=yes
check_interval_in_seconds=2
accept_any_certificates=no
accept_untrusted_self_signed_certificate=yes
process_msgs_per_session=3000
request_timeout_in_seconds=60
 
[smtp_proxy]
enable=no
max_threads=20
socket_in=inet:10025@127.0.0.1
#RFC 1123 suggests 10 min
timeout_in_seconds=600
 
[stat_engine]
enable=yes
db=kafka:centralnode:9092?topic=network
oltp_bulk_size=1000
subnets=
taa_skip_header_proxy_auth=status-code: 407
oltp_raw_data_limit=0
 
[proxy]
enable=no
bypass_local_addresses=yes
host=
port=
user=
password=
Connected Endpoint Sensors /config/aapt_info You can find the beginning of Endpoint Sensors list by searching for 'Agent Status'. To find the number of connected sensors, you need to calculate lines; but it's not easy to automate it as the lines don't have obvious unique grep-able attribute. However, using 'Microsoft Windows' will give you enough precision(it will give a few extra matches from last detections info).
Sample entry for 1 agent 
ae5290b1-c490-404b-beec-ee553d5d64ee | DXB00079395.*.corp    | 2019-09-24 08:41:51.579011 | 10.56.14.170   | 3.5.435.0     | 2019-09-23 03:21:26.883616 | 2019-09-24 03:15:28.642816 | t            | Microsoft Windows 10   |                            |                                                                                                                                                                                                                                                                                                                 | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 |                6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc
KSN/KPSN connection /config/preprocessor.conf From collect script, you can only determine whether KATA is set up to receive verdicts from the cloud, and understand which sort of cloud it is - global KSN or private KPSN. Look for [ksn] section in preprocessor.conf, it's pretty self-explanatory. Keep in mind that you have a tool which allows you to check KSN availability https://forum.kaspersky.com/blogs/entry/86-how-to-check-ksn-availability-on-kata-cn-katakedre/
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
 Share

0 Comments

Recommended Comments

There are no comments to display.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...