Collect script output is required for most KATA-related issues and questions. For each item below, the table lists which information is needed, which file(s) in the collect script output contain it, how to find and interpret it, and an example.
KATA version and role: CN/PCN/SCN/Sensor
File: /config/apt-va
How to find: the file contains the version and role in human-readable form. In addition, the "migrate" line shows whether the node was upgraded from a previous KATA version.
Examples:
Primary CN
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.5.0-1269
release=release
master = yes
sensor = yes
timestamp = 1568700994
migrate =
cn_role = pcn
Standalone CN
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.6.1-713
release=release
master = yes
sensor = yes
timestamp =1572445307.01
migrate =
cn_role = cn
Sensor node
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.6.1-713
release=release
master = no
sensor = yes
timestamp =1583845362.98
migrate =
cn_role =
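An added example (not part of the original article or of the KATA product) that derives the node role from the three apt-va samples above. The sample text is constructed in the same format; the mapping of cn_role = scn to "SCN" is an assumption, since the page shows no SCN sample.

```python
import configparser

# Constructed sample of /config/apt-va (a standalone CN), not taken from a real node.
APT_VA_SAMPLE = """\
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.6.1-713
release=release
master = yes
sensor = yes
timestamp =1572445307.01
migrate =
cn_role = cn
"""

def parse_apt_va(text):
    """Parse /config/apt-va and derive version, role and whether the node was upgraded."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    p = cp["product"]
    master = p.get("master", "no").strip().lower() == "yes"
    cn_role = p.get("cn_role", "").strip().lower()
    if master and cn_role == "pcn":
        role = "PCN"            # primary CN: master = yes, cn_role = pcn
    elif master and cn_role == "scn":
        role = "SCN"            # assumption: secondary CN reports cn_role = scn
    elif master:
        role = "CN"             # standalone CN: master = yes, cn_role = cn
    else:
        role = "Sensor"         # sensor node: master = no, cn_role empty
    return {
        "version": p.get("version", "").strip(),
        "role": role,
        # a non-empty migrate line means the node was upgraded from an earlier KATA
        "migrated": bool(p.get("migrate", "").strip()),
    }

if __name__ == "__main__":
    print(parse_apt_va(APT_VA_SAMPLE))
```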
Virtual or hardware?
Files: /environment/dmesg.txt, or /var/log/messages, or /var/log/boot.log
How to find: search the file for the "DMI" entry.
Examples:
Physical server
[ 0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, BIOS U34 06/20/2018
Virtual server
[ 0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
CPU
File: /environment/cpuinfo.txt
How to find: scroll to the bottom of the file. Each "processor" listed is not a physical core but a virtual "thread", so, for example, an 8-core physical CPU with hyper-threading will show 16 CPUs in the file. Remember that CPUs are counted from 0, so for a 16-thread CPU the last entry will be 15.
Example:
processor : 15
vendor_id : GenuineIntel
cpu family : 6
model : 79
model name : Intel(R) Xeon(R) Platinum 8158 CPU @ 3.00GHz
stepping : 0
microcode : 0x2000050
cpu MHz : 2992.968
cache size : 25344 KB
physical id : 0
siblings : 16
core id : 15
cpu cores : 16
apicid : 15
initial apicid : 15
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat spec_ctrl intel_stibp arch_capabilities
bogomips : 5985.93
clflush size : 64
cache_alignment : 64
address sizes : 43 bits physical, 48 bits virtual
power management:
RAM
File: /environment/memory.txt
How to find: the file shows the output of the free command. Values are in megabytes; pay attention to the "total" and "available" columns. Note! Ignore the "free" column: despite its name, it does not show the RAM that can actually be used; the "available" column does.
Example:
total used free shared buff/cache available
Mem: 197308 63869 3634 6738 129804 125558
Swap: 0 0 0
HDD
File: /environment/hdd.txt
How to find: pay attention to the /dev/sda* and /dev/sdb* partitions.
If /dev/sdb* partitions are present, you are dealing with a two-disk installation; otherwise it is a single-disk installation.
Note! Be sure to check the partition sizes and free space! KATA needs a lot of disk space to work properly.
The most important partitions are:
/dev/sda4 1.2T 894G 224G 80% /data ← used for processing queues and quarantine; KATA's main partition
/dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage ← used for EDR data (telemetry from Endpoint Sensors)
Example:
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 367G 14G 335G 4% /
devtmpfs 126G 0 126G 0% /dev
tmpfs 126G 252K 126G 1% /dev/shm
tmpfs 126G 4.1G 122G 4% /run
tmpfs 126G 0 126G 0% /sys/fs/cgroup
/dev/sda2 232M 32M 189M 15% /boot
/dev/sda1 237M 5.5M 232M 3% /boot/efi
/dev/sda4 1.5T 435G 955G 32% /data
/dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage
tmpfs 26G 0 26G 0% /run/user/998
tmpfs 26G 0 26G 0% /run/user/1002
tmpfs 26G 0 26G 0% /run/user/1001
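An added example (not part of the original article or of KATA itself) that parses hdd.txt, detects the single- vs two-disk layout from /dev/sdb*, and flags the two partitions the text singles out when they are close to full. The sample output is constructed; the 80% warning threshold and the assumption that a single-disk install keeps EDR storage under /data are mine.

```python
# Constructed df-style sample in the format of /environment/hdd.txt (not a real node).
HDD_SAMPLE = """\
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 367G 14G 335G 4% /
/dev/sda4 1.5T 435G 955G 32% /data
/dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage
tmpfs 26G 0 26G 0% /run/user/998
"""

# Mount points the text singles out, with what KATA uses them for.
KEY_MOUNTS = {
    "/data": "processing queues and quarantine (main KATA partition)",
    "/data/var/lib/kaspersky/storage": "EDR telemetry from Endpoint Sensors",
}

def parse_df(text):
    """Parse df output into {mount: {device, size, used, avail, use_pct}}."""
    rows = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 5)             # mount point may contain spaces
        if len(parts) != 6:
            continue
        dev, size, used, avail, pct, mount = parts
        rows[mount] = {"device": dev, "size": size, "used": used,
                       "avail": avail, "use_pct": int(pct.rstrip("%"))}
    return rows

def check_storage(rows, warn_pct=80):
    """Return (is_two_disk, findings) for the partitions KATA depends on."""
    two_disk = any(r["device"].startswith("/dev/sdb") for r in rows.values())
    findings = []
    for mount, purpose in KEY_MOUNTS.items():
        r = rows.get(mount)
        if r is None:
            # assumption: on a single-disk install EDR storage lives under /data,
            # so a missing storage mount is only suspicious on a two-disk node
            if two_disk:
                findings.append(f"{mount}: not mounted ({purpose})")
        elif r["use_pct"] >= warn_pct:
            findings.append(f"{mount}: {r['use_pct']}% used, {r['avail']} free ({purpose})")
    return two_disk, findings

if __name__ == "__main__":
    print(check_storage(parse_df(HDD_SAMPLE)))
```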
DNS name
File: /environment/hostname.txt
How to find: the file contains the node's host name.
Example:
kata-cn
IP address
Files: /environment/ipa.txt and /environment/ifconfig.txt
How to find: both files contain information about the network interfaces and the IP addresses assigned to them.
The ifconfig command is considered deprecated by the community, but it can still be useful: it helps identify SPAN interfaces. A SPAN interface usually has no IP address assigned but carries a large amount of traffic. In addition, a SPAN interface is always in promiscuous mode: <UP,BROADCAST,RUNNING,PROMISC,MULTICAST>
Examples:
ipa.txt
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9f:0e:77 brd ff:ff:ff:ff:ff:ff
inet 10.200.178.85/23 brd 10.200.179.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9f:e77/64 scope link
valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9f:db:4d brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:56ff:fe9f:db4d/64 scope link
valid_lft forever preferred_lft forever
ifconfig.txt
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.200.178.85 netmask 255.255.254.0 broadcast 10.200.179.255
inet6 fe80::250:56ff:fe9f:e77 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9f:0e:77 txqueuelen 1000 (Ethernet)
RX packets 604911116 bytes 747444631331 (696.1 GiB)
RX errors 0 dropped 26 overruns 0 frame 0
TX packets 368814032 bytes 353073760300 (328.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::250:56ff:fe9f:db4d prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9f:db:4d txqueuelen 1000 (Ethernet)
RX packets 437 bytes 135823 (132.6 KiB)
RX errors 0 dropped 1125 overruns 0 frame 0
TX packets 8 bytes 656 (656.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 19418334689 bytes 12053991732736 (10.9 TiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19418334689 bytes 12053991732736 (10.9 TiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
SPAN interface
eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::42f2:e9ff:fecc:4343 prefixlen 64 scopeid 0x20<link>
ether 40:f2:e9:cc:43:43 txqueuelen 1000 (Ethernet)
RX packets 122540697216 bytes 104768065608116 (95.2 TiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 586 (586.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xbd5a0000-bd5bffff
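An added example (not from the original article or from KATA) that applies the three SPAN indicators above to ifconfig output: PROMISC flag set, no IPv4 address, and received bytes far exceeding transmitted bytes. The ifconfig excerpt is constructed from the page's format; the 100:1 RX/TX ratio used as the "heavy traffic" cut-off is an assumption.

```python
import re

# Constructed excerpt of /environment/ifconfig.txt (abbreviated, not a real node).
IFCONFIG_SAMPLE = """\
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.178.85  netmask 255.255.254.0  broadcast 10.200.179.255
        ether 00:50:56:9f:0e:77  txqueuelen 1000  (Ethernet)
        RX packets 604911116  bytes 747444631331 (696.1 GiB)
        TX packets 368814032  bytes 353073760300 (328.8 GiB)

eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::42f2:e9ff:fecc:4343  prefixlen 64  scopeid 0x20<link>
        ether 40:f2:e9:cc:43:43  txqueuelen 1000  (Ethernet)
        RX packets 122540697216  bytes 104768065608116 (95.2 TiB)
        TX packets 7  bytes 586 (586.0 B)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        RX packets 19418334689  bytes 12053991732736 (10.9 TiB)
        TX packets 19418334689  bytes 12053991732736 (10.9 TiB)
"""

HEADER = re.compile(r"^(\S+): flags=\d+<([^>]*)>")

def parse_ifconfig(text):
    """Return {iface: {flags, has_ipv4, rx_bytes, tx_bytes}} from ifconfig output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                   # interface header line
            cur = m.group(1)
            ifaces[cur] = {"flags": set(m.group(2).split(",")),
                           "has_ipv4": False, "rx_bytes": 0, "tx_bytes": 0}
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("inet "):               # "inet " (IPv4) only, not "inet6"
            ifaces[cur]["has_ipv4"] = True
        elif s.startswith(("RX packets", "TX packets")):
            b = re.search(r"bytes (\d+)", s)
            ifaces[cur]["rx_bytes" if s.startswith("RX") else "tx_bytes"] = int(b.group(1))
    return ifaces

def span_candidates(ifaces):
    """SPAN interfaces: PROMISC set, no IPv4 address, far more received than sent."""
    return sorted(n for n, i in ifaces.items()
                  if "PROMISC" in i["flags"] and not i["has_ipv4"]
                  and i["rx_bytes"] > 100 * max(i["tx_bytes"], 1))
```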
Sandbox server information
File: /config/apt-agents-id
How to find: the bottom of the file contains information about the connected sandbox nodes: IP address, certificate fingerprint and status. A sandbox may be connected but disabled.
Example:
[sandbox_node.sandbox1]
host = 172.16.0.151
enable = yes
fingerprint = C0:15:18:C8:11:46:11:BC:23:50:16:95:10:2D:FF:FA:4E:06:21:90:20:AA:CC:36:53:27:B8:BF:CF:5A:1A:9C
Enabled integrations (SPAN, ICAP, etc.)
File: /config/preprocessor.conf
How to find: the preprocessor is the component responsible for the main KATA integrations: SPAN, SMTP, ICAP and POP3.
Look for the corresponding section in preprocessor.conf:
SPAN: [traffic]
SMTP: [smtp_proxy]
ICAP: [icap]
POP3: [pop3]
Each section has a line that defines whether the integration is enabled:
enable=yes/no
Other integrations, such as KSMG/KLMS/API, cannot easily be checked from the collect script output.
Example:
Only SPAN is enabled
[app]
use_syslog=no
trace_level=ERR
cache_socket=localhost:6379
collector_url=http://centralnode:8081/apt/collector
license_remote=no
#this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor
[mail]
extract_urls=yes
#file extensions of attachments which format recognizer is not used for
file_extensions=dll,exe,com,java,js,jse,wsf,wsh,vbs,vbe,msi,deb,rpm,apk,zip,7z,rar,iso,cab,jar,bz2,gz,tgz,ace,arj,dmg,xsr,rtf,pdf,msg,eml,vsd,vdx,xps,xsn,odt,ods,odp,sxw,doc,dot,docx,docb,dotx,docm,dotm,xls,xlt,xlm,xla,xll,xlw,xlsx,xltx,xlsm,xltm,xlam,xlsb,ppt,pot,pps,ppam,sldx,sldm,thmx,pptx,potx,pptm,potm,ppsx,ppsm,pub,html,htm,hta,swf,jpg,jpeg,gif,png,tiff,chm,mht,cpl,ocx,pif,scr,bat,cmd,ps1,lnk,reg,msu,msp,z
[traffic]
enable=yes
network_interfaces=ens6f0,ens6f1,ens5f1,ens5f0,ens5f3,ens5f2,eno1,ens3f1,ens3f0
pcap_snaplen=1600
pcap_cores=
pcap_filter=
checksum_validation=no
buffer_size_limit=4096
tcp_threads_number=16
enable_dns=yes
enable_http=yes
enable_ftp=yes
enable_ssl=yes
enable_smtp=yes
ftp_data_expired_timeout_in_seconds=60
ftp_data_supposed_max_size_in_bytes=10485760
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
timeout=500
non_dl_formats=GeneralHtml,GeneralTxt,ExecutableJs,ImageGif,ImageJpeg,ImagePng,ArchiveCab
ksn_adapter_interfaces=
# Change cache entries only you know what are doing.
# 0 - disables cache
cache_entries=3600100
request_threads=4
[snmp]
enable=yes
master_agent_address=tcp:localhost:705
ping_interval_in_seconds=15
[icap]
enable=no
listen_interfaces=ens3f3:1344,ens3f2:1344,eno2:1344
allow204=yes
max_connections=5000
respmod_url=av/respmod
header_client_ip=X-Client-IP
header_client_port=X-Client-Port
extract_user=no
header_username=X-Authenticated-User
base64_decode_username=yes
[filter]
file_size_limit=100000000
dns_lookup_enable=yes
dns_timeout=500
html_filter=/var/opt/kaspersky/apt/update/bases/htmlre.txt
[snort]
enable=yes
alerts_socket=/var/log/kaspersky/snort/snort_alert
[pop3]
enable=no
server=
port=
user=
password=
cipher_list=ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!DSS:!KRB5:!PSK:!RC4:!SRP:!CAMELLIA:!IDEA:!SEED:!3DES:@STRENGTH:!kDH:!kECDH
encrypted=yes
check_interval_in_seconds=2
accept_any_certificates=no
accept_untrusted_self_signed_certificate=yes
process_msgs_per_session=3000
request_timeout_in_seconds=60
[smtp_proxy]
enable=no
max_threads=20
socket_in=inet:10025@127.0.0.1
#RFC 1123 suggests 10 min
timeout_in_seconds=600
[stat_engine]
enable=yes
db=kafka:centralnode:9092?topic=network
oltp_bulk_size=1000
subnets=
taa_skip_header_proxy_auth=status-code: 407
oltp_raw_data_limit=0
[proxy]
enable=no
bypass_local_addresses=yes
host=
port=
user=
password=
Connected Endpoint Sensors
File: /config/aapt_info
How to find: search for "Agent Status" to locate the beginning of the Endpoint Sensors list. To find the number of connected sensors you have to count the lines; this is hard to automate because the lines have no obvious unique attribute to match on. However, searching for "Microsoft Windows" gives enough precision (it produces a few extra matches from the last-detection information).
Example:
Sample entry for 1 agent
ae5290b1-c490-404b-beec-ee553d5d64ee | DXB00079395.*.corp | 2019-09-24 08:41:51.579011 | 10.56.14.170 | 3.5.435.0 | 2019-09-23 03:21:26.883616 | 2019-09-24 03:15:28.642816 | t | Microsoft Windows 10 | | | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 | 6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc
KSN/KPSN connection
File: /config/preprocessor.conf
How to find: from the collect script you can only determine whether KATA is set up to receive verdicts from the cloud and which cloud it is: global KSN or private KPSN. Look for the [ksn] section in preprocessor.conf; it is self-explanatory. For how to check KSN availability in the KATA console, see this article:
Example:
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
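An added example (not part of the original article or of KATA) that serves both the "Enabled integrations" and the "KSN/KPSN connection" items: it reads preprocessor.conf, maps each integration to its section as listed above, and reports which are enabled and which cloud type is configured. The configuration excerpt is constructed from the page's sample.

```python
import configparser

# Constructed excerpt of /config/preprocessor.conf in the format shown above.
PREPROCESSOR_SAMPLE = """\
[traffic]
enable=yes
network_interfaces=ens6f0,ens6f1
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
[icap]
enable=no
listen_interfaces=ens3f3:1344
[pop3]
enable=no
[smtp_proxy]
enable=no
socket_in=inet:10025@127.0.0.1
"""

# Integration name -> section that carries its enable= line (from the text above).
INTEGRATION_SECTIONS = {"SPAN": "traffic", "SMTP": "smtp_proxy",
                        "ICAP": "icap", "POP3": "pop3"}

def load_preprocessor_conf(text):
    # Split on '=' only: values such as socket_in=inet:10025@... contain ':' themselves.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def _enabled(cp, section):
    return cp.has_section(section) and \
        cp.get(section, "enable", fallback="no").strip().lower() == "yes"

def enabled_integrations(cp):
    """Return the integrations whose section has enable=yes, in table order."""
    return [name for name, sect in INTEGRATION_SECTIONS.items() if _enabled(cp, sect)]

def ksn_mode(cp):
    """'KSN' (global) or 'KPSN' (private); None when cloud verdicts are disabled."""
    if not _enabled(cp, "ksn"):
        return None
    return cp.get("ksn", "type", fallback="KSN").strip().upper()

if __name__ == "__main__":
    conf = load_preprocessor_conf(PREPROCESSOR_SAMPLE)
    print("enabled:", enabled_integrations(conf), "cloud:", ksn_mode(conf))
```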