
How to analyze the KATA collect script output log [KATA/KEDR]



The collect script output is required for most KATA-related issues and questions.

Each item below is described in four parts: what information, which file, how to find and interpret it, and an example.

KATA version and role: CN/PCN/SCN/Sensor

/config/apt-va

The file contains the version and role in human-readable form. The "migrate" line also shows whether the node was upgraded from a previous KATA version.

Primary CN
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.5.0-1269
release=release
master = yes
sensor = yes
timestamp = 1568700994
migrate =
cn_role = pcn

Standalone CN
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.6.1-713
release=release
master = yes
sensor = yes
timestamp =1572445307.01
migrate =
cn_role = cn

Sensor node
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.6.1-713
release=release
master = no
sensor = yes
timestamp =1583845362.98
migrate =
cn_role =

Virtual or hardware?

/environment/dmesg.txt

OR

/var/log/messages

OR

/var/log/boot.log

Search the file for "DMI" entries.

Physical server
[    0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, BIOS U34 06/20/2018

Virtual server
[    0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016

CPU

/environment/cpuinfo.txt

Scroll to the bottom of the file. Each listed processor is not a physical core but a hardware thread, so, for example, an 8-core physical CPU with Hyper-Threading shows 16 CPUs in the file. Remember that CPUs are counted from 0, so for a 16-thread CPU the last entry is 15.

processor : 15
vendor_id : GenuineIntel
cpu family : 6
model : 79
model name : Intel(R) Xeon(R) Platinum 8158 CPU @ 3.00GHz
stepping : 0
microcode : 0x2000050
cpu MHz : 2992.968
cache size : 25344 KB
physical id : 0
siblings : 16
core id : 15
cpu cores : 16
apicid : 15
initial apicid : 15
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat spec_ctrl intel_stibp arch_capabilities
bogomips : 5985.93
clflush size : 64
cache_alignment : 64
address sizes : 43 bits physical, 48 bits virtual
power management:

RAM

/environment/memory.txt

The file shows the output of the free command. Values are in megabytes; pay attention to the "total" and "available" columns. Note! Ignore the "free" column: despite its name it does not show the RAM that is actually available; the "available" column does.

              total        used        free      shared  buff/cache   available
Mem:         197308       63869        3634        6738      129804      125558
Swap:             0           0           0

HDD

/environment/hdd.txt

Pay attention to the /dev/sda* and /dev/sdb* partitions.

If /dev/sdb* partitions exist, you are dealing with a two-disk installation; otherwise it is a single-disk installation.

Note! Always check the partition sizes and free space. KATA needs a lot of disk space to work properly.

The most important partitions are:

/dev/sda4 1.2T 894G 224G 80% /data ← used for the processing queue and quarantine, KATA's main partition

/dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage ← used for EDR data (telemetry from endpoint sensors)


Filesystem      Size  Used Avail Use% Mounted on

/dev/sda3       367G   14G  335G   4% /

devtmpfs        126G     0  126G   0% /dev

tmpfs           126G  252K  126G   1% /dev/shm

tmpfs           126G  4.1G  122G   4% /run

tmpfs           126G     0  126G   0% /sys/fs/cgroup

/dev/sda2       232M   32M  189M  15% /boot

/dev/sda1       237M  5.5M  232M   3% /boot/efi

/dev/sda4       1.5T  435G  955G  32% /data

/dev/sdb1       2.7T  1.4T  1.3T  52% /data/var/lib/kaspersky/storage

tmpfs            26G     0   26G   0% /run/user/998

tmpfs            26G     0   26G   0% /run/user/1002

tmpfs            26G     0   26G   0% /run/user/1001
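An added example (not from the original post) that applies the memory.txt and hdd.txt checks above to constructed copies of the samples: it reads the "available" column rather than "free", detects a two-disk layout from /dev/sdb*, and flags the two key partitions when usage reaches a threshold (the 80% default is my own choice).

```python
# Added example (not from the original post): read /environment/memory.txt and
# /environment/hdd.txt and report "available" RAM (not "free"), whether it is a
# two-disk install, and free space on the two key partitions. MEMORY and HDD
# below are constructed from the samples shown above.
KEY_MOUNTS = {
    "/data": "processing queue and quarantine, KATA main partition",
    "/data/var/lib/kaspersky/storage": "EDR data (endpoint sensor telemetry)",
}

def parse_free(text):
    """Return (total_mb, available_mb) from the 'Mem:' row of free output."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "Mem:":
            return int(parts[1]), int(parts[6])  # columns: total ... available
    raise ValueError("no Mem: row found")

def parse_df(text):
    """Return {mountpoint: (device, use_pct, avail)} from df -h output."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[4].endswith("%"):  # skips the header row
            dev, _size, _used, avail, pct, mount = parts
            rows[mount] = (dev, int(pct[:-1]), avail)
    return rows

def resource_summary(memory_text, hdd_text, warn_pct=80):
    """The manual checks on memory.txt and hdd.txt, collected in one dict."""
    total, avail = parse_free(memory_text)
    rows = parse_df(hdd_text)
    out = {"ram_total_mb": total, "ram_available_mb": avail, "partitions": {},
           "dual_disk": any(d.startswith("/dev/sdb") for d, _, _ in rows.values())}
    for mount, purpose in KEY_MOUNTS.items():
        if mount not in rows:
            out["partitions"][mount] = None  # a missing key partition is a finding
            continue
        dev, pct, free = rows[mount]
        out["partitions"][mount] = {"device": dev, "use_pct": pct, "avail": free,
                                    "warn": pct >= warn_pct, "purpose": purpose}
    return out

MEMORY = """              total        used        free      shared  buff/cache   available
Mem:         197308       63869        3634        6738      129804      125558
Swap:             0           0           0
"""
HDD = """Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3       367G   14G  335G   4% /
/dev/sda4       1.2T  894G  224G  80% /data
/dev/sdb1       2.7T  1.4T  1.3T  52% /data/var/lib/kaspersky/storage
"""
```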

 

 

DNS name

/environment/hostname.txt

The file contains the exact host name.

kata-cn

IP address

/environment/ipa.txt

/environment/ifconfig.txt

Both files contain information about the network interfaces and the assigned IP addresses.

The ifconfig command is considered obsolete by the community, but it can still be useful: it helps identify SPAN interfaces. A SPAN interface usually has no IP address assigned but carries a lot of traffic. In addition, a SPAN interface is always in promiscuous mode: <UP,BROADCAST,RUNNING,PROMISC,MULTICAST>

ipa.txt
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9f:0e:77 brd ff:ff:ff:ff:ff:ff
    inet 10.200.178.85/23 brd 10.200.179.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe9f:e77/64 scope link
       valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9f:db:4d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:56ff:fe9f:db4d/64 scope link
       valid_lft forever preferred_lft forever

ifconfig.txt
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.200.178.85 netmask 255.255.254.0 broadcast 10.200.179.255
        inet6 fe80::250:56ff:fe9f:e77 prefixlen 64 scopeid 0x20<link>
        ether 00:50:56:9f:0e:77 txqueuelen 1000 (Ethernet)
        RX packets 604911116 bytes 747444631331 (696.1 GiB)
        RX errors 0 dropped 26 overruns 0 frame 0
        TX packets 368814032 bytes 353073760300 (328.8 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::250:56ff:fe9f:db4d prefixlen 64 scopeid 0x20<link>
        ether 00:50:56:9f:db:4d txqueuelen 1000 (Ethernet)
        RX packets 437 bytes 135823 (132.6 KiB)
        RX errors 0 dropped 1125 overruns 0 frame 0
        TX packets 8 bytes 656 (656.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 19418334689 bytes 12053991732736 (10.9 TiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 19418334689 bytes 12053991732736 (10.9 TiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

SPAN interface
eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet6 fe80::42f2:e9ff:fecc:4343 prefixlen 64 scopeid 0x20<link>
        ether 40:f2:e9:cc:43:43 txqueuelen 1000 (Ethernet)
        RX packets 122540697216 bytes 104768065608116 (95.2 TiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 7 bytes 586 (586.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device memory 0xbd5a0000-bd5bffff
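An added example (not from the original post) that turns the three SPAN signs described above (PROMISC flag, no IPv4 address, far more RX than TX) into a check over ifconfig.txt; the 1000:1 RX/TX ratio is my own threshold, and the IFCONFIG text is constructed from the samples shown above.

```python
# Added example (not from the original post): flag likely SPAN interfaces in
# /environment/ifconfig.txt using the signs given above: PROMISC flag set, no
# IPv4 address, and RX bytes far above TX bytes (the 1000:1 ratio is my own
# threshold). IFCONFIG below is constructed from the samples shown above.
import re

def parse_ifconfig(text):
    """Return {name: {"flags": set, "inet": str|None, "rx": int, "tx": int}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=\d+<([^>]*)>", line)
        if m:  # interface header line
            cur = ifaces[m.group(1)] = {"flags": set(m.group(2).split(",")),
                                        "inet": None, "rx": 0, "tx": 0}
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("inet "):          # "inet " (not inet6) = IPv4 address
            cur["inet"] = s.split()[1]
        elif s.startswith(("RX packets", "TX packets")):
            cur[s[:2].lower()] = int(re.search(r"bytes (\d+)", s).group(1))
    return ifaces

def span_candidates(text, rx_tx_ratio=1000):
    """Names of non-loopback interfaces that look like SPAN/mirror ports."""
    found = []
    for name, i in parse_ifconfig(text).items():
        if "LOOPBACK" in i["flags"] or "PROMISC" not in i["flags"]:
            continue
        if i["inet"] is None and i["rx"] > rx_tx_ratio * max(i["tx"], 1):
            found.append(name)
    return found

IFCONFIG = """ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.178.85  netmask 255.255.254.0  broadcast 10.200.179.255
        RX packets 604911116  bytes 747444631331 (696.1 GiB)
        TX packets 368814032  bytes 353073760300 (328.8 GiB)

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        RX packets 437  bytes 135823 (132.6 KiB)
        TX packets 8  bytes 656 (656.0 B)

eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        RX packets 122540697216  bytes 104768065608116 (95.2 TiB)
        TX packets 7  bytes 586 (586.0 B)
"""
```

ens224 has no IPv4 address either but is not promiscuous and carries almost no traffic, so it is reported as nothing more than an unused interface.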

 

 

 

Sandbox server information

/config/apt-agents-id

The bottom of the file contains information about the connected sandbox nodes: IP address, certificate fingerprint and status. A sandbox can be connected but disabled.

[sandbox_node.sandbox1]
host = 172.16.0.151
enable = yes
fingerprint = C0:15:18:C8:11:46:11:BC:23:50:16:95:10:2D:FF:FA:4E:06:21:90:20:AA:CC:36:53:27:B8:BF:CF:5A:1A:9C

Enabled integrations(SPAN, ICAP, etc)

/config/preprocessor.conf

The preprocessor is the component responsible for the main KATA integrations: SPAN, SMTP, ICAP and POP3.

Look for the corresponding section in preprocessor.conf:

SPAN: [traffic]

SMTP: [smtp_proxy]

ICAP: [icap]

POP3: [pop3]

Each section has a line that defines whether the integration is enabled:

enable=yes/no

Other integrations, such as KSMG/KLMS/API, cannot easily be checked from the collect script output.

 

Only SPAN is enabled 

[app]

use_syslog=no

trace_level=ERR

cache_socket=localhost:6379

collector_url=http://centralnode:8081/apt/collector

license_remote=no

 

#this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor

[mail]

extract_urls=yes

#file extensions of attachments which format recognizer is not used for

file_extensions=dll,exe,com,java,js,jse,wsf,wsh,vbs,vbe,msi,deb,rpm,apk,zip,7z,rar,iso,cab,jar,bz2,gz,tgz,ace,arj,dmg,xsr,rtf,pdf,msg,eml,vsd,vdx,xps,xsn,odt,ods,odp,sxw,doc,dot,docx,docb,dotx,docm,dotm,xls,xlt,xlm,xla,xll,xlw,xlsx,xltx,xlsm,xltm,xlam,xlsb,ppt,pot,pps,ppam,sldx,sldm,thmx,pptx,potx,pptm,potm,ppsx,ppsm,pub,html,htm,hta,swf,jpg,jpeg,gif,png,tiff,chm,mht,cpl,ocx,pif,scr,bat,cmd,ps1,lnk,reg,msu,msp,z

 

[traffic]

enable=yes

network_interfaces=ens6f0,ens6f1,ens5f1,ens5f0,ens5f3,ens5f2,eno1,ens3f1,ens3f0

pcap_snaplen=1600

pcap_cores=

pcap_filter=

checksum_validation=no

buffer_size_limit=4096

tcp_threads_number=16

enable_dns=yes

enable_http=yes

enable_ftp=yes

enable_ssl=yes

enable_smtp=yes

ftp_data_expired_timeout_in_seconds=60

ftp_data_supposed_max_size_in_bytes=10485760

 

[ksn]

enable=yes

#possible values of type are KSN or KPSN

type=KSN

timeout=500

non_dl_formats=GeneralHtml,GeneralTxt,ExecutableJs,ImageGif,ImageJpeg,ImagePng,ArchiveCab

ksn_adapter_interfaces=

# Change cache entries only you know what are doing.

0 - disables cache

cache_entries=3600100

request_threads=4

 

[snmp]

enable=yes

master_agent_address=tcp:localhost:705

ping_interval_in_seconds=15

 

[icap]

enable=no

listen_interfaces=ens3f3:1344,ens3f2:1344,eno2:1344

allow204=yes

max_connections=5000

respmod_url=av/respmod

header_client_ip=X-Client-IP

header_client_port=X-Client-Port

extract_user=no

header_username=X-Authenticated-User

base64_decode_username=yes

 

[filter]

file_size_limit=100000000

dns_lookup_enable=yes

dns_timeout=500

html_filter=/var/opt/kaspersky/apt/update/bases/htmlre.txt

 

[snort]

enable=yes

alerts_socket=/var/log/kaspersky/snort/snort_alert

 

[pop3]

enable=no

server=

port=

user=

password=

cipher_list=ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!DSS:!KRB5:!PSK:!RC4:!SRP:!CAMELLIA:!IDEA:!SEED:!3DES:@STRENGTH:!kDH:!kECDH

encrypted=yes

check_interval_in_seconds=2

accept_any_certificates=no

accept_untrusted_self_signed_certificate=yes

process_msgs_per_session=3000

request_timeout_in_seconds=60

 

[smtp_proxy]

enable=no

max_threads=20

socket_in=inet:10025@127.0.0.1

#RFC 1123 suggests 10 min

timeout_in_seconds=600

 

[stat_engine]

enable=yes

db=kafka:centralnode:9092?topic=network

oltp_bulk_size=1000

subnets=

taa_skip_header_proxy_auth=status-code: 407

oltp_raw_data_limit=0

 

[proxy]

enable=no

bypass_local_addresses=yes

host=

port=

user=

password=

Connected Endpoint Sensors

/config/aapt_info

You can find the beginning of the Endpoint Sensors list by searching for "Agent Status". To get the number of connected sensors you have to count rows; this is hard to automate because the rows have no obvious unique matching attribute. However, searching for "Microsoft Windows" gives sufficient precision (it yields a few extra matches from the last-detection information).

Sample entry for 1 agent 

ae5290b1-c490-404b-beec-ee553d5d64ee | DXB00079395.*.corp    | 2019-09-24 08:41:51.579011 10.56.14.170   3.5.435.0     2019-09-23 03:21:26.883616 2019-09-24 03:15:28.642816 | t            | Microsoft Windows 10   |                            |                                                                                                                                                                                                                                                                                                                 | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 |                6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc

KSN/KPSN connection

/config/preprocessor.conf

From the collect script you can only determine whether KATA is configured to receive verdicts from the cloud, and which cloud it is: global KSN or private KPSN. Look for the [ksn] section in preprocessor.conf; it is self-explanatory. For how to check KSN availability in the KATA console, refer to the separate article on that topic.


[ksn]

enable=yes

#possible values of type are KSN or KPSN

type=KSN
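An added example (not from the original post) that covers the apt-va role check, the preprocessor.conf integration check and the [ksn] check above with one tolerant INI reader: it accepts the "key = value" spacing seen in apt-va and skips stray lines such as "0 - disables cache" instead of failing. APT_VA and PREPROCESSOR are constructed from the samples shown above; mapping cn_role=scn to "Secondary CN" is my assumption, as no SCN sample appears in the post.

```python
# Added example (not from the original post): a tolerant INI reader for the
# collect-script files, used to derive the node role from /config/apt-va and
# the enabled integrations plus cloud type from /config/preprocessor.conf.
# APT_VA and PREPROCESSOR are constructed from the samples shown above;
# mapping cn_role=scn to "Secondary CN" is my assumption (not shown on the page).
import re

def parse_ini(text):
    """Minimal INI parser: accepts 'key = value' spacing, ignores stray lines."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[([^\]]+)\]$", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif "=" in line and cur is not None:
            key, _, value = line.partition("=")  # split on the first '=' only
            cur[key.strip()] = value.strip()
        # anything else (e.g. "0 - disables cache") is ignored, not an error
    return sections

def node_role(apt_va_text):
    """(version, role, migrated) from the [product] section of apt-va."""
    p = parse_ini(apt_va_text).get("product", {})
    if p.get("master") == "yes":
        role = {"pcn": "Primary CN", "scn": "Secondary CN"}.get(
            p.get("cn_role"), "Standalone CN")
    else:
        role = "Sensor" if p.get("sensor") == "yes" else "unknown"
    return p.get("version"), role, bool(p.get("migrate"))  # non-empty = upgraded

def enabled_integrations(preprocessor_text):
    """(enabled integrations, KSN/KPSN type or None when the cloud is disabled)."""
    cfg = parse_ini(preprocessor_text)
    labels = {"traffic": "SPAN", "smtp_proxy": "SMTP", "icap": "ICAP", "pop3": "POP3"}
    on = [lbl for sec, lbl in labels.items() if cfg.get(sec, {}).get("enable") == "yes"]
    ksn = cfg.get("ksn", {})
    return on, (ksn.get("type") if ksn.get("enable") == "yes" else None)

APT_VA = """[product]\nname=kata-cn\nversion=3.5.0-1269\nmaster = yes
sensor = yes\nmigrate =\ncn_role = pcn"""
PREPROCESSOR = """[traffic]\nenable=yes\n[ksn]\nenable=yes\ntype=KSN
0 - disables cache\n[icap]\nenable=no\n[pop3]\nenable=no\n[smtp_proxy]\nenable=no"""
```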

 
