
Igor Akhmetov
Posted


Issue

In KATA 4.1, when the Central Node was used as a Sensor, it was possible to access Traffic Capture and disable a protocol, e.g. SMTP.

CN-Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500.htm
Standalone Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500_1.htm


In KATA 5.0, this option is missing from the docs and from the CN, and is only available on a Standalone Sensor.


Solution

The workaround is to use the CLI and access the preprocessor configuration directly:

Settings section:
# console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool | grep \"traffic\" -A 23
    "traffic": {
        "buffer_size_limit": 4096,
        "checksum_validation": false,
        "enable": true,
        "enable_dns": true,
        "enable_ftp": true,
        "enable_http": true,
        "enable_smtp": false,
        "enable_ssl": true,
        "ftp_data_expired_timeout": "PT60S",
        "ftp_data_supposed_max_size_bytes": 10485760,
        "iface_groups": [
            {
                "ifaces": [
                    "ens192"
                ],
                "core_id": null
            }
        ],
        "pcap_filter": "",
        "pcap_snaplen": 1600,
        "pcap_timeout": 10,
        "tcp_threads_number": 16
    },

Example: disable SMTP, enable the rest
# console-settings-updater set --merge /kata/configuration/product/preprocessor_span '{"traffic": {"enable_dns": true, "enable_ftp": true, "enable_http": true, "enable_smtp": false}}'

Example: edit the full configuration in a file and load it back
# console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool > /tmp/preprocessor_span.json
# vim /tmp/preprocessor_span.json
# console-settings-updater set /kata/configuration/product/preprocessor_span @/tmp/preprocessor_span.json
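
An added example, not part of the original post: a Python helper that can stand in for the manual vim edit. It applies protocol switches to the JSON exported by `console-settings-updater get`, rejects unknown keys and non-boolean values, and lists which protocols end up excluded from capture. The function names are hypothetical, and the sample configuration is constructed from the output shown above.

```python
import copy
import json

# Protocol switches visible in the "traffic" section printed on this page.
PROTOCOL_KEYS = ("enable_dns", "enable_ftp", "enable_http", "enable_smtp", "enable_ssl")

# Constructed sample: a subset of the "traffic" object shown above.
SAMPLE = json.loads("""{"traffic": {"enable": true, "enable_dns": true,
  "enable_ftp": true, "enable_http": true, "enable_smtp": false,
  "enable_ssl": true, "pcap_filter": "", "pcap_snaplen": 1600}}""")


def set_protocols(config, changes):
    """Return (new_config, diff); diff maps each changed key to (old, new).

    Raises ValueError on unknown keys or non-boolean values, so a typo cannot
    add a stray key or store a string where a boolean is expected.
    """
    traffic = config.get("traffic")
    if not isinstance(traffic, dict):
        raise ValueError('no "traffic" object in configuration')
    new_config, diff = copy.deepcopy(config), {}
    for key, value in changes.items():
        if key not in PROTOCOL_KEYS or key not in traffic:
            raise ValueError(f"unknown protocol switch: {key}")
        if not isinstance(value, bool):
            raise ValueError(f"{key} must be true or false")
        if traffic[key] != value:
            diff[key] = (traffic[key], value)
            new_config["traffic"][key] = value
    return new_config, diff


def disabled_protocols(config):
    """Protocol switches that are off, i.e. traffic the sensor will not inspect."""
    return sorted(k for k in PROTOCOL_KEYS if config["traffic"].get(k) is False)


def merge_payload(diff):
    """JSON argument for `set --merge` that carries only the changed flags."""
    body = {"traffic": {key: new for key, (_old, new) in diff.items()}}
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    updated, changed = set_protocols(SAMPLE, {"enable_smtp": True, "enable_ftp": False})
    print("changed:", changed)
    print("not captured after change:", disabled_protocols(updated))
    print("merge payload:", merge_payload(changed))
```

The string returned by `merge_payload` has the same shape as the `set --merge` argument in the post, limited to the flags that actually change.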

 

 

  • The title was changed to How to exclude protocol from SPAN traffic in KATA 5.x CN with Sensor role [KATA/KEDRE]
