How to: Filter KATA IDS traffic

Egor Erastov · 2025-04-03T07:08:52+0000

Step-by-step guide KATA 3.7.2 Connect to central node/sensor node which processing SPAN traffic via ssh; Proceed to Technical support mode; Become root with command: Turn on wrapCopy as text # sudo -i Create file /etc/suricata/capture-filter.bpf with line containing traffic filtering conditions (syntax is the same as in tcpdump conditions), below you can see filter for example: Example: Turn on wrapCopy as text # cat /etc/suricata/capture-filter.bpf not ((src 10.21.68.247 and dst 10.21.60.155 or 10.21.60.14 or 10.21.60.15 or 10.21.60.80 or 10.21.60.212 or 10.20.72.48 and port 1433) or (src 10.21.65.113 or 10.20.75.142 and dst 212.250.153.80 or 212.250.153.81 or 194.72.254.216 or 194.72.254.217 and port 22)) Change owner/group for created file with command: Turn on wrapCopy as text # chown kluser:root /etc/suricata/capture-filter.bpf Edit file /usr/bin/apt-suri-start, find line: Turn on wrapCopy as text /sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS || { And change it to: Turn on wrapCopy as text /sbin/suricata -F /etc/suricata/capture-filter.bpf -c /etc/suricata/suricata.yaml $OPTIONS || { Restart suricata.service with command: Turn on wrapCopy as text # systemctl restart suricata.service Check absence of errors in system journal related to suricata service restart with commands: Turn on wrapCopy as text # systemctl status suricata.service # journalctl -u suricata.service Done! KATA 5+ Connect to central node/sensor node which processing SPAN traffic via ssh; Proceed to Technical support mode; Become root with command: Turn on wrapCopy as text sudo -i Run the following command, replacing it with your rule with your rule in tcpdump syntax, for example "not ((src 10.10.0.1 or src 10.10.0.13 or src 10.10.0.11 or src 10.10.0.14) and (dst 10.10.6.13 or dst 10.10.6.11 or dst 10.10.6.12))":n on wrapCopy as text console-settings-updater set --merge /kata/configuration/product/preprocessor_span '{"traffic": {"storage_settings": {"bpf_filter": "your rule"}}}'

By Egor Erastov
19 hours ago in Advice and solutions for Kaspersky Anti Targeted Attack & EDR Expert

https://forum.kaspersky.com/topic/how-to-filter-kata-ids-traffic-54541/

Followers 1

Step-by-step guide

KATA 3.7.2

Connect to central node/sensor node which processing SPAN traffic via ssh;
Proceed to Technical support mode;
Become root with command:

Turn on wrapCopy as text
# sudo -i
Create file /etc/suricata/capture-filter.bpf with line containing traffic filtering conditions (syntax is the same as in tcpdump conditions), below you can see filter for example:

Example:

Turn on wrapCopy as text
# cat /etc/suricata/capture-filter.bpf not ((src 10.21.68.247 and dst 10.21.60.155 or 10.21.60.14 or 10.21.60.15 or 10.21.60.80 or 10.21.60.212 or 10.20.72.48 and port 1433) or (src 10.21.65.113 or 10.20.75.142 and dst 212.250.153.80 or 212.250.153.81 or 194.72.254.216 or 194.72.254.217 and port 22))
Change owner/group for created file with command:

Turn on wrapCopy as text
# chown kluser:root /etc/suricata/capture-filter.bpf
Edit file /usr/bin/apt-suri-start, find line:

Turn on wrapCopy as text
/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS || {

And change it to:

Turn on wrapCopy as text
/sbin/suricata -F /etc/suricata/capture-filter.bpf -c /etc/suricata/suricata.yaml $OPTIONS || {
Restart suricata.service with command:

Turn on wrapCopy as text
# systemctl restart suricata.service
Check absence of errors in system journal related to suricata service restart with commands:

Turn on wrapCopy as text
# systemctl status suricata.service # journalctl -u suricata.service
Done!

KATA 5+

Connect to central node/sensor node which processing SPAN traffic via ssh;
Proceed to Technical support mode;
Become root with command:

Turn on wrapCopy as text
sudo -i
Run the following command, replacing it with your rule with your rule in tcpdump syntax, for example "not ((src 10.10.0.1 or src 10.10.0.13 or src 10.10.0.11 or src 10.10.0.14) and (dst 10.10.6.13 or dst 10.10.6.11 or dst 10.10.6.12))":n on wrapCopy as text

console-settings-updater set --merge /kata/configuration/product/preprocessor_span '{"traffic": {"storage_settings": {"bpf_filter": "your rule"}}}'

How to: Filter KATA IDS traffic

Recommended Posts

Egor Erastov

Step-by-step guide

KATA 3.7.2

KATA 5+

Please sign in to comment

Forum

Products

Support

Personal Account