Integration of Kaspersky security solution with Extreme Networks through the Distributed IPS Connect module

  • Article
  • Updated 4 months ago
I've made a quick lab on the integration between the Kaspersky security solution and the Extreme Networks solution using the Distributed IPS connect module present on the EMC server.

I share with you my lab results and settings.

For my lab environment I've used:
Extreme Management Center (EMC) version
ExtremeControl version
Kaspersky Security Center (KSC) version 10.4.343
Kaspersky Endpoint Security (KES) 10 SP2 for Windows version

First of all we need to configure our Kaspersky Security Center so that it exports the relevant security events via syslog to the EMC server.
To do this, in the Events section of KSC we need to configure the export events section as follows (from my lab example):

Then, in the policy applied to the KES clients, we select the relevant events to export; in my example I select the following:
Events: Malicious object detected

Events: Disinfection impossible, Cannot be deleted

and in a similar manner for the other events we want to export.
By default KSC exports the syslog events with the hostname of the source client, but we need the IP address of the source client; to obtain it, it is necessary to apply the following patch on KSC:
1. Stop KSC service
2. Replace "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klcssrv.dll" with the files (klcssrv_10.4.343.dll.7z - 10.4.343, klcssrv_10.4.3027.dll.7z - 10.4.343 patch A) made for KSC version 10.4.343 (so if you have a different KSC version it is necessary to ask Kaspersky for a different patch, but in the release of KES 11 this option will be integrated).
3. After that, use the klscflag utility from the provided archive with the following parameters:
klscflag -fset -pvklserver -n KLSRV_SPLG_SYSLOG_USE_IP_IN_HEADER -t d -v 1 
4. And finally, disable and enable the SIEM integration functionality.
(Thanks to Konstantin Antonov of Kaspersky Lab for the patch for KSC 10.4.343).

Now we try to download a sample malware on the client (for example the EICAR test file).

On the EMC we receive from KSC the following syslog messages, captured with tcpdump:

The same events are collected and stored on the EMC server, and we can see them in OneView:

We need to configure on EMC an instance of the Distributed IPS connect module that reacts to these syslog messages received from Kaspersky Security Center. In my example, first of all it is necessary to define the Distributed IPS end-system group, of type IP address, where the clients triggered by the event are put:

Then we define the instance of the Distributed IPS connect module as follows:

(Thanks to Leo Lam of Extreme Networks for his help on the regular expressions)

Now, when the EMC receives the syslog message from Kaspersky KSC, the source IP is added to the Distributed_IPS End-System Group, which also forces the reauthentication of this IP address,

so ExtremeControl can apply the new policy rule to this client; in my example the quarantine policy will be applied.

In the same manner, we can extend the procedure and define several instances of the Distributed IPS connect module to react to syslog messages from other components of the Kaspersky Security solution.

For example, we can send to EMC events from the Kaspersky Security for Virtualization solution: in the Properties of the policy applied to Kaspersky Security for Virtualization 4.0 Light Agent for Windows, we define the syslog events to send to EMC, for example:

If I download an EICAR test file from a virtual machine where this policy is applied, I receive on EMC the following event:

So if we define on EMC a new instance of the Distributed IPS connect module in the following way,

we can manage these events in the proper way too.

In a similar manner it is possible to manage every type of event from other software of the Kaspersky Security solution, and react to them with EMC.

Antonio Opromolla

Posted 4 months ago

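As an added illustration (not part of Antonio's post, and not code from Extreme Networks or Kaspersky), the following Python script models what the Distributed IPS connect module does with the KSC syslog messages: it parses an RFC 3164-shaped header, takes the client address from the HOSTNAME field and adds it to a simulated end-system group when the message carries one of the event texts selected for export in the post. The sample lines are constructed, not captured KSC output, and the layout of the KSC message body is an assumption. The pair of lines with a hostname versus an IP in the header shows why the KLSRV_SPLG_SYSLOG_USE_IP_IN_HEADER step is needed before a group of type IP address can be populated.

```python
import re
from ipaddress import ip_address

# Constructed sample messages in RFC 3164 shape (not captured KSC output).
# The event texts are the ones selected for export in the post; the rest
# of the message body is an assumption made for this example.
# Without KLSRV_SPLG_SYSLOG_USE_IP_IN_HEADER the HOSTNAME field carries the client name:
LINE_HOSTNAME_HEADER = "<14>Mar  1 10:15:02 LAB-PC01 KSC: Malicious object detected: EICAR-Test-File"
# With the flag set, the same event arrives with the client IP in the HOSTNAME field:
LINE_IP_HEADER = "<14>Mar  1 10:15:02 192.0.2.25 KSC: Malicious object detected: EICAR-Test-File"
LINE_NOT_SELECTED = "<14>Mar  1 10:16:40 192.0.2.26 KSC: Update task completed"
LINE_CANNOT_DELETE = "<12>Mar  1 10:17:05 192.0.2.27 KSC: Disinfection impossible, Cannot be deleted: C:\\temp\\eicar.com"

# RFC 3164 header: PRI, TIMESTAMP, HOSTNAME (a name or an address), then TAG and CONTENT.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # PRI
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "   # TIMESTAMP
    r"(?P<host>\S+) "                                     # HOSTNAME field
    r"(?P<msg>.*)$"                                       # TAG + CONTENT
)

# Event texts that should move the client into the quarantine group (from the post).
QUARANTINE_EVENTS = (
    "Malicious object detected",
    "Disinfection impossible",
    "Cannot be deleted",
)


def parse_syslog(line):
    """Split a syslog line into its header fields; None if it is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def extract_client_ip(line):
    """Return the client IP from the HOSTNAME field, or None when it holds a name.

    An end-system group of type 'IP address' can only be populated when the
    header carries an address, which is why the KSC flag in the post is needed.
    """
    fields = parse_syslog(line)
    if fields is None:
        return None
    try:
        return str(ip_address(fields["host"]))
    except ValueError:
        return None


def matched_event(line):
    """Return the selected event text the message contains, or None."""
    fields = parse_syslog(line)
    if fields is None:
        return None
    for event in QUARANTINE_EVENTS:
        if event in fields["msg"]:
            return event
    return None


def process_events(lines):
    """Simulate the connect module over a batch of syslog lines.

    Returns (set of IPs to add to the Distributed IPS group, list of (line, reason)
    for messages that could not be acted on).
    """
    group = set()
    skipped = []
    for line in lines:
        event = matched_event(line)
        if event is None:
            skipped.append((line, "event not selected for export"))
            continue
        ip = extract_client_ip(line)
        if ip is None:
            skipped.append((line, "hostname in header, no IP to add"))
            continue
        group.add(ip)
    return group, skipped


if __name__ == "__main__":
    batch = [LINE_HOSTNAME_HEADER, LINE_IP_HEADER, LINE_NOT_SELECTED, LINE_CANNOT_DELETE]
    group, skipped = process_events(batch)
    print("Add to Distributed_IPS group and reauthenticate:", sorted(group))
    for line, reason in skipped:
        print("Skipped:", reason, "->", line)
```

Running it shows 192.0.2.25 and 192.0.2.27 going into the group, while the pre-patch line with LAB-PC01 in the header matches the event text but yields nothing the IP-typed group can hold, and the "Update task completed" line is ignored because it is not one of the exported event types.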
Kurt Semba, Employee

Great work Antonio, and thanks for sharing!
Drew C., Community Manager

This is great! Thanks for posting!
Pala, Zdenek, Employee

Wow, cool. Thanks for sharing!