topic Fetching PCAP via API in R80.30 JHF 111 in API / CLI Discussion

Fetching PCAP via API in R80.30 JHF 111

Tim_Otis — Mon, 06 Jan 2020 20:41:56 GMT

Howdy.

With JHF 111 for R80.30 we can now fetch pcaps associated to threat prevention alerts (IPS/AB/etc) via API!

Handy for SOCs and IR teams.

Basically:
1. Log Exporter was modified to send an Attachment ID.
2. That Attachment ID can be leveraged via the get-attachment API call to fetch the goods.

Wanted to share the attached python script (in .7z + screenshot) as an example.

Tim Otis - Check Point Incident Response Team

Re: Fetching PCAP via API in R80.30 JHF 111

Kim_Moberg — Tue, 07 Jan 2020 05:26:19 GMT

Pretty need. Thanks for sharing

Re: Fetching PCAP via API in R80.30 JHF 111

Jon_Goldman — Tue, 07 Jan 2020 15:17:47 GMT

Nice!

Re: Fetching PCAP via API in R80.30 JHF 111

Norbert_Anderss — Tue, 07 Apr 2020 07:33:19 GMT

I'm using a MDM-MLM setup.

If a pcap file must be fetched via an API, will the pcap request go to a particular CMA or a CLM?

/Norbert

Re: Fetching PCAP via API in R80.30 JHF 111

Tim_Otis — Wed, 08 Apr 2020 20:31:04 GMT

Hi, It will be an API connection to the management server.

Re: Fetching PCAP via API in R80.30 JHF 111

Tomas_Vobruba — Mon, 27 Jul 2020 13:09:57 GMT

Hello Tim, could you specify on which version of python it is working? Thank you

Re: Fetching PCAP via API in R80.30 JHF 111

Lithin_Mathew — Mon, 28 Sep 2020 02:34:04 GMT

Hi @Tim_Otis ,

Thanks for sharing this script.

Could you confirm how would I get the "LOG_ATTACHMENT_UID".

Re: Fetching PCAP via API in R80.30 JHF 111

PhoneBoy — Mon, 28 Sep 2020 02:48:49 GMT

Believe it's in the log entry itself.

Re: Fetching PCAP via API in R80.30 JHF 111

Martin_Valenta — Tue, 16 Feb 2021 14:08:13 GMT

Code reviewed to work with python3 and r80.40 API version 1.6

#!/usr/bin/python import requests, json, binascii, time, base64, email, shlex user="" password="" mgmtServer="" port="443" import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def api_call(command, json_payload, sid): url = 'https://' + mgmtServer + ':' + port + '/web_api/' + command if sid == '': request_headers = {'Content-Type' : 'application/json'} else: request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid} r = requests.post(url,data=json.dumps(json_payload), headers=request_headers, verify=False) return r.json() def login(user,password): payload = {'user':user, 'password' : password} response = api_call('login',payload, '') return response["sid"] # Login print("Authenticating...") sid = login(user,password) print("Got Session id: " + sid) # Get the log_attachment_uid, package up, call API and keep the TaskID log_attachment_uid = "" post_data = {} post_data['attachment-id'] = log_attachment_uid print("Calling API for pcap with log_attachment_uid: " + log_attachment_uid) taskID = api_call('get-attachment',post_data, sid) print("Got TaskID: ",taskID) # Define a function to parse the '.eml' message that contains the actual pcap def parseEml(emlData): print("Parsing .eml formatted data...") mgs = base64.standard_b64decode(emlData) capMsg = email.message_from_bytes(mgs) contentTypeHdr = capMsg.get('Content-Type', '') hdrParts = shlex.split(contentTypeHdr,";") # print(contentTypeHdr) # print(hdrParts) # print(capMsg.get('attachment','')) for part in hdrParts: # print(part) if part.startswith('name'): longFilename = part.split("=")[1] filename = longFilename.split("/")[-1] pcapBase64 = capMsg.get_payload() return filename,pcapBase64 # Define a function to write the pcap data to disk using the filename defined in the .eml's content-type header def writePcap(filename,pcapBase64): with open(filename, "wb") as fh: fh.write(base64.standard_b64decode(pcapBase64)) print("Wrote pcap file :", filename) # Check on our TaskID # - 10 tries with a 5 second sleep betwixt each for x in range(10): # Call the API and check for 'succeeded' status print("Calling API to check on taskID:", taskID) response = api_call('show-task',taskID, sid) #print response status = response['tasks'][0]['status'] print("Status:", status) if status == "succeeded": print("Recieved packet data...") # The base64 blob in the log decodes to the standard '.eml' format, that .eml msg has a base64 email body which is the pcap content captureData = response['tasks'][0]['task-details'][0]['attachments'][0]['base64-data'] # print(captureData) # print (type(captureData)) captureData = str(captureData) filename,pcapBase64 = parseEml(captureData) writePcap(filename,pcapBase64) break time.sleep(5) print("Done.") print()