topic Re: Am I doing something wrong? in API / CLI Discussion

unsolved :( - Am I doing something wrong?

cstueckrath — Fri, 26 Oct 2018 12:37:13 GMT

Hi guys,

we are using a small Threat Emulation Appliance configured as an MTA to emulate and extract incoming e-mail attachments. It is currently running R80.20 with engine version 57.990002817.

I now want to have the ability to upload files to this appliance using e.g. powershell, so I tried to use the Threat Prevention API 1.0 Reference Guide to craft some JSON and upload a test file to be emulated.

At Accessing the API I learned, that I had to use port 18194, but my TE appliance doesn't even listen on this port.

I checked the Enable API box under Threat Extraction enabled the enable_scrub_web_service field following sk113599, but I'm not sure if this is even related to my problem.

How do I get this machine to listen to my requests? Is there some magic involved besides acceptibg traffic on this port?

Is /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini related to https://<service_address>/tecloud/api/1/file/ in any way?

Best regards,

Christian

Re: Am I doing something wrong?

PhoneBoy — Fri, 26 Oct 2018 22:00:59 GMT

SandBlast Agent for Browsers - working with Security Gateway or SandBlast Threat Emulation appliance specifies a couple things:

Setting enable_scrub_web_service to true via guidbedit (all instances of it)
Additional commands and modifications to TPAPI.ini depending on the version of software loaded on the Threat Emulation appliance.

Sounds like you did #1 but not #2.

Re: Am I doing something wrong?

cstueckrath — Mon, 29 Oct 2018 08:09:32 GMT

my TPAPI.ini:

tex_api_enabled = TRUE
scrub_service_portal_enabled = FALSE
logs_api_enabled = TRUE
api_key = <an API Key>
allowed_networks[]=0.0.0.0/0

if I enable the scrub service portal I can connect and use it, but this is for extraction only. I need emulation.

Re: unsolved :( - Am I doing something wrong?

PhoneBoy — Fri, 08 Feb 2019 23:20:46 GMT

So how are you calling the API?
What endpoint and what data are you passing?

Sounds like you're calling it with scrub_options (for Threat Extraction) instead of te_options (Threat Emulation).

Re: unsolved :( - Am I doing something wrong?

cstueckrath — Mon, 11 Feb 2019 07:55:46 GMT

no, we used te_options.

Here is a (incomplete) PS I used to pass a file to TE:

# Usage: Emulate-TransferFile.ps1 -TEFile Path-To-File -Action action
#
# action can be: upload, query, report
#
# return exit codes
#   1 == invalid arguments
#   2 == invalid action
#   3 == file invalid or does not exist
#   4 == AV only verdict without TE report
#   5 == Unknown verdict - report download failed

[CmdletBinding()]
Param(
[Parameter(
Mandatory=$true,
HelpMessage="Path to file to be emulated in TE.")]
[String]$TEFile,

[Parameter(
Mandatory=$true,
HelpMessage="upload, query or report")]
[String]$Action
)

#def
# TE emulator API
$TEServer = 'FQDN of TE:18194'
$TEApiKey = '<our API Key'

# TE images to be used for emulation
# add multiple images by adding GUIDs seperated by comma to TEIMAGES variable below
# Look for currently available images using [Expert@cp-te-1:0]# tecli s d i
#
# Win10 64-bit, Office2016: 10b4a9c6-e414-425c-ae8b-fe4dd7b25244
# Win7, Office 2013: 5e5de275-a103-4f67-b55b-47532918fa59 (available)
# WinXP, Office 2003/7: e50e99f3-5963-4573-af9e-e3f4750b55e2 (available)
# Win7, Office 2003/7: 7e6fe36e-889e-4c25-8704-56378f0830df
# Win7, Office 2010: 8d188031-1010-4466-828b-0cd13d4303ff
# Win7 64-bit, Office 2013: 3ff3ddae-e7fd-4969-818c-d5f1a2be336d
# Win8.1 64-bit, Office 2013: 6c453c9b-20f7-471a-956c-3198a868dc92

$TEImages = "e50e99f3-5963-4573-af9e-e3f4750b55e2,5e5de275-a103-4f67-b55b-47532918fa59"
$TEImageRev = "1"

if (-not (Test-Path $TEFile))
{
throw [System.IO.FileNotFoundException] "$TEFile not found."
}

# do magic byte check on filename
# ToDo: we need Get-FileSignature.ps1 from Skript Repository as psm1 on the Management Server
$TEFileType = Get-FileSignature -Path $TEFile

#We do not support Executables
if ($TEFileType.HexSignature -eq "4D5A")
{
throw [System.IO.FileFormatException] "$TEFile is an executable"
}

# we should have excluded all unsupported files and filesizes by now!
# calculate SHA1 from file
$TESHA1 = Get-FileHash -Path $TEFile -Algorithm SHA1
#Case Query (forums don't support formatting, the real ps1 is correctly formatted here):
$QueryBody = @{
request = @{
sha1 = $TESHA1
file_type = "zip"
features = "te", "av"
te = @{
reports = "pdf"
}
}
}

Invoke-RestMethod -Method Post -Uri "https://$TEServer/tecloud/api/v1/file/query" -Header @{"Authorization"=$TEApiKey} -Body (ConvertTo-Json $QueryBody) -SkipCertificateCheck

Re: unsolved :( - Am I doing something wrong?

PhoneBoy — Mon, 11 Feb 2019 21:48:42 GMT

What exactly do you get back from the API when you run this script?

Re: unsolved :( - Am I doing something wrong?

cstueckrath — Tue, 12 Feb 2019 07:42:56 GMT

Invoke-RestMethod : Authentication failed because the remote party has closed the transport stream.

btw: You'll need PS 6 to run this, because we need -SkipCertificateCheck in Invoke-RestMethod (see my other post here: How do I change the https certificate for Sandblast API?)

For Get-FileSignature you'll need Script Get-FileSignature, but you could just comment this out.

Re: unsolved :( - Am I doing something wrong?

PhoneBoy — Tue, 12 Feb 2019 17:53:16 GMT

What will be most helpful is to see:

What your script sent the API (what the raw JSON/HTTP Request looks like)
What the API actually responded with

There may be a log file on the Threat Emulation appliance we can look at--checking on this.

But if you can make your script log the raw API calls/responses somehow, that will help tremendously as well.

Re: unsolved :( - Am I doing something wrong?

cstueckrath — Wed, 13 Feb 2019 08:48:36 GMT

never mind, I just figured out that I posted the wrong version of the script.

And I found sk137032, which I was not aware of when I initially started to work on this...

I will try to follow the examples there and will report later.