This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tim_Otis
Employee
Employee
‎2020-01-06 12:41 PM

Fetching PCAP via API in R80.30 JHF 111

Howdy. 

With JHF 111 for R80.30 we can now fetch pcaps associated to threat prevention alerts (IPS/AB/etc) via API!

Handy for SOCs and IR teams.

Basically:
1. Log Exporter was modified to send an Attachment ID.
2. That Attachment ID can be leveraged via the get-attachment API call to fetch the goods.

Wanted to share the attached python script (in .7z + screenshot) as an example.

Tim Otis - Check Point Incident Response Team

Fetch_PCAP_via_API.7z
119 KB
8 Replies
Kim_Moberg
Advisor
‎2020-01-06 09:26 PM

Pretty need. Thanks for sharing

Best Regards
Kim
0 Kudos
Jon_Goldman
Employee
Employee
‎2020-01-07 07:17 AM

Nice!

0 Kudos
Norbert_Anderss
Explorer
‎2020-04-07 12:33 AM
In response to Jon_Goldman

Hi

 

I'm using a MDM-MLM setup.

If a pcap file must be fetched via an API, will the pcap request go to a particular CMA or a CLM?

/Norbert

0 Kudos
Tim_Otis
Employee
Employee
‎2020-04-08 01:31 PM
In response to Norbert_Anderss

Hi, It will be an API connection to the management server.
0 Kudos
Tomas_Vobruba
Employee
Employee
‎2020-07-27 06:09 AM

Hello Tim, could you  specify on which version of python it is working? Thank you

0 Kudos
Lithin_Mathew
Contributor
‎2020-09-27 07:34 PM

Hi @Tim_Otis ,

Thanks for sharing this script.

Could you confirm how would I get the "LOG_ATTACHMENT_UID".

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-27 07:48 PM
In response to Lithin_Mathew

Believe it's in the log entry itself.

Martin_Valenta
Advisor
‎2021-02-16 06:08 AM

Code reviewed to work with python3 and r80.40 API version 1.6

#!/usr/bin/python
import requests, json, binascii, time, base64, email, shlex
user=""
password=""
mgmtServer=""
port="443"

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def api_call(command, json_payload, sid):
 url = 'https://' + mgmtServer  + ':' + port + '/web_api/' + command
 if sid == '':
  request_headers = {'Content-Type' : 'application/json'}
 else:
  request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
 r = requests.post(url,data=json.dumps(json_payload), headers=request_headers, verify=False)
 return r.json()

def login(user,password):
 payload = {'user':user, 'password' : password}
 response = api_call('login',payload, '')
 return response["sid"]

# Login
print("Authenticating...")
sid = login(user,password)
print("Got Session id: " + sid)

# Get the log_attachment_uid, package up, call API and keep the TaskID
log_attachment_uid = ""
post_data = {} 
post_data['attachment-id'] = log_attachment_uid
print("Calling API for pcap with log_attachment_uid: " + log_attachment_uid)
taskID = api_call('get-attachment',post_data, sid)
print("Got TaskID: ",taskID)

# Define a function to parse the '.eml' message that contains the actual pcap
def parseEml(emlData):
 print("Parsing .eml formatted data...")
 mgs = base64.standard_b64decode(emlData)

 capMsg = email.message_from_bytes(mgs)


 contentTypeHdr = capMsg.get('Content-Type', '')
 hdrParts = shlex.split(contentTypeHdr,";")
 # print(contentTypeHdr)
 # print(hdrParts)
 # print(capMsg.get('attachment',''))
 for part in hdrParts:
  # print(part)
  if part.startswith('name'):
   longFilename = part.split("=")[1]
   filename = longFilename.split("/")[-1]
 pcapBase64 = capMsg.get_payload()
 return filename,pcapBase64

# Define a function to write the pcap data to disk using the filename defined in the .eml's content-type header
def writePcap(filename,pcapBase64):
  with open(filename, "wb") as fh:
   fh.write(base64.standard_b64decode(pcapBase64))
  print("Wrote pcap file :", filename)

# Check on our TaskID
# - 10 tries with a 5 second sleep betwixt each
for x in range(10):
 # Call the API and check for 'succeeded' status
 print("Calling API to check on taskID:", taskID)
 response = api_call('show-task',taskID, sid)
 #print response
 status = response['tasks'][0]['status']
 print("Status:", status)
 if status == "succeeded":
  print("Recieved packet data...")
  # The base64 blob in the log decodes to the standard '.eml' format, that .eml msg has a base64 email body which is the pcap content
  captureData = response['tasks'][0]['task-details'][0]['attachments'][0]['base64-data']
  # print(captureData)
  # print (type(captureData))
  captureData = str(captureData)
  filename,pcapBase64 = parseEml(captureData)
  writePcap(filename,pcapBase64)
  break
 time.sleep(5)

print("Done.")
print()
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events