This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tim_Otis
Employee
Employee
‎2020-01-06 12:41 PM

Fetching PCAP via API in R80.30 JHF 111

Howdy. 

With JHF 111 for R80.30 we can now fetch pcaps associated to threat prevention alerts (IPS/AB/etc) via API!

Handy for SOCs and IR teams.

Basically:
1. Log Exporter was modified to send an Attachment ID.
2. That Attachment ID can be leveraged via the get-attachment API call to fetch the goods.

Wanted to share the attached python script (in .7z + screenshot) as an example.

Tim Otis - Check Point Incident Response Team

Fetch_PCAP_via_API.7z
119 KB
8 Replies
Kim_Moberg
Advisor
‎2020-01-06 09:26 PM

Pretty need. Thanks for sharing

Best Regards
Kim
0 Kudos
Jon_Goldman
Employee
Employee
‎2020-01-07 07:17 AM

Nice!

0 Kudos
Norbert_Anderss
Explorer
‎2020-04-07 12:33 AM
In response to Jon_Goldman

Hi

 

I'm using a MDM-MLM setup.

If a pcap file must be fetched via an API, will the pcap request go to a particular CMA or a CLM?

/Norbert

0 Kudos
Tim_Otis
Employee
Employee
‎2020-04-08 01:31 PM
In response to Norbert_Anderss

Hi, It will be an API connection to the management server.
0 Kudos
Tomas_Vobruba
Employee
Employee
‎2020-07-27 06:09 AM

Hello Tim, could you  specify on which version of python it is working? Thank you

0 Kudos
Lithin_Mathew
Contributor
‎2020-09-27 07:34 PM

Hi @Tim_Otis ,

Thanks for sharing this script.

Could you confirm how would I get the "LOG_ATTACHMENT_UID".

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-27 07:48 PM
In response to Lithin_Mathew

Believe it's in the log entry itself.

Martin_Valenta
Advisor
‎2021-02-16 06:08 AM

Code reviewed to work with python3 and r80.40 API version 1.6

#!/usr/bin/python
import requests, json, binascii, time, base64, email, shlex
user=""
password=""
mgmtServer=""
port="443"

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def api_call(command, json_payload, sid):
 url = 'https://' + mgmtServer  + ':' + port + '/web_api/' + command
 if sid == '':
  request_headers = {'Content-Type' : 'application/json'}
 else:
  request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
 r = requests.post(url,data=json.dumps(json_payload), headers=request_headers, verify=False)
 return r.json()

def login(user,password):
 payload = {'user':user, 'password' : password}
 response = api_call('login',payload, '')
 return response["sid"]

# Login
print("Authenticating...")
sid = login(user,password)
print("Got Session id: " + sid)

# Get the log_attachment_uid, package up, call API and keep the TaskID
log_attachment_uid = ""
post_data = {} 
post_data['attachment-id'] = log_attachment_uid
print("Calling API for pcap with log_attachment_uid: " + log_attachment_uid)
taskID = api_call('get-attachment',post_data, sid)
print("Got TaskID: ",taskID)

# Define a function to parse the '.eml' message that contains the actual pcap
def parseEml(emlData):
 print("Parsing .eml formatted data...")
 mgs = base64.standard_b64decode(emlData)

 capMsg = email.message_from_bytes(mgs)


 contentTypeHdr = capMsg.get('Content-Type', '')
 hdrParts = shlex.split(contentTypeHdr,";")
 # print(contentTypeHdr)
 # print(hdrParts)
 # print(capMsg.get('attachment',''))
 for part in hdrParts:
  # print(part)
  if part.startswith('name'):
   longFilename = part.split("=")[1]
   filename = longFilename.split("/")[-1]
 pcapBase64 = capMsg.get_payload()
 return filename,pcapBase64

# Define a function to write the pcap data to disk using the filename defined in the .eml's content-type header
def writePcap(filename,pcapBase64):
  with open(filename, "wb") as fh:
   fh.write(base64.standard_b64decode(pcapBase64))
  print("Wrote pcap file :", filename)

# Check on our TaskID
# - 10 tries with a 5 second sleep betwixt each
for x in range(10):
 # Call the API and check for 'succeeded' status
 print("Calling API to check on taskID:", taskID)
 response = api_call('show-task',taskID, sid)
 #print response
 status = response['tasks'][0]['status']
 print("Status:", status)
 if status == "succeeded":
  print("Recieved packet data...")
  # The base64 blob in the log decodes to the standard '.eml' format, that .eml msg has a base64 email body which is the pcap content
  captureData = response['tasks'][0]['task-details'][0]['attachments'][0]['base64-data']
  # print(captureData)
  # print (type(captureData))
  captureData = str(captureData)
  filename,pcapBase64 = parseEml(captureData)
  writePcap(filename,pcapBase64)
  break
 time.sleep(5)

print("Done.")
print()
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫