Re: Fetching PCAP via API in R80.30 JHF 111

Tim_Otis · ‎2020-01-06

Howdy.

With JHF 111 for R80.30 we can now fetch pcaps associated to threat prevention alerts (IPS/AB/etc) via API!

Handy for SOCs and IR teams.

Basically:
1. Log Exporter was modified to send an Attachment ID.
2. That Attachment ID can be leveraged via the get-attachment API call to fetch the goods.

Wanted to share the attached python script (in .7z + screenshot) as an example.

Tim Otis - Check Point Incident Response Team

Kim_Moberg · ‎2020-01-06

Pretty need. Thanks for sharing

Best Regards
Kim

Jon_Goldman · ‎2020-01-07

Nice!

Norbert_Anderss · ‎2020-04-07

Hi

I'm using a MDM-MLM setup.

If a pcap file must be fetched via an API, will the pcap request go to a particular CMA or a CLM?

/Norbert

Tim_Otis · ‎2020-04-08

Hi, It will be an API connection to the management server.

Tomas_Vobruba · ‎2020-07-27

Hello Tim, could you specify on which version of python it is working? Thank you

Lithin_Mathew · ‎2020-09-27

Hi @Tim_Otis ,

Thanks for sharing this script.

Could you confirm how would I get the "LOG_ATTACHMENT_UID".

PhoneBoy · ‎2020-09-27

Believe it's in the log entry itself.

Martin_Valenta

Code reviewed to work with python3 and r80.40 API version 1.6

#!/usr/bin/python
import requests, json, binascii, time, base64, email, shlex
user=""
password=""
mgmtServer=""
port="443"

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def api_call(command, json_payload, sid):
 url = 'https://' + mgmtServer  + ':' + port + '/web_api/' + command
 if sid == '':
  request_headers = {'Content-Type' : 'application/json'}
 else:
  request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
 r = requests.post(url,data=json.dumps(json_payload), headers=request_headers, verify=False)
 return r.json()

def login(user,password):
 payload = {'user':user, 'password' : password}
 response = api_call('login',payload, '')
 return response["sid"]

# Login
print("Authenticating...")
sid = login(user,password)
print("Got Session id: " + sid)

# Get the log_attachment_uid, package up, call API and keep the TaskID
log_attachment_uid = ""
post_data = {} 
post_data['attachment-id'] = log_attachment_uid
print("Calling API for pcap with log_attachment_uid: " + log_attachment_uid)
taskID = api_call('get-attachment',post_data, sid)
print("Got TaskID: ",taskID)

# Define a function to parse the '.eml' message that contains the actual pcap
def parseEml(emlData):
 print("Parsing .eml formatted data...")
 mgs = base64.standard_b64decode(emlData)

 capMsg = email.message_from_bytes(mgs)


 contentTypeHdr = capMsg.get('Content-Type', '')
 hdrParts = shlex.split(contentTypeHdr,";")
 # print(contentTypeHdr)
 # print(hdrParts)
 # print(capMsg.get('attachment',''))
 for part in hdrParts:
  # print(part)
  if part.startswith('name'):
   longFilename = part.split("=")[1]
   filename = longFilename.split("/")[-1]
 pcapBase64 = capMsg.get_payload()
 return filename,pcapBase64

# Define a function to write the pcap data to disk using the filename defined in the .eml's content-type header
def writePcap(filename,pcapBase64):
  with open(filename, "wb") as fh:
   fh.write(base64.standard_b64decode(pcapBase64))
  print("Wrote pcap file :", filename)

# Check on our TaskID
# - 10 tries with a 5 second sleep betwixt each
for x in range(10):
 # Call the API and check for 'succeeded' status
 print("Calling API to check on taskID:", taskID)
 response = api_call('show-task',taskID, sid)
 #print response
 status = response['tasks'][0]['status']
 print("Status:", status)
 if status == "succeeded":
  print("Recieved packet data...")
  # The base64 blob in the log decodes to the standard '.eml' format, that .eml msg has a base64 email body which is the pcap content
  captureData = response['tasks'][0]['task-details'][0]['attachments'][0]['base64-data']
  # print(captureData)
  # print (type(captureData))
  captureData = str(captureData)
  filename,pcapBase64 = parseEml(captureData)
  writePcap(filename,pcapBase64)
  break
 time.sleep(5)

print("Done.")
print()