Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47.
For those who simply cannot wait, I present the following stopgap solution:
- Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value
[Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242
tcp 0 0 127.0.0.1:18242 0.0.0.0:* LISTEN 3247/smartlog_serve
[Expert@stack-mgmt-a0:0]#
# authenticate and obtain FWMToken value
curl_cli -v -d @fwm-login.xml 'http://127.0.0.1:18242/login' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml
fwm_token=`xmllint --format --shell fwm-login-resp.xml <<< "cat //root/token/text()" |tail -n +2 |head -n -1`
Content of fwm-login.xml:
<login><user><![CDATA[admin]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[admin123]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>
- Authenticate using mgmt_cli to obtain a "CPMToken" value
# authenticate and obtain CPMToken value
cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`
- Fetch an XML report blob from the smartlog server service
uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F
timestamp=`date -d '07/09/2019 12:00:00' +"%s"`
# $1 - report uid
# $2 - date - a unix timestamp that equals noon on the same day the event was created
# fetch the XML report blob
export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&CPMToken=$cpm_token"
curl_cli -v 'http://127.0.0.1:18242/packet_capture?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incid...' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o $1.xml
The complete request parameters:
'?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14'
Note: Pay attention to the parameters that must be modified to match a different management server.
- Extract and decode XML report blob content
# extract the XML report blob and decode it
xmllint --nocdata --format --shell $1.xml <<< "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d > $1.zip
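The steps above as one helper script, added here as an example and not part of the original post: it derives the noon timestamp from the event's own epoch time, builds the query string from the "complete request parameters", fetches and decodes the blob, and checks that the decoded result really is a zip archive before it is used. It assumes the same local services as the post (smartlog_server on 127.0.0.1:18242, tokens already obtained into FWM_TOKEN and CPM_TOKEN) and a coreutils-style `head -c`.

```shell
#!/bin/sh
# Added helper (not from the original post). Assumes FWM_TOKEN and CPM_TOKEN
# hold the values obtained in the login steps, and that curl_cli and xmllint
# are present as on a Gaia management server.

# Noon (UTC) of the calendar day containing the given epoch timestamp.
# The post derives this with `date -d '<day> 12:00:00' +%s`, which uses the
# local timezone; this arithmetic form is timezone-independent (UTC).
noon_ts() {
    day_start=$(( $1 / 86400 * 86400 ))
    echo $(( day_start + 43200 ))
}

# Build the query string from the post's "complete request parameters".
# $1 incident uid, $2 noon timestamp, $3 module_name, $4 log server IP.
build_query() {
    printf '?session_id=0&product=Forensics&module_name=%s&incident_uid=%s&date=%s&service=ignore&log_server=%s' \
        "$3" "$1" "$2" "$4"
}

# The decoded blob must be a zip archive: check the "PK" local-file-header
# magic before handing the file to an unzip tool.
is_zip() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

# Fetch one report and write $1.zip, failing if the decoded blob is not a zip.
# $1 incident uid, $2 event epoch time, $3 module_name, $4 log server IP.
fetch_report() {
    uid=$1; event_ts=$2; module=$3; log_server=$4
    query=$(build_query "$uid" "$(noon_ts "$event_ts")" "$module" "$log_server")
    curl_cli -s "http://127.0.0.1:18242/packet_capture${query}" \
        --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" \
        -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" \
        --cookie "FWMToken=${FWM_TOKEN}&CPMToken=${CPM_TOKEN}" \
        -o "$uid.xml"
    # Same extraction pipeline as the post (double base64-encoded blob).
    xmllint --nocdata --format --shell "$uid.xml" <<EOF | tail -n +2 | head -n -2 | base64 -d | base64 -d > "$uid.zip"
cat //blob/text()
EOF
    is_zip "$uid.zip" || { echo "decoded blob for $uid is not a zip archive" >&2; return 1; }
}
```

Example call: `fetch_report A8571015-BF9A-492B-81D0-1D9EBCD6EB3F 1562650000 stack-mgmt-a0 10.0.0.14`.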