Get pcap data file via API

Unanswered Question
Feb 3rd, 2017
User Badges:
  • Cisco Employee,

Hi experts,

I have a question about the API capability for pcap files.

I want to deploy the following workflow system.

  1. Firepower filters and captures malformed packets in accordance with IPS rules.

  2. Firepower Management Center sends a syslog alert to the SIEM system about the filtering or capturing.

  3. The SIEM gets the pcap file related to the syslog alert via API.

[Q]

Does Firepower Management Center support an API to get the pcap file?


Regards,

Kenjiro Kanemaki


dohurd Fri, 02/03/2017 - 07:42
User Badges:
  • Cisco Employee,

There are two ways I know of to obtain the PCAP for a specific Snort (IDS/IPS) event.

1. Request packets through the eStreamer API. You'll get all the packets all the time. It is possible to request a specific PCAP through eStreamer, but I'm not entirely sure how that's done. ArcSight does this using the timestamp for the Snort event, but this approach is prone to error (see no. 2).

2. Using the JDBC interface you can request a packet using Timestamp, Event ID and device name from the Snort event. This tuple of information assures that you'll get _the_ correct packet and is a better way to implement option 1.
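The following is an added example, not code from the thread or from Cisco, of the correlation step in option 2: parse the fields a SIEM would carry from the syslog alert, look the packet up by the (event ID, timestamp, device name) tuple rather than by timestamp alone, and write the result out as a libpcap file. The syslog line format, the table name `intrusion_event_packet` and its columns `event_id`, `event_time`, `sensor_name`, `packet_data`, and the packet bytes are all assumptions constructed for the example; an in-memory SQLite database stands in for the JDBC connection to the FMC database.

```python
"""
Correlate an intrusion-event syslog alert with its stored packet and emit a pcap.

Everything below the docstring is constructed for illustration: the syslog line
layout, the table/column names and the sample rows are assumptions, and SQLite
replaces the JDBC connection a real SIEM integration would open.
"""
import re
import sqlite3
import struct
from datetime import datetime, timezone

# Constructed syslog line: a SIEM would already have split out the fields it
# needs (event id, sensor/device name, event time) from the real alert.
SAMPLE_SYSLOG = (
    "<134>Feb  3 07:42:00 fmc SFIMS: [1:2100498:7] \"sample IPS rule\" "
    "event_id=4711 sensor=ftd-edge-01 event_time=2017-02-03T07:42:00Z"
)
SYSLOG_RE = re.compile(
    r"event_id=(?P<event_id>\d+)\s+sensor=(?P<sensor>\S+)\s+event_time=(?P<ts>\S+)"
)

# Constructed placeholder frames (not real captures), one per sample row.
PACKET_A = b"\xaa" * 14 + b"\x45\x00\x00\x28" + b"\x00" * 36
PACKET_B = b"\xbb" * 14 + b"\x45\x00\x00\x28" + b"\x00" * 36
PACKET_C = b"\xcc" * 14 + b"\x45\x00\x00\x28" + b"\x00" * 36


def parse_alert(line):
    """Extract the correlation tuple from the alert; event_time becomes epoch seconds."""
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError("line does not carry the intrusion-event fields we expect")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"event_id": int(m["event_id"]),
            "sensor_name": m["sensor"],
            "event_time": int(ts.timestamp())}


def build_sample_db():
    """Stand-in for the FMC database: three events logged in the same second."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE intrusion_event_packet "
                 "(event_id INTEGER, event_time INTEGER, sensor_name TEXT, packet_data BLOB)")
    t = 1486107720  # 2017-02-03T07:42:00Z
    rows = [
        (4711, t, "ftd-edge-01", PACKET_A),   # the event our alert refers to
        (4711, t, "ftd-core-02", PACKET_B),   # same id and second, different device
        (4712, t, "ftd-edge-01", PACKET_C),   # same device and second, different id
    ]
    conn.executemany("INSERT INTO intrusion_event_packet VALUES (?, ?, ?, ?)", rows)
    return conn


def packets_by_timestamp(conn, event_time):
    """The timestamp-only lookup: ambiguous whenever several events share a second."""
    return [r[0] for r in conn.execute(
        "SELECT packet_data FROM intrusion_event_packet WHERE event_time = ?",
        (event_time,))]


def packet_by_tuple(conn, event_id, event_time, sensor_name):
    """Lookup by the full tuple; parameterized so alert text never reaches the SQL."""
    rows = conn.execute(
        "SELECT packet_data FROM intrusion_event_packet "
        "WHERE event_id = ? AND event_time = ? AND sensor_name = ?",
        (event_id, event_time, sensor_name)).fetchall()
    if len(rows) != 1:
        raise LookupError(f"expected exactly one packet, found {len(rows)}")
    return rows[0][0]


def to_pcap(packet, ts_sec):
    """Wrap one frame in a libpcap file (magic 0xA1B2C3D4, v2.4, linktype 1 = Ethernet)."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_header = struct.pack("<IIII", ts_sec, 0, len(packet), len(packet))
    return global_header + record_header + packet


def fetch_pcap_for_alert(conn, line):
    """Full path: alert text -> correlation tuple -> packet -> pcap bytes."""
    alert = parse_alert(line)
    pkt = packet_by_tuple(conn, alert["event_id"], alert["event_time"], alert["sensor_name"])
    return to_pcap(pkt, alert["event_time"])


if __name__ == "__main__":
    db = build_sample_db()
    print("timestamp-only lookup returned", len(packets_by_timestamp(db, 1486107720)), "packets")
    with open("alert_4711.pcap", "wb") as fh:
        fh.write(fetch_pcap_for_alert(db, SAMPLE_SYSLOG))
    print("wrote alert_4711.pcap")
```

The sample rows deliberately put three events in the same second so the difference between the two lookups is visible: the timestamp-only query returns three candidate packets, while the tuple query returns exactly the one the alert refers to and raises if the match is not unique.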

Kenjiro Kanemaki Fri, 02/03/2017 - 08:54
User Badges:
  • Cisco Employee,

Thank you very much for your quick answer! I'll consider it based on the two ways.
