02-03-2017 02:37 AM - edited 03-12-2019 06:16 AM
Hi experts,
I have a question about API capability for pcap file.
I want to deploy the following workflow system.
1. Firepower filters and captures malformed packets in accordance with an IPS rule.
2. Firepower Management Center sends a syslog alert to the SIEM system about the filtering or capturing.
3. The SIEM gets the pcap file related to the syslog alert via an API.
[Q]
Does Firepower Management Center support an API to get the pcap file?
Regards,
Kenjiro Kanemaki
02-03-2017 07:42 AM
There are two ways I know of to obtain the PCAP for a specific Snort (IDS/IPS) event.
1. Request packets through the eStreamer API. You'll get all the packets all the time. It is possible to request a specific PCAP through eStreamer, but I'm not entirely sure how that's done. ArcSight does it using the timestamp for the Snort event, but this approach is prone to error (see no. 2).
2. Using the JDBC interface, you can request a packet using the timestamp, event ID and device name from the Snort event. This tuple of information assures that you'll get _the_ correct packet and is a better way to implement option 1.
02-03-2017 08:54 AM
Thank you very much for your quick answer! I'll consider both ways.
01-23-2019 01:27 PM
Do you have any further instructions on retrieving the PCAP via JDBC? I can't seem to retrieve a usable capture at this time - just the hex. The binary pull doesn't supply anything that is viewable.
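Added example, not part of the thread above and not Cisco's or ArcSight's code: the JDBC route in the second answer hands back the packet bytes of one Snort event (the later reply in this thread notes they arrive as hex), and a SIEM can only open them once they are wrapped in a pcap container. The block below converts a hex-encoded packet plus its capture timestamp and link type into a valid libpcap file and parses the result back to check it. The row layout (`event_id`, `packet_time`, `packet_data`, `linktype`) is an assumption standing in for whatever the database query returns, and the packet itself is a constructed 42-byte Ethernet/IPv4/UDP frame, not a real capture.

```python
"""Wrap hex-encoded packet data pulled from a database into a pcap file.

Example code added to this thread; the row layout and sample packet are
assumptions, not the real FMC schema or a real capture.
"""
import struct
from typing import Dict, Iterable, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic, microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1     # DLT_EN10MB: packet_data starts with an Ethernet header
LINKTYPE_RAW_IP = 101     # DLT_RAW: use this if the capture starts at the IP header

# Constructed sample row (assumed column names). The packet is a hand-built
# Ethernet + IPv4 + UDP frame: 10.0.0.1:12345 -> 10.0.0.2:53, no payload.
SAMPLE_ROWS: List[Dict] = [
    {
        "event_id": 4242,
        "packet_time": 1485998400.123456,   # Unix time of the capture
        "linktype": LINKTYPE_ETHERNET,
        "packet_data": (
            "001122334455 66778899aabb 0800"          # Ethernet dst, src, type IPv4
            "4500001c 0001 0000 4011 0000"             # IPv4: len 28, TTL 64, proto UDP
            "0a000001 0a000002"                        # src 10.0.0.1, dst 10.0.0.2
            "3039 0035 0008 0000"                      # UDP: 12345 -> 53, len 8
        ),
    }
]


def hex_to_bytes(packet_hex: str) -> bytes:
    """Decode a hex dump ('0011 22 ...' or '0x001122...') into raw bytes."""
    cleaned = "".join(packet_hex.split())
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if len(cleaned) % 2:
        raise ValueError("odd-length hex string; the dump is truncated or corrupt")
    return bytes.fromhex(cleaned)


def pcap_global_header(linktype: int, snaplen: int = 65535) -> bytes:
    """24-byte file header: magic, version 2.4, tz 0, sigfigs 0, snaplen, link type."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts: float, data: bytes) -> bytes:
    """16-byte record header (sec, usec, captured len, original len) + packet bytes."""
    ts_sec = int(ts)
    ts_usec = int(round((ts - ts_sec) * 1_000_000))
    if ts_usec == 1_000_000:          # rounding carried into the next second
        ts_sec, ts_usec = ts_sec + 1, 0
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


def build_pcap(rows: Iterable[Dict], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialize a set of rows (all sharing one link type) into one pcap blob."""
    chunks = [pcap_global_header(linktype)]
    for row in rows:
        if row.get("linktype", linktype) != linktype:
            raise ValueError("a pcap file carries exactly one link type")
        chunks.append(pcap_record(row["packet_time"], hex_to_bytes(row["packet_data"])))
    return b"".join(chunks)


def parse_pcap(blob: bytes) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Read the blob back; returns (linktype, [(ts_sec, ts_usec, packet), ...])."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order microsecond pcap file")
    offset, packets = 24, []
    while offset < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        packets.append((ts_sec, ts_usec, blob[offset:offset + incl_len]))
        offset += incl_len
    return linktype, packets


def write_pcap(path: str, rows: Iterable[Dict], linktype: int = LINKTYPE_ETHERNET) -> int:
    """Write rows to `path`; returns the number of bytes written."""
    blob = build_pcap(rows, linktype)
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


if __name__ == "__main__":
    n = write_pcap("event_4242.pcap", SAMPLE_ROWS)
    print(f"wrote {n} bytes; open event_4242.pcap in Wireshark or tcpdump -r")
```

The link type is the detail that most often makes a converted capture "unviewable": if the stored bytes begin at the IP header rather than at Ethernet, the file must be written with `LINKTYPE_RAW_IP`, or every packet will decode as garbage. A quick sanity check after conversion is that `tcpdump -r` shows the expected addresses and ports.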