I have a customer who wants me to implement a workflow based on our product's findings for malicious content. The workflow involves querying various tools (Sourcefire being one) for knowledge of a file by its hash, and alternatively notifying the tools that a file is malicious. So I'm effectively looking to see if there are 2 interfaces available into Sourcefire:
a) query file state by hash, returning a disposition of the file from Sourcefire's perspective,
and
b) notify Sourcefire of a file hash that is to be considered malicious.
Reviewing some of the documentation, I could mimic the first interface (I think) using eStreamer, with my app requesting file event notifications and then caching the disposition for a hash, to then look up the hash when my product sees a file to determine the Sourcefire disposition. Obviously this is not as desirable as a real-time query, since I'll be dealing with the chance that my caching has not caught up with my detection.
Any hints, ideas or pointers would be greatly appreciated.