Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
703
Views
0
Helpful
1
Replies

Interfaces for querying file disposition by hash

steve.bade
Level 1
Level 1

‎08-03-2017 12:48 PM - edited ‎03-12-2019 06:28 AM

I have a customer who wants me to implement a workflow based on our product's findings for malicious content.   The workflow involves querying various tools (sourcefire being one) for knowledge of a file by its hash, and alternatively notifying the tools that a file is malicious.  So i'm effectively looking to see if there are 2 interfaces available into sourcefilre

a) query file state by hash - returning a disposition of the file from sourcefire's perspective

and

b) notify sourcefire of a file hash that is to be considered malicious.

Reviewing some of the documentation,  I could mimic the first interface (I think) using EStreamer with my app requesting file event notifications and then caching the disposition for a hash, to then look up the hash when my product sees a file to determine the sourcefire disposition.   Obviously this is not as desireable as a realtime query since i'll be dealing with the chance that my caching has not caught up with my detection.

Any hints, ideas or pointers would be greatly appreciated.

Labels:
0 Helpful
1 Reply 1

dohurd
Cisco Employee
Cisco Employee

‎08-04-2017 11:02 AM

Ho,

Please shoot me an email to dohurd@cisco with a phone number.  This is tricky to cover in an email.

Doug

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card