Cisco Support Community

New Member

Interfaces for querying file disposition by hash

I have a customer who wants me to implement a workflow based on our product's findings for malicious content. The workflow involves querying various tools (Sourcefire being one) for knowledge of a file by its hash, and alternatively notifying the tools that a file is malicious. So I'm effectively looking to see if there are 2 interfaces available into Sourcefire:

a) query file state by hash - returning a disposition of the file from Sourcefire's perspective

and

b) notify Sourcefire of a file hash that is to be considered malicious.

Reviewing some of the documentation, I could mimic the first interface (I think) using eStreamer with my app requesting file event notifications and then caching the disposition for a hash, to then look up the hash when my product sees a file to determine the Sourcefire disposition. Obviously this is not as desirable as a real-time query since I'll be dealing with the chance that my caching has not caught up with my detection.

Any hints, ideas or pointers would be greatly appreciated.

  • Firepower API
1 REPLY
Cisco Employee

Ho,

Please shoot me an email to dohurd@cisco with a phone number.  This is tricky to cover in an email.

Doug
