I have a customer who wants me to implement a workflow based on our product's findings for malicious content. The workflow involves querying various tools (Sourcefire being one) for knowledge of a file by its hash, and alternatively notifying the tools that a file is malicious. So I'm effectively looking to see if there are two interfaces available into Sourcefire:
a) query file state by hash, returning a disposition of the file from Sourcefire's perspective
b) notify Sourcefire of a file hash that is to be considered malicious.
Reviewing some of the documentation, I could mimic the first interface (I think) using eStreamer, with my app requesting file event notifications and then caching the disposition for a hash, to then look up the hash when my product sees a file to determine the Sourcefire disposition. Obviously this is not as desirable as a real-time query, since I'll be dealing with the chance that my caching has not caught up with my detection.
Any hints, ideas or pointers would be greatly appreciated.
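The caching approach described in the question, sketched as an added example (not code from the original post, Cisco, or Sourcefire). It assumes a stream of file-event records that have already been decoded into dictionaries with `ts`, `sha256` and `disposition` fields; those field names, the disposition strings and the sample events are constructed for illustration and are not the eStreamer record layout. The part worth showing is the "cache has not caught up" case: the cache tracks the newest event timestamp it has consumed, so a lookup can tell the caller whether a miss (or a verdict) may simply be feed lag rather than Sourcefire's current view.

```python
"""Hash-keyed disposition cache fed by file events, with a lag indicator.

Added example: record fields, disposition strings and sample events are
assumptions for illustration, not the eStreamer wire format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed sample events (not real eStreamer output). Note the later
# verdict for hash "a..." and the out-of-order arrival of the "c..." event.
SAMPLE_EVENTS = [
    {"ts": 100, "sha256": "a" * 64, "disposition": "clean"},
    {"ts": 105, "sha256": "b" * 64, "disposition": "malware"},
    {"ts": 110, "sha256": "a" * 64, "disposition": "malware"},
    {"ts": 108, "sha256": "c" * 64, "disposition": "unknown"},
]

# Tie-break order when two events for one hash carry the same timestamp.
SEVERITY = {"unknown": 0, "clean": 1, "malware": 2}


@dataclass
class Entry:
    disposition: str
    ts: int


class DispositionCache:
    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}
        # Newest event timestamp consumed so far; used to judge feed lag.
        self.high_water = 0

    def ingest(self, event: dict) -> None:
        """Record one file event, keeping the newest verdict per hash."""
        sha = event["sha256"].lower()
        new = Entry(event["disposition"], event["ts"])
        cur = self._entries.get(sha)
        newer = cur is None or new.ts > cur.ts
        same_ts_more_severe = (
            cur is not None
            and new.ts == cur.ts
            and SEVERITY[new.disposition] > SEVERITY[cur.disposition]
        )
        if newer or same_ts_more_severe:
            self._entries[sha] = new
        self.high_water = max(self.high_water, event["ts"])

    def lookup(self, sha256: str, seen_at: int) -> Tuple[str, bool]:
        """Return (disposition, caught_up).

        caught_up is False when the feed has not yet delivered events up to
        seen_at, meaning a miss or an older verdict may be lag rather than
        the final disposition; the caller should treat it as provisional.
        """
        caught_up = self.high_water >= seen_at
        entry = self._entries.get(sha256.lower())
        if entry is None:
            return "unknown", caught_up
        return entry.disposition, caught_up


def build_cache(events: Iterable[dict]) -> DispositionCache:
    """Consume a batch of events into a fresh cache."""
    cache = DispositionCache()
    for event in events:
        cache.ingest(event)
    return cache


if __name__ == "__main__":
    cache = build_cache(SAMPLE_EVENTS)
    for sha, seen_at in (("a" * 64, 110), ("c" * 64, 109), ("d" * 64, 120)):
        print(sha[:8], cache.lookup(sha, seen_at))
```

A lookup at a detection time beyond the cache's high-water mark returns a second value of `False`; in the workflow described that is the signal to either wait and retry or fall back to treating the disposition as unknown rather than clean.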