Skip to main content

McAfee ATD API - Monitoring a folder to submit files to ATD (atdsubmit.py)

McAfee Sandboxing solution is called McAfee Advanced Threat Defense. This solution has a strong API that allows interesting use cases beyond the out of the box integrations that the solution provides.

In this post I introduce a python application called atdsubmit.py, this is an unofficial not supported application that can help you understanding how the API works enabling you to build your own use cases.

The application is available on github. In nutshell the application gets through command line parameters the credentials to connect to ATD box and the folder to monitor, then it checks for any file creation event on the monitored folder and submit it to the ATD box.

The application is a multi-threaded application with different sets of threads in such a way that every single mayor action is isolated from the rest. The following diagram shows how the application works, colors represent the different sets of threads:





This is the help available on the repository:

atdsubmit

 Python app that monitors a folder submitting new files to McAfee ATD Sandboxing solution for inspection.

Usage
atdsubmit.py [-ip ATD_IP_Address] [-u ATD_Username] [-p ATD_Password] [-m folder_to_monitor]

 Description
atdsubmit.py is a multi-threaded application that uses a separate sets of threads for the following processes:


  1. Monitor the folder passed as an argument for new files.
  2. Calculate the period of time not connectig to the ATD and manage heartbeats connections to the ATD Server to maintain connection open.
  3. Submit samples to the ATD server

The application includes following feautures:


  • At first execution is able to detect current files on the folder to monitor to not upload them to the ATD box
  • When an new file detection event is detected, is able to detect if the file has been partially copied (for instance big files that take a while to complete the copy operation), delegating the submit operation of the file to a second process that executes every 5 minutes.
  • Every five minutes, pending files are analyzed and submitted to the ATD server, a maximum size filter (120MB) is also considered
  • If in a period of five minutes the application has not submitted any file to the ATD server, it heartbeats the ATD server to maintain conenction open.
  • All information related to the execution of the application is stored in a log file in the /log folder on the same path from where the application is launched.


I hope you can build your own use case with this solution
Thanks for reading

Labels:

Comments

Post a Comment

Popular posts from this blog

Working with McAfee SIEM API

McAfee SIEM has a strong API that allows to interact with the application programatically. This API offers a RESTful interface and its documentation is available in the following URL on a running ESM https://<ESM_IP>/rs/esm/help In this post, through a set of code snippets I will show you how to connect to the ESM API via RESTful and execute different API commands. 1) Initial connection to the API Server In this first code snippet we are authenticating against the API and we obtain a token in the response that we use in order to create an authenticated header that will be used for the rest of API connections. 2) Testing that we have all the authentication parameters needed. Getting the time of the system. In this second code snippet we use the just obtained authentication header in order to get the system time through the available command (essmgtGetESSTime)   3) Getting the version (builtstamp) of the system.   4) Other useful available ...
2 comments
Read more

Integrating McAfee SIEM with Apache Nifi Video 2/3

In this second video, I will show how to create a workflow blueprint. The workflow created, does the following steps: Collect information from twitter and filter them by some keywords, in order to do this certain credentials must be obtained from the twitter api (Consumer secret and access token secret), the sensible information is not shown on the video. Next step is pull key attributes, from the twitter json string, so we don't have to deal with the information we are not interested in, in this example I am extracting user name, language used and message information. Next, we check that it is in fact a twitter message and if so we route the information to the next step. Next , the traffic flow is transformed into a json string Last step is to send the information as the message string of a syslog event to the receiver. In the SIEM receiver we create a Data Source and log the unknown syslog information as unknown, in the next post I will create a parser so the...
13 comments
Read more

How to blacklist IPs on McAfee Network Security Platform

Python script that allows to blacklist IPs on McAfee Network Security Platform. The uses is quite straightforward, bellow you can see some examples Usage nsmcli.py [-h] -u USER -p PASSWORD -nsm NSM_IP [-get_sensors][-get_qhosts][-sensor SENSOR_NAME][-i IP_ADDRESS][-quarantine][-remove] [-t {15,30,45,60,240,480,720,960,999}][--version] Examples of usage Get the list of sensors managed by a Network Security Manager nsmcli.py -u admin -p admin123 -nsm 192.168.0.202 -get_sensors Name ID           Model   Sensor     IP                     SW Ver    Sigset Ver   Active M2750-4pocs   1001     M-2750   192.168.0.203   7.5.3.16   7.6.14.9       1 Get the list of quarantine IPs nsmcli.py -u admin -p admin123 -nsm 192.168.0.202 -get_qhosts Quarantined hosts for M2750-4pocs ...
1 comment
Read more