
NwSDK wrapper/cli ruby gem

Question asked by RSA Admin Employee on Sep 3, 2015
Latest reply on Nov 20, 2016 by Kenny Kim

I whipped together a CLI and simplified wrapper library for accessing some of the REST SDK endpoints (query, values, packets, content, timeline). It has turned out to be pretty useful so far. It can dump query results via JSON, export PCAPs and extract session files from the command line. I also added a simplified CEF interface so that you can run queries and export the results directly as CEF syslog messages.


If you've got a Ruby runtime installed, just type gem install nwsdk


Once you've got the gem installed, you can use the CLI driver like so:


  nw cef CONDITIONS --loghost=LOGHOST  # send cef alerts for query conditions
  nw configure /path/to/config.json    # write out a template configuration file
  nw content CONDITIONS                # extract files for given query conditions
  nw help [COMMAND]                    # Describe available commands or one specific command
  nw pcap CONDITIONS                   # extract PCAP for given query conditions
  nw query CONDITIONS                  # execute SDK query
  nw timeline                          # get a time-indexed histogram of sessions/packets/...
  nw values CONDITIONS                 # get value report for specific meta key

Options:
  [--config=CONFIG]        # JSON file with endpoint info & credentials
                           # Default: $HOME/.nwsdk.json
  [--host=HOST]            # hostname for broker or concentrator
  [--port=N]               # REST port for broker/concentrator
                           # Default: 50103
  [--span=N]               # max timespan in seconds
                           # Default: 3600
  [--limit=N]              # max number of sessions
                           # Default: 10000
  [--start=START]          # start time for query
                           # Default: '1 hour ago'
  [--end=END]              # end time for query
  [--debug], [--no-debug]  # extra info


Source is at Open an issue or send a pull request if you run into any trouble.
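The post mentions a CEF interface that turns query results into CEF syslog messages. The script below is an added example of that conversion step, written for this page; it is not code from the nwsdk gem and does not use the gem's API. It takes a JSON dump of query results (the sample rows are constructed, not real broker output), maps a few NetWitness meta keys onto standard CEF extension keys (the mapping, the vendor/product/version defaults and the `nwsdk` syslog tag are assumptions), applies the CEF escaping rules for header and extension fields, and frames each event as an RFC 3164 syslog line. The interesting part is the escaping: a `|` in a header field and `=` or `\` in an extension value will corrupt parsing on the SIEM side unless escaped.

```ruby
#!/usr/bin/env ruby
# Added example: JSON query results -> CEF:0 events -> RFC 3164 syslog lines.
# Not part of the nwsdk gem; the meta-to-CEF mapping below is an assumption.
require 'json'
require 'socket'
require 'time'

# Constructed sample rows (illustrative, not real NetWitness output).
# Single-quoted heredoc so the JSON escapes are passed through untouched.
SAMPLE_RESULTS_JSON = <<~'JSON'
  [
    {"sessionid": 12345, "time": "2015-09-03T14:22:10Z", "ip.src": "10.1.2.3",
     "ip.dst": "203.0.113.7", "tcp.dstport": 443, "service": 443,
     "alias.host": "evil|host.example", "filename": "a=b\\c.exe"},
    {"sessionid": 12346, "time": "2015-09-03T14:22:11Z", "ip.src": "10.1.2.4",
     "ip.dst": "198.51.100.9", "tcp.dstport": 80, "service": 80,
     "alias.host": "www.example.com"}
  ]
JSON

# NetWitness meta key => standard CEF extension key (assumed mapping).
META_TO_CEF = {
  'ip.src'      => 'src',
  'ip.dst'      => 'dst',
  'tcp.srcport' => 'spt',
  'tcp.dstport' => 'dpt',
  'alias.host'  => 'dhost',
  'filename'    => 'fname',
  'sessionid'   => 'externalId',
}.freeze

# CEF header fields: '\' -> '\\', '|' -> '\|'. Block form of gsub avoids
# backslash interpretation in the replacement string.
def cef_escape_header(value)
  value.to_s.gsub('\\') { '\\\\' }.gsub('|') { '\\|' }
end

# CEF extension values: '\' -> '\\', '=' -> '\=', line breaks -> \r / \n.
# A raw '|' is allowed here, only the header cares about it.
def cef_escape_ext(value)
  value.to_s.gsub('\\') { '\\\\' }.gsub('=') { '\\=' }
       .gsub("\r") { '\\r' }.gsub("\n") { '\\n' }
end

# Build one CEF:0 event from one result row (Hash of meta key => value).
# Vendor/product/version defaults are placeholders for this example.
def cef_event(row, sig_id:, name:, severity: 5,
              vendor: 'RSA', product: 'NetWitness', version: 'example')
  header = ['CEF:0', vendor, product, version, sig_id, name, severity]
           .map { |f| cef_escape_header(f) }.join('|')
  ext = []
  custom = 0
  # CEF 'rt' is the event time in milliseconds since the epoch.
  ext << "rt=#{(Time.parse(row['time']).to_f * 1000).to_i}" if row['time']
  row.each do |key, value|
    next if key == 'time'
    if (cef_key = META_TO_CEF[key])
      ext << "#{cef_key}=#{cef_escape_ext(value)}"
    elsif custom < 6
      # Unmapped meta goes into the labelled custom-string slots cs1..cs6.
      custom += 1
      ext << "cs#{custom}Label=#{cef_escape_ext(key)}"
      ext << "cs#{custom}=#{cef_escape_ext(value)}"
    end
  end
  "#{header}|#{ext.join(' ')}"
end

def cef_lines_from_json(json, **opts)
  JSON.parse(json).map { |row| cef_event(row, **opts) }
end

# RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG, PRI = facility*8 + severity.
# Defaults: facility local4 (20), severity informational (6) -> <166>.
def syslog_line(cef, hostname: 'nwsdk', facility: 20, sev: 6, now: Time.now)
  "<#{facility * 8 + sev}>#{now.strftime('%b %e %H:%M:%S')} #{hostname} nwsdk: #{cef}"
end

# Ship the lines to a syslog collector over UDP; returns the count sent.
def send_cef(lines, loghost, port = 514)
  sock = UDPSocket.new
  lines.each { |line| sock.send(syslog_line(line), 0, loghost, port) }
  lines.size
ensure
  sock&.close
end

if __FILE__ == $0
  lines = cef_lines_from_json(SAMPLE_RESULTS_JSON,
                              sig_id: 'nw-query', name: 'NetWitness query hit')
  if ARGV[0]
    send_cef(lines, ARGV[0], (ARGV[1] || 514).to_i)   # ruby cef.rb LOGHOST [PORT]
  else
    lines.each { |line| puts syslog_line(line) }     # no loghost: print instead
  end
end
```

Run it with no arguments to see the framed events on stdout; pass a loghost (and optional port) to send them over UDP. Note that the `|` in `alias.host` survives unescaped in the extension, which is correct, while the `=` and `\` in `filename` are escaped; a naive `"#{k}=#{v}"` join would have produced a message that most CEF parsers split in the wrong place.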