
Using SA REST interface to extract files from network collection

Question asked by RSA Admin Employee on Oct 16, 2015
Latest reply on Oct 19, 2015 by RSA Admin

Good afternoon all!


I apologize if this topic has been beaten to death previously, but I am trying to figure out how to use SA's REST API to extract files from network collect (like attachments in unencrypted email, files downloaded in HTTP, etc.). So far I haven't found any documentation on the URL that will actually extract the files.


My current method is going along the lines of:

1) Issue the query "http://x.x.x.x:50105/sdk?msg=query&id1=0&id2=0&size=10&query=select+ip.src,ip.dst,attachment+where+time=%27"+time1+"%27-%27"+time2+"%27+AND+attachment+exists&force-content-type=application/json". Here I have some Python code that will automatically put in the correct time parameters based off of however long I'm looking. Because I put in '0' for id1 and id2, I pull the values for them in the results to get the real starting id1/id2 that I should be using.

2) Then I iterate through all of the id values querying "http://x.x.x.x:50105/sdk?msg=query&id1={legitId1}&id2={legitId2}&size=100&query=select+ip.src,ip.dst,attachment+where+time=%27"+time1+"%27-%27"+time2+"%27+AND+attachment+exists&force-content-type=application/json". This will pull 100 results at a time where I can grab some info about each of the sessions that has an attachment.

3) Here I'd *like* to be able to take all of the session IDs that had attachments associated with them from the above queries, and go back and use them to pull the files from the sessions, but I'm not sure what syntax I'd need to be able to do that.


Of course, if I seem to be going about this the wrong way, I am completely open to suggestion on a better way to do this.


Thank you all for your help!
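
The query URLs from steps 1 and 2 of the question, built with validated inputs and proper URL encoding instead of string concatenation. This is an added example, not part of the original post and not RSA's code: the helper names are hypothetical, the timestamp text format is an assumption, and the id values in the demo are constructed. It covers only the `msg=query` calls shown in the post, not file extraction.

```python
from datetime import datetime
from urllib.parse import urlencode

# Host placeholder and port exactly as written in the post.
BASE_URL = "http://x.x.x.x:50105/sdk"
# Assumption: timestamps are sent as 'YYYY-Mon-DD HH:MM:SS'; adjust if your service differs.
TIME_FMT = "%Y-%b-%d %H:%M:%S"
FIELDS = ("ip.src", "ip.dst", "attachment")  # select list from the post


def build_where(start: datetime, end: datetime) -> str:
    """Build the where clause from datetime objects only, never raw strings."""
    if not (isinstance(start, datetime) and isinstance(end, datetime)):
        raise TypeError("start and end must be datetime objects")
    if end < start:
        raise ValueError("end precedes start")
    t1, t2 = start.strftime(TIME_FMT), end.strftime(TIME_FMT)
    return f"time='{t1}'-'{t2}' AND attachment exists"


def build_query_url(start, end, id1=0, id2=0, size=10) -> str:
    """Return the msg=query URL for steps 1 and 2 (hypothetical helper)."""
    for name, value in (("id1", id1), ("id2", id2), ("size", size)):
        if not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer")
    params = {
        "msg": "query",
        "id1": id1,
        "id2": id2,
        "size": size,
        "query": f"select {','.join(FIELDS)} where {build_where(start, end)}",
        "force-content-type": "application/json",
    }
    # urlencode percent-encodes quotes and spaces, so the clause cannot
    # break out of the query parameter.
    return f"{BASE_URL}?{urlencode(params, safe='/,')}"


if __name__ == "__main__":
    # Constructed sample window; the id values in the second call are made up.
    day = (datetime(2015, 10, 16, 0, 0, 0), datetime(2015, 10, 16, 23, 59, 59))
    print(build_query_url(*day))                            # step 1: id1=id2=0
    print(build_query_url(*day, id1=1, id2=100, size=100))  # step 2: one page
```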