🏏 👨🏼‍🚀 🦍 通过API与Check Point SandBlast进行交互 📐 💻 ⚗️

对于熟悉文件仿真（威胁仿真）和主动清除文件（威胁提取）技术的Check Point技术的人员，并希望迈出使这些任务自动化的一步，本文将非常有用。Check Point具有可在云和本地设备上运行的Threat Prevention API，其功能与检查web / smtp / ftp / smb / nfs流量流中的文件相同。本文部分是作者对官方文档中的一组文章的解释，但是基于我自己的操作经验和我自己的示例。同样在本文中，您将找到作者的Postman集合以使用Threat Prevention API。

基本缩写

Threat Prevention API , API :

av - Anti-Virus, .

te - Threat Emulation, , (malicious)/(benign) .

extraction - Threat Extraction, ( ), /.

API

Threat Prevention API 4 - upload, query, download quota. API , Authorization. , , Management API, upload query . Threat Prevention /.

, Threat Prevention API - 1.0, URL API v1 , . Management API, API URL , .

Anti-Virus (te, extraction) query md5 . Threat Emulation Threat Extraction sha1 sha256 .

! , . / .

reports(reportss)

{ "request":  [  

		{	
			"sha256": {{sha256}},
			"features": ["te"] , 
			"te": {
				"images": [
                    {
                        "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
                        "revision": 1
                    }
                ],
                reportss: ["tar", "pdf", "xml"]
            }
		}
	] 
}

{
  "response": [
    {
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      },
      "sha256": "9cc488fa6209caeb201678f8360a6bb806bd2f85b59d108517ddbbf90baec33a",
      "file_type": "pdf",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 10,
        "images": [
          {
            "report": {
              "verdict": "malicious"
            },
            "status": "found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "combined_verdict": "malicious",
        "severity": 4,
        "confidence": 3,
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      }
    }
  ]
}

reports

{ "request":  [  

		{	
			"sha256": {{sha256}},
			"features": ["te"] , 
			"te": {
				"images": [
                    {
                        "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
                        "revision": 1
                    }
                ],
                reports: ["tar", "pdf", "xml"]
            }
		}
	] 
}

, id

{
  "response": [
    {
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      },
      "sha256": "9cc488fa6209caeb201678f8360a6bb806bd2f85b59d108517ddbbf90baec33a",
      "file_type": "pdf",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 10,
        "images": [
          {
            "report": {
              "verdict": "malicious",
              "full_report": "b684066e-e41c-481a-a5b4-be43c27d8b65",
              "pdf_report": "e48f14f1-bcc7-4776-b04b-1a0a09335115",
              "xml_report": "d416d4a9-4b7c-4d6d-84b9-62545c588963"
            },
            "status": "found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "combined_verdict": "malicious",
        "severity": 4,
        "confidence": 3,
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      }
    }
  ]
}

/ API , 403.

SandBlast API:

API Check Point, (blade) Threat Emulation. ip/url 18194 ( - https://10.10.57.19:18194/tecloud/api/v1/file/query). , . API Authorization .

API CheckPoint te.checkpoint.com ( - https://te.checkpoint.com/tecloud/api/v1/file/query). API 60 , Check Point .

Threat Extraction Threat Prevention API Threat Prevention API for Security Gateway ( ).

quota.

Upload API

- POST

- https://<service_address>/tecloud/api/v1/file/upload

(form-data): / .

, . , , :

upload

HTTP POST	https://<service_address>/tecloud/api/v1/file/upload
Headers:	Authorization: <api_key>
Body	{ "request": { } }
File	File

: - te, - Win XP Win 7, .

file_name file_type , . API , md5/sha1/sha256 hash .

file_name file_type

{

"request": {

"file_name": "",

"file_type": "",

}

}

features - , - av (Anti-Virus), te (Threat Emulation), extraction (Threat Extraction). , - te(Threat Emulation).

, API .

av, te extraction

{ "request":  [  

		{	
			"sha256": {{sha256}},
			"features": ["av", "te", "extraction"]  
		}
	] 
}

te

images - , id , . ID .

Available OS Image ID	Revision	Image OS and Application
e50e99f3-5963-4573-af9e-e3f4750b55e2	1	Microsoft Windows: XP - 32bit SP3 Office: 2003, 2007 Adobe Acrobat Reader: 9.0 Flash Player 9r115 and ActiveX 10.0 Java Runtime: 1.6.0u22
7e6fe36e-889e-4c25-8704-56378f0830df	1	Microsoft Windows: 7 - 32bit Office: 2003, 2007 Adobe Acrobat Reader: 9.0 Flash Player: 10.2r152 (Plugin& ActiveX) Java Runtime: 1.6.0u0
8d188031-1010-4466-828b-0cd13d4303ff	1	Microsoft Windows: 7 - 32bit Office: 2010 Adobe Acrobat Reader: 9.4 Flash Player: 11.0.1.152 (Plugin & ActiveX) Java Runtime: 1.7.0u0
5e5de275-a103-4f67-b55b-47532918fa59	1	Microsoft Windows: 7 - 32bit Office: 2013 Adobe Acrobat Reader: 11.0 Flash Player: 15 (Plugin & ActiveX) Java Runtime: 1.7.0u9
3ff3ddae-e7fd-4969-818c-d5f1a2be336d	1	Microsoft Windows: 7 - 64bit Office: 2013 (32bit) Adobe Acrobat Reader: 11.0.01 Flash Player: 13 (Plugin & ActiveX) Java Runtime: 1.7.0u9
6c453c9b-20f7-471a-956c-3198a868dc92	1	Microsoft Windows: 8.1 - 64bit Office: 2013 (64bit) Adobe Acrobat Reader: 11.0.10 Flash Player: 18.0.0.160 (Plugin & ActiveX) Java Runtime: 1.7.0u9
10b4a9c6-e414-425c-ae8b-fe4dd7b25244	1	Microsoft Windows: 10 Office: Professional Plus 2016 en-us Adobe Acrobat Reader: DC 2015 MUI Flash Player: 20 (Plugin & ActiveX) Java Runtime: 1.7.0u9

images , , Check Point ( Win XP Win 7). catch rate.

reports - , , . :

summary - .tar.gz , image' ( html , , , json, ). - summary_report .
pdf - image, Smart Console. - pdf_report .
xml - image, . - xml_report .
tar - .tar.gz , image' ( html , , , json, ). - full_report .

summary

full_report, pdf_report, xml_report

{
  "response": [
    {
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      },
      "sha256": "9e6f07d03b37db0d3902bde4e239687a9e3d650e8c368188c7095750e24ad2d5",
      "file_type": "html",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 10,
        "images": [
          {
            "report": {
              "verdict": "malicious",
              "full_report": "8d18067e-b24d-4103-8469-0117cd25eea9",
              "pdf_report": "05848b2a-4cfd-494d-b949-6cfe15d0dc0b",
              "xml_report": "ecb17c9d-8607-4904-af49-0970722dd5c8"
            },
            "status": "found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          },
          {
            "report": {
              "verdict": "malicious",
              "full_report": "d7c27012-8e0c-4c7e-8472-46cc895d9185",
              "pdf_report": "488e850c-7c96-4da9-9bc9-7195506afe03",
              "xml_report": "e5a3a78d-c8f0-4044-84c2-39dc80ddaea2"
            },
            "status": "found",
            "id": "6c453c9b-20f7-471a-956c-3198a868dc92",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "combined_verdict": "malicious",
        "severity": 4,
        "confidence": 3,
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      }
    }
  ]
}

summary_report -

{
  "response": [
    {
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      },
      "sha256": "d57eadb7b2f91eea66ea77a9e098d049c4ecebd5a4c70fb984688df08d1fa833",
      "file_type": "exe",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 10,
        "images": [
          {
            "report": {
              "verdict": "malicious",
              "full_report": "c9a1767b-741e-49da-996f-7d632296cf9f",
              "xml_report": "cc4dbea9-518c-4e59-b6a3-4ea463ca384b"
            },
            "status": "found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          },
          {
            "report": {
              "verdict": "malicious",
              "full_report": "ba520713-8c0b-4672-a12f-0b4a1575b913",
              "xml_report": "87bdb8ca-dc44-449d-a9ab-2d95e7fe2503"
            },
            "status": "found",
            "id": "6c453c9b-20f7-471a-956c-3198a868dc92",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "combined_verdict": "malicious",
        "severity": 4,
        "confidence": 3,
        "summary_report": "7e7db12d-5df6-4e14-85f3-2c1e29cd3e34",
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      }
    }
  ]
}

tar xml pdf, summary tar xml. summary pdf .

extraction

threat extraction :

method - pdf( pdf, ) clean( ).

extracted_parts_codes - , clean

Code	Description
1025	Linked Objects
1026	Macros and Code
1034	Sensitive Hyperlinks
1137	PDF GoToR Actions
1139	PDF Launch Actions
1141	PDF URI Actions
1142	PDF Sound Actions
1143	PDF Movie Actions
1150	PDF JavaScript Actions
1151	PDF Submit Form Actions
1018	Database Queries
1019	Embedded Objects
1021	Fast Save Data
1017	Custom Properties
1036	Statistic Properties
1037	Summary Properties

query ( ) , hash extraction . id query - extracted_file_download_id. , , query id .

query extracted_file_download_id

{ "request":  [  

		{	
			"sha256": "9a346005ee8c9adb489072eb8b5b61699652962c17596de9c326ca68247a8876",
			"features": ["extraction"] , 
			"extraction": {
		        "method": "pdf"
            }
		}
	] 
}

query ( extracted_file_download_id)

{
    "response": [
        {
            "status": {
                "code": 1001,
                "label": "FOUND",
                "message": "The request has been fully answered."
            },
            "sha256": "9a346005ee8c9adb489072eb8b5b61699652962c17596de9c326ca68247a8876",
            "file_type": "",
            "file_name": "",
            "features": [
                "extraction"
            ],
            "extraction": {
                "method": "pdf",
                "extract_result": "CP_EXTRACT_RESULT_SUCCESS",
                "extracted_file_download_id": "b5f2b34e-3603-4627-9e0e-54665a531ab2",
                "output_file_name": "kp-20-xls.cleaned.xls.pdf",
                "time": "0.013",
                "extract_content": "Macros and Code",
                "extraction_data": {
                    "input_extension": "xls",
                    "input_real_extension": "xls",
                    "message": "OK",
                    "output_file_name": "kp-20-xls.cleaned.xls.pdf",
                    "protection_name": "Potential malicious content extracted",
                    "protection_type": "Conversion to PDF",
                    "protocol_version": "1.0",
                    "risk": 5.0,
                    "scrub_activity": "Active content was found - XLS file was converted to PDF",
                    "scrub_method": "Convert to PDF",
                    "scrub_result": 0.0,
                    "scrub_time": "0.013",
                    "scrubbed_content": "Macros and Code"
                },
                "tex_product": false,
                "status": {
                    "code": 1001,
                    "label": "FOUND",
                    "message": "The request has been fully answered."
                }
            }
        }
    ]
}

API .

av , features.

Query API

- POST

- https://<service_address>/tecloud/api/v1/file/query

( upload), ( query) API , API . . - sha1/sha256/md5 hash . upload.

query

HTTP POST

https://<service_address>/tecloud/api/v1/file/query

Headers:

Authorization: <api_key>

Body

{

"request": {

"sha256": <sha256 hash sum>

}

upload, sha1/md5/sha256 hash

{
  "response": {
    "status": {
      "code": 1002,
      "label": "UPLOAD_SUCCESS",
      "message": "The file was uploaded successfully."
    },
    "sha1": "954b5a851993d49ef8b2412b44f213153bfbdb32",
    "md5": "ac29b7c26e7dcf6c6fdb13ac0efe98ec",
    "sha256": "313c0feb009356495b7f4a60e96737120beb30e1912c6d866218cee830aebd90",
    "file_type": "",
    "file_name": "kp-20-doc.doc",
    "features": [
      "te"
    ],
    "te": {
      "trust": 0,
      "images": [
        {
          "report": {
            "verdict": "unknown"
          },
          "status": "not_found",
          "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
          "revision": 1
        }
      ],
      "score": -2147483648,
      "status": {
        "code": 1002,
        "label": "UPLOAD_SUCCESS",
        "message": "The file was uploaded successfully."
      }
    }
  }
}

query hash , ( ) upload, "" ( query upload). , query , upload, .

query,

{
  "response": [
    {
      "status": {
        "code": 1006,
        "label": "PARTIALLY_FOUND",
        "message": "The request cannot be fully answered at this time."
      },
      "sha256": "313c0feb009356495b7f4a60e96737120beb30e1912c6d866218cee830aebd90",
      "file_type": "doc",
      "file_name": "",
      "features": [
        "te",
        "extraction"
      ],
      "te": {
        "trust": 10,
        "images": [
          {
            "report": {
              "verdict": "malicious",
              "pdf_report": "4e9cddaf-03a4-489f-aa03-3c18f8d57a52",
              "xml_report": "9c18018f-c761-4dea-9372-6a12fcb15170"
            },
            "status": "found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "combined_verdict": "malicious",
        "severity": 4,
        "confidence": 1,
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      },
      "extraction": {
        "method": "pdf",
        "tex_product": false,
        "status": {
          "code": 1004,
          "label": "NOT_FOUND",
          "message": "Could not find the requested file. Please upload it."
        }
      }
    }
  ]
}

code label. status. "code": 1006 "label": "PARTIALLY_FOUND". , - te extraction. te , , extraction .

query

{ "request":  [  

		{	
			"sha256": {{sha256}},
			"features": ["te", "extraction"] , 
			"te": {
				"images": [
                    {
                        "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
                        "revision": 1
                    }
                ],
                "reports": [
                    "xml", "pdf"
                ]
            }
		}
	] 
}

query extraction

{ "request":  [  

		{	
			"sha256": {{sha256}},
			"features": ["te"] , 
			"te": {
				"images": [
                    {
                        "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
                        "revision": 1
                    }
                ],
                "reports": [
                    "xml", "pdf"
                ]
            }
		}
	] 
}

("code": 1001, "label": "FOUND")

{
  "response": [
    {
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      },
      "sha256": "313c0feb009356495b7f4a60e96737120beb30e1912c6d866218cee830aebd90",
      "file_type": "doc",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 10,
        "images": [
          {
            "report": {
              "verdict": "malicious",
              "pdf_report": "4e9cddaf-03a4-489f-aa03-3c18f8d57a52",
              "xml_report": "9c18018f-c761-4dea-9372-6a12fcb15170"
            },
            "status": "found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "combined_verdict": "malicious",
        "severity": 4,
        "confidence": 1,
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      }
    }
  ]
}

, "label": "NOT_FOUND"

{
  "response": [
    {
      "status": {
        "code": 1004,
        "label": "NOT_FOUND",
        "message": "Could not find the requested file. Please upload it."
      },
      "sha256": "313c0feb009356495b7f4a60e96737120beb30e1912c6d866218cee830aebd91",
      "file_type": "",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 0,
        "images": [
          {
            "report": {
              "verdict": "unknown"
            },
            "status": "not_found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "status": {
          "code": 1004,
          "label": "NOT_FOUND",
          "message": "Could not find the requested file. Please upload it."
        }
      }
    }
  ]
}

API . , .

query sha256

{ "request":  [  

		{	
			"sha256": "b84531d3829bf6131655773a3863d6b16f6389b7f4036aef9b81c0cb60e7fd81"
        },
        		{	
			"sha256": "b84531d3829bf6131655773a3863d6b16f6389b7f4036aef9b81c0cb60e7fd82"
        }
	] 
}

query sha256

{
  "response": [
    {
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      },
      "sha256": "b84531d3829bf6131655773a3863d6b16f6389b7f4036aef9b81c0cb60e7fd81",
      "file_type": "dll",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 10,
        "images": [
          {
            "report": {
              "verdict": "malicious"
            },
            "status": "found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "combined_verdict": "malicious",
        "severity": 4,
        "confidence": 3,
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      }
    },
    {
      "status": {
        "code": 1004,
        "label": "NOT_FOUND",
        "message": "Could not find the requested file. Please upload it."
      },
      "sha256": "b84531d3829bf6131655773a3863d6b16f6389b7f4036aef9b81c0cb60e7fd82",
      "file_type": "",
      "file_name": "",
      "features": [
        "te"
      ],
      "te": {
        "trust": 0,
        "images": [
          {
            "report": {
              "verdict": "unknown"
            },
            "status": "not_found",
            "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
            "revision": 1
          }
        ],
        "score": -2147483648,
        "status": {
          "code": 1004,
          "label": "NOT_FOUND",
          "message": "Could not find the requested file. Please upload it."
        }
      }
    }
  ]
}

hash query API .

Download API

- POST ( ), GET ( )

- https://<service_address>/tecloud/api/v1/file/download?id=<id>

API , - , id url .

query , , id . , , id .

, query, id :

summary_report
full_report
pdf_report
xml_report
extracted_file_download_id

, query , ( ) extraction ( )

Quota API

- POST

- https://<service_address>/tecloud/api/v1/file/quota

quota. .

quota

{
  "response": [
    {
      "remain_quota_hour": 1250,
      "remain_quota_month": 10000000,
      "assigned_quota_hour": 1250,
      "assigned_quota_month": 10000000,
      "hourly_quota_next_reset": "1599141600",
      "monthly_quota_next_reset": "1601510400",
      "quota_id": "TEST",
      "cloud_monthly_quota_period_start": "1421712300",
      "cloud_monthly_quota_usage_for_this_gw": 0,
      "cloud_hourly_quota_usage_for_this_gw": 0,
      "cloud_monthly_quota_usage_for_quota_id": 0,
      "cloud_hourly_quota_usage_for_quota_id": 0,
      "monthly_exceeded_quota": 0,
      "hourly_exceeded_quota": 0,
      "cloud_quota_max_allow_to_exceed_percentage": 1000,
      "pod_time_gmt": "1599138715",
      "quota_expiration": "0",
      "action": "ALLOW"
    }
  ]
}

Threat Prevention API for Security Gateway

API , Threat Prevention API . , Threat Extraction API. Threat Emulation Threat Prevention API. TP API for SG API sk113599. 6b https://<IPAddressofSecurityGateway>/UserCheck/TPAPI . url API . (upload/query) - request_name. - api_key ( ) protocol_version ( 1.1). API sk137032. , base64. / / base64 Postman , - https://base64.guru. encode decode.

te extraction API.

te te_options upload/query, te Threat Prevention API.

Win10

{
"request": [{
    "protocol_version": "1.1",
    "api_key": "<api_key>",
    "request_name": "UploadFile",
    "file_enc_data": "<base64_encoded_file>",
    "file_orig_name": "<filename>",
    "te_options": {
        "images": [
                {
                    "id": "10b4a9c6-e414-425c-ae8b-fe4dd7b25244",
                    "revision": 1
                }
            ],
        "reports": ["summary", "xml"]
    }
    }
    ]
}

extraction scrub_options. : PDF, Threat Prevention( ). API extraction , base64 ( query id )

    {
	"request": [{
		"protocol_version": "1.1",
		"api_key": "<API_KEY>",
		"request_name": "UploadFile",
		"file_enc_data": "<base64_encoded_file>",
		"file_orig_name": "hi.txt",
		"scrub_options": {
			"scrub_method": 2
		}
	}]
}

{
	"response": [{
		"protocol_version": "1.1",
		"src_ip": "<IP_ADDRESS>",
		"scrub": {
			"file_enc_data": "<base64_encoded_converted_to_PDF_file>",
			"input_real_extension": "js",
			"message": "OK",
			"orig_file_url": "",
			"output_file_name": "hi.cleaned.pdf",
			"protection_name": "Extract potentially malicious content",
			"protection_type": "Conversion to PDF",
			"real_extension": "txt",
			"risk": 0,
			"scrub_activity": "TXT file was converted to PDF",
			"scrub_method": "Convert to PDF",
			"scrub_result": 0,
			"scrub_time": "0.011",
			"scrubbed_content": ""
		}
	}]
}

, API , , form-data, Threat Prevention API.

Postman

Postman Threat Prevention API, Threat Prevention API for Security Gateway, API . , ip/url API , hash sha256 , ( Edit -> Variables): te_api( ), api_key( , TP API ), sha256 ( , TP API for SG ).

Postman Threat Prevention API

Postman Threat Prevention for Security Gateway API

Check Mates , Python, TP API, TP API for SG. Threat Prevention API , ( VirusTotal API, Check Point), , , , CRM .

通过API与Check Point SandBlast进行交互

基本缩写

API

SandBlast API:

Upload API

te

extraction

Query API

Download API

Quota API

Threat Prevention API for Security Gateway

Postman

More articles: