Found the example in the Developer’s Guide useful and easy to understand
https://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Developers_Guide.pdf
As per 8.1.2:
curl -X POST https://PF_MANAGEMENT_IP:9999/api/v1/login \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "{\"username\":\"admin\",\"password\":\"admin\"}" \
--insecure |
python -m json.tool
I’m really no developer, have this so far created a new user with node manager
access rights and would like to now place :
[Expert@checkpoint-management:0]# cat $RTDIR/bin/ext_commands/block_on_pf
#!/bin/bash
INPUT=$(cat);
CURL_OUTPUT='';
EVENT="${INPUT//[^a-zA-Z0-9 ().,:;+_-]}";
USERID=`echo "$EVENT" | sed -r "/user_name/ s/.*user_name:
([[:alnum:]_-]+).*/\1/"`;
USERIP=`echo "$EVENT" | sed -r "/; IP:/ s/.*; IP: ([0-9.]+).*/\1/"`;
if [ ${#USERID} -ge 4 ] && [ ${#USERID} -le 40 ]; then
TOKEN=`curl_cli -X POST https://packetfence.redacted.com:1443/api/v1/login \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d
"{\"username\":\"checkpoint_smartevents\",\"password\":\"***************\"}" \
| jq -r .token`;
[ $? -ne 0 ] && exit 1;
curl_cli -X GET https://packetfence.redacted.com:1443/api/v1/login \
-H "accept: application/json" \
-H "Authorization: $TOKEN" \
-d '{\n "query": {\n "op": "and",\n "values": [\n {\n
"field": "ipv4",\n "value": "'$USERIP'"\n }\n ]\n }\n}'
#CURL_OUTPUT=`curl_cli -X POST -H 'Content-type: application/json' --data
'{"text":"Hello, World!"}'
https://hooks.slack.com/services/RANDOMSTRINGPROVIDEDBYSLACK --fail --silent
--show-error 2>&1`;
fi
#if [ ${#CURL_OUTPUT} -gt 0 ]; then
# echo -e "User: $USERID - Curl debug data:\n$CURL_OUTPUT" >> /tmp/block_on_pf
#else
# echo -e "Curl return code: $? - Sanitised event data:\n$EVENT" >>
/tmp/block_on_pf;
#fi
I’m having a problem searching though, has someone perhaps already done this,
to essentially put the last active node to match the provided IPv4 address and
then place it in the isolation network?
I’ll soldier on in the meantime… 😉 Just having some hickups:
[davidh@linux-test ~]$ USERIP=192.168.5.17;
[davidh@linux-test ~]$ DATA='{\n "query": {\n "values": [\n {\n
"field": "ipv4",\n "op": "equals",\n "value": "'$USERIP'"\n
}\n ]\n }\n}';
[davidh@linux-test ~]$ curl -X POST
https://packetfence.redacted.com:1443/api/v1/ip4logs/search -H "accept:
application/json" -H "Authorization: $TOKEN" -d "$DATA";
{"message":"Bad Request. One of the submitted parameters has an invalid
format","status":400}
[davidh@linux-test ~]$ echo -e "$DATA";
{
"query": {
"values": [
{
"field": "ipv4",
"op": "equals",
"value": "192.168.5.17"
}
]
}
}
I’m guessing on the ‘ipv4’ field, is there an index somewhere or could I
inspect the web UI to get hints somehow?
Regards
David Herselman
From: David Herselman via PacketFence-users
<[email protected]>
Sent: Thursday, 22 December 2022 11:09
To: [email protected]
Cc: David Herselman <[email protected]>
Subject: [PacketFence-users] Unregistering user's devices via API call?
Hi,
We have a CheckPoint firewall which has been configured to replace DNS queries
to known malicious destinations with a bogus DNS trap IP, when devices then
subsequently attempt to connect to that DNS trap IP a reaction script can be
triggered. We are essentially looking for guidance on a web GET/POST/whatever
that we could then initiate to unregister all devices associated with a given
username.
NB: The CheckPoint wouldn’t know the MAC address of the node involved in the
abuse.
To debug the event information from CheckPoint I temporarily simply made the
script log all data it receives:
[Expert@checkpoint-management:0]# cat $RTDIR/bin/ext_commands/block_on_clearpass
#!/bin/bash
EVENT=$(cat)
echo $EVENT >> /tmp/block_on_clearpass
Herewith a sanitised sample:
[Expert@checkpoint-management:0]# tail -n 1 /tmp/block_on_clearpass
(StartTime: 20Dec2022 11:10:26; Uuid: deadbeef-dead-beef-dead-beef00000000;
rowid: ENdeadbeef-dead-beef-dead-beef00000000; id_generated_by_indexer: false;
first: true; sequencenum: 1; log_id: 2000; DisplayName: IP_Block_from_DNS_Trap;
Category: User Defined Events; cu_rule_id:
DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF; is_correlated: 1; num_of_updates: 0;
is_last: 0; event_start_time: 1671534625; detection_time: 2022-12-20T09:10:26Z;
time_interval: 60; max_num_count_detected: 2; cu_log_count: 2;
cu_detected_by_hostname: checkpoint-management; cu_detected_by: 172.254.254.23;
users_repetitions: 2; aba_customer: SMC User; source_repetitions: 2;
origin_repetitions: 2; destination_repetitions: 2; service_repetitions: 2;
Severity: High; type: Correlated; ProductName: VPN-1 & FireWall-1;
product_family: Access; Destination: (hostname: laptop-joed; countryname:
Israel; IP: 62.0.58.94; repetitions: 1) ; Origin: (IP: 0; hostname:
redacted-fw01; repetitions: 1) ; Service: (port: 443; protocol: 6; servicename:
https; repetitions: 1) ; Source: (user_name: joed; IP: 172.254.254.23;
machine_name: laptop-joed; repetitions: 1) ; logid: 392281947) ;
I’m essentially hoping for a way that I can unregister all nodes belonging to
‘joed’ in the above example…
[cid:[email protected]]<https://www.syrex.com/>
David Herselman | Managing Director
e:
[email protected]<mailto:[email protected]> | o: 086 11 79739<tel:+27117211900> | c:
082 784 7222<tel:082%20784%207222>
a:
turnberry office park, 48 grosvenor road, bryanston,
2021<https://maps.google.com/?q=Syrex>
www.syrex.com<https://www.syrex.com/> /
accreditations<https://www.syrex.com/accreditations>
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this email. Please notify the sender
immediately by email if you have received this email by mistake and delete it
from your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited. Think before you print.
[cid:[email protected]]<https://www.facebook.com/syrexsa>
[cid:[email protected]]<https://twitter.com/syrexsa>
[cid:[email protected]]<https://www.linkedin.com/company/1723334>
CHANGE OF BANKING DETAILS
We have not changed our banking details recently. We will not just send an
email to inform you of a change, should we ever do so.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
