I whipped together a cli and simplified wrapper library for accessing some of the REST SDK endpoints (query, values, packets, content, timeline). It has turned out to be pretty useful so far. It can dump query results via json, export pcaps and extract session files from the command line. I also added a simplified CEF interface so that you can run queries and export the results directly as CEF syslog messages.
If you've got a ruby runtime installed, just type gem install nwsdk
once you've got the gem installed, you can use the cli driver like so:
Commands:
nw cef CONDITIONS --loghost=LOGHOST # send cef alerts for query conditions
nw configure /path/to/config.json # write out a template configuration file
nw content CONDITIONS # extract files for given query conditions
nw help [COMMAND] # Describe available commands or one specific command
nw pcap CONDITIONS # extract PCAP for given query conditions
nw query CONDITIONS # execute SDK query
nw timeline # get a time-indexed histogram of sessions/packets/...
nw values CONDITIONS # get value report for specific meta key
Options:
[--config=CONFIG] # JSON file with endpoint info & credentials
# Default: $HOME/.nwsdk.json
[--host=HOST] # hostname for broker or concentrator
[--port=N] # REST port for broker/concentrator
# Default: 50103
[--span=N] # max timespan in seconds
# Default: 3600
[--limit=N] # max number of sessions
# Default: 10000
[--start=START] # start time for query
# Default: '1 hour ago'
[--end=END] # end time for query
[--debug], [--no-debug] # extra info
Source is at https://github.com/ryanbreed/nwsdk. Open an issue or send a pull request if you run into any trouble.
