Hello,

When I try to open a live response session using the job-based api for a machine offline, even when the machine comes back online, it doesn't execute the job, nor the job timeouts.

Steps to reproduce:
1 - Configure the credentials.reponse as per instruction
2 - Find a machine that is offline on the console, in my case, offline for half an hour, more or less
3 - Run the sample code below
4 - Wait a the timeout period (I've waited for 10 minutes), no timeout error), no exception is raised
5 - Start the machine
6 - The code will show that the machine is offline, but the job still won't start.

Let me know if I can provide more information.

======= Related code =======
import time
from cbapi.response import Process, CbResponseAPI, Sensor
from cbapi.response.models import Sensor as CB_Sensor

class Test():
def run(self, session):
return session.list_directory("c:\")

def main():
hostnames = ["DESKTOP-90N8EBG"]
cb = CbResponseAPI()

sensor = cb.select(Sensor).where("hostname:"+hostnames[0]).first()

a = Test()
job = cb.live_response.submit_job(a.run, sensor.id)

try:
    while True:
        time.sleep(20)
        sensor.refresh()
        print(job, sensor.status)
except KeyboardInterrupt:
    print("Exiting event loop")

if name == 'main':
main()

In cbapi - add_feed_from_url does not support all the options via UI yet, ie U/P, ssl cert, ssl key
once those are added, modify feed_add.py to support the extra functionality

this command:

python feed_action_add.py -c https://cbserver -a "API" -n -i 15 -t 3 -e "[email protected] <[email protected]>"

results int he following in watchlist_action_settings:

cb=# select * from watchlist_action_settings where id=15;
 id | group_id | watchlist_id | action_type |                            action_data
----+----------+--------------+-------------+--------------------------------------------------------------------
 15 |       15 |              |           3 | {"email_recipients":[m,e@,e,x,a,m,p,l,e,.,c,o,m]}

trying to delete the feed via api fails and rendering of the feeds page in the UI also fails. CB Server API should not allow that to occur, but the example script should/could be more defensive as well.

Calls to processes() and events() share the blame.

It looks like not all raw messages have all the header messages like process_path and process_md5.

Here's an example https://github.com/carbonblack/cbapi/blob/master/server_apis/proto/README.md the childproc os x messages do not have those values.

There is a typo in the python cb client api setup.py file the version line is missing a closing ' and a , so the install fails.

Not sure if this is a feature or flaw.

(submitted via email)

I'm using the event bulk collection, and running into a problem. On procend events for the Mac client, I'm getting a weird value for the path variable -- they're all numbers (they look like process ids).

Here's a sample:

[root@carbonblack w]# grep procend event.json | grep OSX | ./pp.py | grep path
    "path": "-7660539029780326271", 
    "path": "-7660539029780326271", 
    "path": "-7212331537172153238", 
    "path": "-3294827462833805279", 
    "path": "199146793856254102", 
    "path": "-7212331537172153238", 
    "path": "-7212331537172153238", 
    "path": "-1347130033407843210", 
    "path": "-7212331537172153238", 

It appears that this script is trying to call get_login_caps() from cbapi but I cannot find that function in cbapi.py

I noticed a typo in this enum: https://github.com/carbonblack/cbapi/blob/6ee0f634609f57bed436cdcd25760b05ee243492/server_apis/proto/sensor_events.proto#L102

I believe it should be filetypeUniversalBin, not filetypeUniverasalBin.

Is this typo propagated elsewhere at the moment, or is it merely a mistake here? Just want to know if this can/should be fixed or is "a feature" set in stone at this point.

Line 441 have following code

    if (opts.quit is not None):
        sessid = int(opts.quit)
        postdata = {"id": sessid, "status" : "close"}
        url = "%s/api/v1/cblr/session/%d" % (self.url, sessid)

        self._doPut(url, postdata)

        ret = self._session_list()
        for s in ret:
            if (s['id'] == sessid):
                print "Session: %d\n  status: %s\n" % (s['id'], s['status'])

Which probably is wishful thinking since this url doesn't support PUT method. Which is what error say and so is your documentation.

It looks like comms_ip and interface_ip are actually both reported in the docs objects for watchlist.hit.process which is not reflected in the table.

These values appear to be signed longs in NETWORK byte order (which is a little strange since the number values for the IPs in netconn data structures are actually reported in documentation as being in network byte order).

You have this in your documentation, and we've verified this.

Sensor query strings are case-sensitive substring searches, for both hostname and ip fields. If both hostname and ip fields are specified, only ip is used.

I see no reason for this to be case-sensitive. Neither DNS nor NetBIOS are case-sensitive, so this just forces us to know what the case sensitivity was when the sensor was added. Can you change that to be case-insensitive?

for session in self.live_response_session_list():
            if session.get('sensor_id') == sensor_id and session.get('status') == "active":
                target_session = session
                break

In this code block on 5.1.0 I saw 'sensor_id' == u'9'. If the sensor_id passed in by the user is an integer the conditional fails. Continuing on we try to create a new session, but there is already an active one available, so CBER returns a 404.

Proposed fix:

for session in self.live_response_session_list():
            if int(session.get('sensor_id')) == sensor_id and session.get('status') == "active":
                target_session = session
                break

Right now the script will block for every regmod modify that matches the regexes. Need to thread it so that the processing happens in the background - and this should apply more generally to anyone who uses the live response bindings.

This example script calls cbapi functions that don't appear to exist.

Would it be possible to publish a Swagger specification for Carbon Black's JSON API? The reason we ask is that this would allow multiple languages to code-generate API bindings using swagger-codegen or something similar

This would be handy, as cbinit provides a self-signed cert by default.