How to get WF verdicts for URLs

Ian.Baxter — Wed, 21 Mar 2018 20:16:03 GMT

I’ve been able to successfully submit files for analysis and file hashes for verdicts, that works fine, but I am now trying to submit a URL for a verdict, instead of a file. So I send this:

Submit Google Link to WF using API

curl -F 'apikey=<apikey>' -F 'link=https://www.google.com' 'https://wildfire.paloaltonetworks.com/publicapi/submit/link'

Response from WF:

<?xml version="1.0" encoding="UTF-8"?>

<submit-link-info>

<url>https://www.google.com</url>

<md5>8ffdefbdec956b595d257f0aaeefd623</md5>

</submit-link-info>

</wildfire>

I then try to get a verdict from WF

curl -F 'apikey=<apikey>' -F 'hash=8ffdefbdec956b595d257f0aaeefd623' 'https://wildfire.paloaltonetworks.com/publicapi/get/verdict'

Response from WF:

<?xml version="1.0" encoding="UTF-8"?>

<get-verdict-info>

<md5>8ffdefbdec956b595d257f0aaeefd623</md5>

</get-verdict-info>

</wildfire>

As you can see I get a “-102” response which means "unknown, cannot find sample record in the database". I've done this for multiple links, both HTTP and HTTPS over a number of days but always get the -102 verdict. Am I doing this correctly to get a verdict for a URL? I have opened a TAC case but they don't have any answers for me other than they'll get back to me and that it may take some time...

Re: How to get WF verdicts for URLs

OtakarKlier — Wed, 21 Mar 2018 21:41:30 GMT

Hello,

I have also received a similar response from TAC regarding URL's or files submitted via a URL. What I do is double check with 3rd party sites such as virustotal or hybrid-analysis to see what they have to say about it as well. It's good to get second or thrid opinions.

Regards,

topic How to get WF verdicts for URLs in Automation/API Discussions

How to get WF verdicts for URLs

Re: How to get WF verdicts for URLs