private FidoReturnValues SetIFidoReturnValues(FidoReturnValues lFidoReturnValues, string[][] array, string message)
{
if (array[i][4].Contains(":"))
{
continue;
}
lFidoReturnValues.SrcIP = array[i][4];
lFidoReturnValues.MalwareType = array[i][19] + message;
lFidoReturnValues.DstIP = array[i][16];
lFidoReturnValues.Cyphort.DstIP = array[i][16];
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventID = array[i][1];
lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID;
lFidoReturnValues.Cyphort.URL = new List <string> {
array[i][12]
};
lFidoReturnValues.Url = new List <string> {
array[i][12]
};
lFidoReturnValues.Cyphort.Domain = new List <string> {
array[i][11]
};
lFidoReturnValues.Cyphort.MD5Hash = new List <string> {
array[i][7]
};
lFidoReturnValues.Hash = new List <string> {
array[i][7]
};
lFidoReturnValues.CurrentDetector = "cyphortv2";
return(lFidoReturnValues);
}
private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
{
//if ProtectWise has hashes send to threat feeds
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
if ((lFidoReturnValues.ProtectWise != null) && (lFidoReturnValues.ProtectWise.MD5 != null) && (lFidoReturnValues.ProtectWise.MD5.Any()))
{
if (lFidoReturnValues.ProtectWise.VirusTotal == null)
{
lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
var MD5Hash = new List <string> {
lFidoReturnValues.ProtectWise.MD5
};
lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(MD5Hash);
}
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
}
return(lFidoReturnValues);
}
private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row)
{
var db = new SqLiteDB();
var data = new Dictionary <String, String>
{
{ "username", lFidoReturnValues.Username.ToLower() },
{ "fullname", lFidoReturnValues.UserInfo.Username.ToLower() },
{ "email", lFidoReturnValues.UserInfo.UserEmail.ToLower() },
{ "title", lFidoReturnValues.UserInfo.Title.ToLower() },
{ "dept", lFidoReturnValues.UserInfo.Department.ToLower() },
{ "emp_type", lFidoReturnValues.UserInfo.EmployeeType.ToLower() },
{ "emp_phone", lFidoReturnValues.UserInfo.MobileNumber },
{ "cube", lFidoReturnValues.UserInfo.CubeLocation.ToLower() },
{ "city_state", lFidoReturnValues.UserInfo.City.ToLower() + "\\" + lFidoReturnValues.UserInfo.State.ToLower() },
{ "manager", lFidoReturnValues.UserInfo.ManagerName.ToLower() },
{ "manager_title", lFidoReturnValues.UserInfo.ManagerTitle.ToLower() },
{ "manager_email", lFidoReturnValues.UserInfo.ManagerMail.ToLower() },
{ "manager_phone", lFidoReturnValues.UserInfo.MobileNumber },
{ "user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) }
};
try
{
db.Update("event_user", data, "primkey = " + row);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e);
}
}
private static Dictionary <string, string> MPSBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
//todo: need to filter this section based on detector (ie., not just lfidoreturnvalues.cyphort.virustotal, ldfidoreturnvalues.fireeye.virustotal, etc)
if (lFidoReturnValues.CurrentDetector == "mps")
{
if (lFidoReturnValues.BadDetectedComms > 0)
{
replacements.Add("%cncip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>" + lFidoReturnValues.BadDetectedComms + " Detected!</a>");
}
else
{
replacements.Add("%cncip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>None Detected</a>");
}
if (lFidoReturnValues.BadDetectedDownloads > 0)
{
replacements.Add("%totaldetectedip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>" + lFidoReturnValues.BadDetectedDownloads + " Detected!</a>");
}
else
{
replacements.Add("%totaldetectedip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>None Detected</a>");
}
if (lFidoReturnValues.BadDetectedUrls > 0)
{
replacements.Add("%totaldetectedurl%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>" + lFidoReturnValues.BadDetectedUrls + " Detected!</a>");
}
else
{
replacements.Add("%totaldetectedurl%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>None Detected</a>");
}
}
return(replacements);
}
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
{
Console.WriteLine(@"Pulling Cyphort incident details.");
//currently needed to bypass site without a valid cert.
//todo: make ssl bypass configurable
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };
var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;
request = request.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID);
var alertRequest = (HttpWebRequest)WebRequest.Create(request);
alertRequest.Method = "GET";
try
{
using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
{
if (cyphortResponse != null && cyphortResponse.StatusCode == HttpStatusCode.OK)
{
lFidoReturnValues = getResponseStream(cyphortResponse.GetResponseStream(), lFidoReturnValues);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
}
}
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
{
Console.WriteLine(@"Pulling Cyphort incident details.");
//currently needed to bypass site without a valid cert.
//todo: make ssl bypass configurable
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };
var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;
request = request.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID);
var alertRequest = (HttpWebRequest)WebRequest.Create(request);
alertRequest.Method = "GET";
try
{
using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
{
if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
{
return;
}
using (var respStream = cyphortResponse.GetResponseStream())
{
if (respStream == null)
{
return;
}
var cyphortReader = new StreamReader(respStream, Encoding.UTF8);
var stringreturn = cyphortReader.ReadToEnd();
var cyphortReturn = JsonConvert.DeserializeObject <Object_Cyphort_Class.CyphortIncident>(stringreturn);
if (cyphortReturn.Incident == null)
{
return;
}
lFidoReturnValues.Cyphort.IncidentDetails = new Object_Cyphort_Class.CyphortIncident();
lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn;
ChangeDNSName(lFidoReturnValues);
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1")
{
lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues);
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1")
{
lFidoReturnValues = FormatInfectionReturnValues(lFidoReturnValues);
}
DoesNotChangeAnyThing(lFidoReturnValues);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
}
}
private static void ChangeDNSName(FidoReturnValues lFidoReturnValues)
{
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name != null)
{
lFidoReturnValues.DNSName = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name.Replace(".", "(.)");
}
}
private static void HandleCyphortIncident(FidoReturnValues lFidoReturnValues, Stream respStream)
{
var cyphortReader = new StreamReader(respStream, Encoding.UTF8);
var stringreturn = cyphortReader.ReadToEnd();
var cyphortReturn = JsonConvert.DeserializeObject <Object_Cyphort_Class.CyphortIncident>(stringreturn);
if (cyphortReturn.Incident == null)
{
return;
}
lFidoReturnValues.Cyphort.IncidentDetails = new Object_Cyphort_Class.CyphortIncident();
lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn;
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name != null)
{
lFidoReturnValues.DNSName = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name.Replace(".", "(.)");
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1" ||
lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1")
{
lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues);
}
}
private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
{
//if FireEye has hashes send to threat feeds
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any()))
{
if (lFidoReturnValues.FireEye.VirusTotal == null)
{
lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
lFidoReturnValues.FireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.FireEye.MD5Hash);
}
}
//todo: decide if FireEye should go to ThreatGRID
//if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
//{
// Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
// lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
//}
return(lFidoReturnValues);
}
private static Dictionary <string, string> CyphortGEOReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
if (lFidoReturnValues.Cyphort.ThreatGRID.IPInfo != null)
{
if (lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN == null)
{
replacements.Add("%asninfo%", string.Empty);
replacements.Add("%city%", string.Empty);
replacements.Add("%region%", string.Empty);
replacements.Add("%country%", string.Empty);
}
else
{
replacements.Add("%asninfo%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN + ":" + lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.ASN_Array.Org);
replacements.Add("%city%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.Location_Array.City);
replacements.Add("%region%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.Location_Array.Region);
replacements.Add("%country%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.Location_Array.Country);
}
}
else if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_code != null)
{
replacements.Add("%city%", string.Empty);
replacements.Add("%region%", lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_code);
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_name != null)
{
replacements.Add("%country%", lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_name);
}
}
return(replacements);
}
private static void AntiVirusToBit9(FidoReturnValues lFidoReturnValues)
{
var lBit9ReturnValues = new Bit9ReturnValues();
var sFileInfo = lFidoReturnValues.Antivirus.FilePath.Split('\\');
if ((sFileInfo != null) && (sFileInfo.Length != 0))
{
Console.WriteLine(@"Antivirus detector found! Cross-referencing with Bit9.");
lBit9ReturnValues.FileName = sFileInfo[sFileInfo.Length - 1];
lFidoReturnValues.Antivirus.FileName = lBit9ReturnValues.FileName;
for (var i = 0; i < sFileInfo.Length - 1; i++)
{
if (i == sFileInfo.Length - 2)
{
lBit9ReturnValues.FilePath += sFileInfo[i];
}
else
{
if (!sFileInfo[i].Contains("'"))
{
lBit9ReturnValues.FilePath += sFileInfo[i] + "\\";
}
else
{
break;
}
}
}
lBit9ReturnValues.HostName = lFidoReturnValues.Hostname;
var lBit9Info = Detect_Bit9.GetFileInfo(null, lBit9ReturnValues);
}
}
private static void AddRecommentdation(FidoReturnValues lFidoReturnValues, List <string> recommendation)
{
switch (lFidoReturnValues.Antivirus.Status.ToLower())
{
case "cleanable":
recommendation.Add("Action required");
recommendation.Add("Antivirus was unable to remove the threat, but this malware is cleanable.");
break;
case "cleanup failed":
recommendation.Add("Action required");
recommendation.Add(
"Antivirus attempted to cleanup malware, but failed. Make sure system is offline and attempt cleanup again.");
break;
case "restart required":
recommendation.Add("Action required");
recommendation.Add(
"Antivirus attempted to cleanup malware, but requires a reboot to complete remediation.");
break;
case "not cleanable":
recommendation.Add("Re-image");
recommendation.Add(
"Antivirus is not capable of removing this malware and the system will need to be rebuilt.");
break;
}
}
public static FidoReturnValues HostDetection(FidoReturnValues lFidoReturnValues, string sHostname, string sSrcIP)
{
Console.WriteLine(@"Attempting host detection for " + sSrcIP + @".");
//attempt to directly communicate with the device
//assume Windows first, then Mac second
lFidoReturnValues.RemoteRegHostname = RemoteRegHost(sSrcIP);
if (lFidoReturnValues.RemoteRegHostname == null || lFidoReturnValues.RemoteRegHostname == "Not able to connect")
{
lFidoReturnValues.SSHHostname = SshHost(sSrcIP);
if (!String.IsNullOrEmpty(lFidoReturnValues.SSHHostname))
{
sHostname = lFidoReturnValues.SSHHostname;
}
}
else
{
if (!String.IsNullOrEmpty(lFidoReturnValues.RemoteRegHostname))
{
sHostname = lFidoReturnValues.RemoteRegHostname;
lFidoReturnValues.Hostname = sHostname;
}
}
//if remote registry and ssh fail then NMAP the host
if ((sHostname == null) && (sHostname == String.Empty))
{
Console.WriteLine(@"Cannot detect hostname, attempting to NMAP " + sSrcIP + @".");
//todo: not currently doing anything wint nmap other
//assigning it to a variable.
lFidoReturnValues.NmapHostname = NmapHost(sSrcIP);
}
return(lFidoReturnValues);
}
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
{
Console.WriteLine(@"Pulling Cyphort incident details.");
var alertRequest = CreateHttpWebRequest(lFidoReturnValues);
try
{
using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
{
if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
{
return;
}
using (var respStream = cyphortResponse.GetResponseStream())
{
if (respStream == null)
{
return;
}
HandleCyphortIncident(lFidoReturnValues, respStream);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
}
}
private static Dictionary <string, string> PaloAltoGeoReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo != null)
{
if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN == null)
{
replacements.Add("%asninfo%", "No ASN Found");
}
else
{
replacements.Add("%asninfo%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN + ":" + lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.ASN_Array.Org);
}
if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array != null)
{
if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.City != null)
{
replacements.Add("%city%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.City);
}
if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Country != null)
{
replacements.Add("%country%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Country);
}
if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Region != null)
{
replacements.Add("%region%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Region);
}
}
}
return(replacements);
}
private static Dictionary <string, string> CarbonBlackBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
try
{
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
replacements = CarbonBlackVTReplacements(lFidoReturnValues, replacements);
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
replacements = CarbonBlackGeoReplacements(lFidoReturnValues, replacements);
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
replacements = CarbonBlackThreatGRIDReplacements(lFidoReturnValues, replacements);
}
return(replacements);
}
catch (Exception e)
{
throw e;
}
}
public static FidoReturnValues SQLFidoReturnValues(FidoReturnValues lFidoReturnValues, string sSrcIP, string sHostname)
{
//go to our sysmgmt data sources in the XML to get SQL queries and strings
var sSQLSource = SQL_Queries.GetSqlSources();
var sLandeskSrcIP = String.Empty;
foreach (var source in sSQLSource)
{
// ReSharper disable once RedundantAssignment
var lQuery = new List <string>();
var lHostInfo = new List <string>();
string sNewSource = null;
var sSplitSource = source.Split('-');
sNewSource = sSplitSource.Length > 1 ? sSplitSource[0] : source;
switch (sNewSource)
{
case "landesk":
sLandeskSrcIP = SourceLandesk(ref lFidoReturnValues, sSrcIP, sHostname, sNewSource, sLandeskSrcIP, source, lHostInfo);
continue;
case "jamf":
//if nmap or ssh is null use IP
SetHostInfo(sHostname, sSrcIP, source, lHostInfo);
//if return has values assign to lFidoReturnValues
if (lHostInfo[0] != "unknown")
{
if ((lFidoReturnValues.Landesk != null) && !String.IsNullOrEmpty(lFidoReturnValues.Landesk.Hostname))
{
var LandeskDateTime = Convert.ToDateTime(lFidoReturnValues.Landesk.LastUpdate);
var JamfDateTime = FromEpochTime(lHostInfo[3]);
if (LandeskDateTime.ToUniversalTime() > JamfDateTime)
{
continue;
}
}
lFidoReturnValues.Hostname = lHostInfo[1];
lFidoReturnValues.Username = lHostInfo[11];
if (lFidoReturnValues.Jamf == null)
{
lFidoReturnValues.Jamf = new JamfReturnValues();
}
lFidoReturnValues.Jamf = Jamf2FidoValues.Convert(lFidoReturnValues, lHostInfo);
}
continue;
default:
continue;
}
}
return(lFidoReturnValues);
}
//This function is designed get the incidents from an event, then determine if the
//incidents have already been processed. If they have not, they will be handed off
//to the GetCyphortIncident function to gather necessary information before being
//sent to TheDirector.
private static void ParseCyphort(Object_Cyphort_Class.CyphortEvent cyphortReturn)
{
try
{
if (cyphortReturn.Event_Array.Any())
{
cyphortReturn.Event_Array = cyphortReturn.Event_Array.Reverse().ToArray();
for (var i = 0; i < cyphortReturn.Event_Array.Count(); i++)
{
Console.WriteLine(@"Processing Cyphort event " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.Event_Array.Count().ToString(CultureInfo.InvariantCulture) + @".");
//We don't currently process IPv6, so if detected exit and process next alert
if ((cyphortReturn.Event_Array[i].Endpoint_ip != null) && (cyphortReturn.Event_Array[i].Endpoint_ip.Contains(":")))
{
continue;
}
//initialize generic variables for Cyphort values
var lFidoReturnValues = new FidoReturnValues();
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.Cyphort == null)
{
lFidoReturnValues.Cyphort = new CyphortReturnValues();
}
//Convert Cyphort classifications to more readable values
if (cyphortReturn.Event_Array[i].Event_type == "http")
{
lFidoReturnValues.MalwareType = "Malware downloaded: " + cyphortReturn.Event_Array[i].Event_name + " Type: " + cyphortReturn.Event_Array[i].Event_category;
}
else if (cyphortReturn.Event_Array[i].Event_type == "cnc")
{
lFidoReturnValues.MalwareType = "CNC Detected: " + cyphortReturn.Event_Array[i].Event_name;
}
//Assign generic event deatils for use in TheDirector
lFidoReturnValues.CurrentDetector = "cyphortv3";
lFidoReturnValues.Cyphort.IncidentID = cyphortReturn.Event_Array[i].Incident_id;
lFidoReturnValues.SrcIP = cyphortReturn.Event_Array[i].Endpoint_ip;
lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.DstIP = cyphortReturn.Event_Array[i].Source_ip;
lFidoReturnValues.Cyphort.DstIP = cyphortReturn.Event_Array[i].Source_ip;
//Send information gathered thus far to function to gather incident details
//and further parsing to determine if sending to TheDirector is needed.
GetCyphortIncident(lFidoReturnValues);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector parse:" + e);
}
}
//This function will attempt to assign alerts to the AntivirusReturnValues object
//before returning it to the FidoReturnValues object.
public static FidoReturnValues SophoslFidoValues(List <string> lHostInfo)
{
var lFidoReturnValues = new FidoReturnValues();
var lSophosReturnValues = new AntivirusReturnValues();
for (var x = 0; x < lHostInfo.Count; x++)
{
switch (x)
{
case 0:
lSophosReturnValues.ReceivedTime = lHostInfo[0];
break;
case 1:
lSophosReturnValues.EventTime = lHostInfo[1];
lFidoReturnValues.TimeOccurred = lHostInfo[1];
break;
case 2:
lSophosReturnValues.ActionTaken = lHostInfo[2];
break;
case 3:
lSophosReturnValues.Username = lHostInfo[3];
lFidoReturnValues.Username = getUsername(lHostInfo[3].Split('\\'));
break;
case 4:
lSophosReturnValues.Status = lHostInfo[4];
break;
case 5:
lSophosReturnValues.ThreatType = lHostInfo[5];
break;
case 6:
lSophosReturnValues.ThreatName = lHostInfo[6];
lFidoReturnValues.MalwareType = lHostInfo[6];
break;
case 7:
lSophosReturnValues.FilePath = lHostInfo[7];
break;
case 8:
lSophosReturnValues.HostName = lHostInfo[8];
lFidoReturnValues.Hostname = lHostInfo[8];
break;
case 9:
lFidoReturnValues.SrcIP = lHostInfo[9];
break;
}
}
lFidoReturnValues.Antivirus = lSophosReturnValues;
return(lFidoReturnValues);
}
private void PrepareFidoReturnValues(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues = SummaryEmail(lFidoReturnValues);
lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues);
lFidoReturnValues.SummaryEmail = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
lFidoReturnValues.SummaryEmail = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
lFidoReturnValues.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
}
private static Dictionary <string, string> PaloAltoThreatGRIDReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore > 0)
{
replacements.Add("%threatgridscore%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore.ToString(CultureInfo.InvariantCulture));
}
else
{
replacements.Add("%threatgridscore%", "0");
}
if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity > 0)
{
if ((lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any()))
{
replacements.Add("%threatgridseverity%", "<a href='%url_location%'>" + lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity.ToString(CultureInfo.InvariantCulture) + "</a>");
}
else
{
replacements.Add("%threatgridseverity%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity.ToString(CultureInfo.InvariantCulture));
}
}
else
{
replacements.Add("%threatgridseverity%", "0");
}
if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence > 0)
{
if ((lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any()))
{
replacements.Add("%threatgridconfidence%", "<a href='%url_location%'>" + lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence.ToString(CultureInfo.InvariantCulture) + "</a>");
}
else
{
replacements.Add("%threatgridconfidence%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence.ToString(CultureInfo.InvariantCulture));
}
}
else
{
replacements.Add("%threatgridconfidence%", "0");
}
if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators > 0)
{
if ((lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any()))
{
replacements.Add("%threatgridindicators%", "<a href='%url_location%'>" + lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators.ToString(CultureInfo.InvariantCulture) + "</a>");
}
else
{
replacements.Add("%threatgridindicators%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators.ToString(CultureInfo.InvariantCulture));
}
}
else
{
replacements.Add("%threatgridindicators%", "0");
}
return(replacements);
}
private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
return(lFidoReturnValues);
}
var sIPToCheck = new List <string>();
if (lFidoReturnValues.ProtectWise.VirusTotal == null)
{
lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
}
//send ProtectWise return to VT URL API
if (lFidoReturnValues.ProtectWise.IncidentDetails.Data != null)
{
if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
{
Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
var URL = new List <string> {
lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation.Url
};
var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
if (vtURLReturn != null)
{
lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
}
}
else if (lFidoReturnValues.ProtectWise.URL != null)
{
Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
var URL = new List <string> {
lFidoReturnValues.ProtectWise.URL
};
var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
if (vtURLReturn != null)
{
lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
}
}
}
if (lFidoReturnValues.ProtectWise.DstIP != null)
{
sIPToCheck.Add(lFidoReturnValues.ProtectWise.DstIP);
}
sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();
//send ProtectWise return to VT IP API
if (sIPToCheck.Any())
{
Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
lFidoReturnValues.ProtectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
//todo: move the url to the database
lFidoReturnValues.ProtectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.ProtectWise.DstIP + "/information/";
}
return(lFidoReturnValues);
}
private static void UpdateDetailedThreatToDB(FidoReturnValues lFidoReturnValues, string row)
{
//todo: figure out best way to insert detailed reports to prevent having to query web services again
//var threatURL = lFidoReturnValues.FireEye.URL.Aggregate(string.Empty, (current, url) => current + (url + ","));
//threatURL = lFidoReturnValues.FireEye.ChannelHost.Aggregate(threatURL, (current, link) => current + (link + ","));
//data.Add("threat_url", threatURL);
//var threatMD5 = lFidoReturnValues.FireEye.MD5Hash.Aggregate(string.Empty, (current, md5) => current + (md5 + ","));
//data.Add("threat_hash", threatMD5);
}
public static JamfReturnValues Convert(FidoReturnValues lFidoReturnValues, List <string> lHostInfo)
{
var lJamfReturnValues = new JamfReturnValues
{
ComputerID = lHostInfo[0] ?? string.Empty, Hostname = lHostInfo[1] ?? string.Empty, ReportID = lHostInfo[2] ?? string.Empty, Username = lHostInfo[11], OSName = "OSX " + lHostInfo[9], LastUpdate = FromEpochTime(lHostInfo[3]).ToString()
};
return(lJamfReturnValues);
}
public static FidoReturnValues DetectorsToThreatFeeds(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues = FireEyeURL(lFidoReturnValues);
lFidoReturnValues = CyphortURL(lFidoReturnValues);
lFidoReturnValues = ProtectWiseURL(lFidoReturnValues);
lFidoReturnValues = PaloAltoURL(lFidoReturnValues);
return(lFidoReturnValues);
}
public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
{
var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);
var db = new SqLiteDB();
var data = new Dictionary <String, String>
{
{ "timer", iKeepAlive.ToString(CultureInfo.InvariantCulture) },
{ "ip_address", lFidoReturnValues.SrcIP },
{ "hostname", lFidoReturnValues.Hostname.ToLower() },
{ "timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred).ToString(CultureInfo.InvariantCulture) },
{ "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) },
{ "alert_id", lFidoReturnValues.AlertID }
};
try
{
//insert event to primary alert table
db.Insert("event_alerts", data);
const string eventAlerts = @"select count() from event_alerts";
var newRow = db.ExecuteScalar(eventAlerts);
//if there is threat data then insert otherwise
//todo: figure out a better way to find out if a detector is empty
if (lFidoReturnValues.Bit9 != null | lFidoReturnValues.Antivirus != null | lFidoReturnValues.FireEye != null |
lFidoReturnValues.Cyphort != null | lFidoReturnValues.ProtectWise != null | lFidoReturnValues.PaloAlto != null)
{
UpdateThreatToDB(lFidoReturnValues, newRow);
}
//if there is machine data then insert otherwise
if ((lFidoReturnValues.Landesk != null) | (lFidoReturnValues.Jamf != null))
{
UpdateMachineToDB(lFidoReturnValues, newRow);
}
//if there is user data then insert otherwise
if (lFidoReturnValues.UserInfo != null)
{
UpdateUserToDB(lFidoReturnValues, newRow);
}
//if there is detailed threat data insert
//if there is histiorical url data insert
UpdateHistoricalURLInfo(lFidoReturnValues);
UpdateHistoricalHashInfo(lFidoReturnValues);
UpdateHistoricalIPInfo(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error",
"Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
}
}
private static bool SetUpPreviousAlerts(FidoReturnValues lFidoReturnValues, bool isRunDirector)
{
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues);
}
return(isRunDirector);
}
private static List <string> GetAttachmentList(FidoReturnValues lFidoReturnValues)
{
return(new List <string>
{
Application.StartupPath + "\\media\\gauge\\total" + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) + ".png",
Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) + ".png",
Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) + ".png",
Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) + ".png"
});
}
private static Dictionary <string, string> ProtectWiseBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
replacements = ProtectWiseVTReplacements(lFidoReturnValues, replacements);
replacements = ProtectWiseGeoReplacements(lFidoReturnValues, replacements);
replacements = ProtectWiseThreatGRIDReplacements(lFidoReturnValues, replacements);
return(replacements);
}
private static Dictionary <string, string> PaloAltoBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
replacements = PaloAltoVTReplacements(lFidoReturnValues, replacements);
replacements = PaloAltoGeoReplacements(lFidoReturnValues, replacements);
replacements = PaloAltoThreatGRIDReplacements(lFidoReturnValues, replacements);
return(replacements);
}
