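public static Dictionary <string, string> PaloAltoBadGuyReturn(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary <string, string> replacements)
        {
            // Tallies the VirusTotal verdicts attached to a Palo Alto event:
            //  - hash and URL permalinks are sorted into the good/bad lists and the
            //    BadHashs / BadUrLs counters are bumped for every positive verdict,
            //  - the detected samples / URLs of the first IP report are counted,
            //  - the Bit9 placeholders are seeded with "Not Configured",
            //  - the Palo Alto specific placeholders are filled by PaloAltoBadGuyReplacements.
            // Mutates lFidoReturnValues, md5Hashes and urls; returns the same
            // replacements dictionary it was given. Callers are expected to have
            // checked lFidoReturnValues.PaloAlto for null.
            var vt = lFidoReturnValues.PaloAlto.VirusTotal;
            if (vt != null)
            {
                if (vt.MD5HashReturn != null)
                {
                    foreach (var hashReport in vt.MD5HashReturn)
                    {
                        if (hashReport.Positives > 0)
                        {
                            lFidoReturnValues.BadHashs += 1;
                            md5Hashes.lBadMD5Hashes.Add(hashReport.Permalink);
                        }
                        else
                        {
                            md5Hashes.lGoodMD5Hashes.Add(hashReport.Permalink);
                        }
                    }
                }

                if (vt.URLReturn != null)
                {
                    foreach (var urlReport in vt.URLReturn)
                    {
                        if (urlReport.Positives > 0)
                        {
                            lFidoReturnValues.BadUrLs += 1;
                            urls.lBadURLs.Add(urlReport.Permalink);
                        }
                        else
                        {
                            urls.lGoodURLs.Add(urlReport.Permalink);
                        }
                    }
                }

                // Only the first IP report is summarised (unchanged). The null check
                // alone does not cover an empty collection, which would throw on [0].
                if (vt.IPReturn != null && vt.IPReturn.Any())
                {
                    var ipReport = vt.IPReturn[0];
                    if (ipReport.DetectedCommunicatingSamples != null)
                    {
                        lFidoReturnValues.BadDetectedComms += ipReport.DetectedCommunicatingSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedDownloadedSamples != null)
                    {
                        lFidoReturnValues.BadDetectedDownloads += ipReport.DetectedDownloadedSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedUrls != null)
                    {
                        lFidoReturnValues.BadDetectedUrls += ipReport.DetectedUrls.Count(u => u.Positives > 0);
                    }
                }
            }

            // Bit9 is not part of this detector: seed its placeholders, but do not
            // clobber real values another detector may already have supplied
            // (Dictionary.Add would throw on the duplicate key).
            if (!replacements.ContainsKey("%bit9threat%"))
            {
                replacements.Add("%bit9threat%", "Not Configured");
            }
            if (!replacements.ContainsKey("%bit9trust%"))
            {
                replacements.Add("%bit9trust%", "Not Configured");
            }
            replacements = PaloAltoBadGuyReplacements(lFidoReturnValues, replacements);
            return(replacements);
        }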
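        public static Dictionary <string, string> ProtectWiseBadGuyReturn(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary <string, string> replacements)
        {
            // Tallies the VirusTotal verdicts attached to a ProtectWise event:
            //  - hash and URL permalinks are sorted into the good/bad lists and the
            //    BadHashs / BadUrLs counters are bumped for every positive verdict,
            //  - the detected samples / URLs of the first IP report are counted,
            //  - the AlienVault placeholders are filled from the AlienVault result
            //    (or "Not Found" when there is none),
            //  - the Bit9 placeholders are seeded with "Not Configured",
            //  - the ProtectWise specific placeholders are filled by ProtectWiseBadGuyReplacements.
            // Mutates lFidoReturnValues, md5Hashes and urls; returns the same
            // replacements dictionary it was given. Callers are expected to have
            // checked lFidoReturnValues.ProtectWise for null.
            var vt = lFidoReturnValues.ProtectWise.VirusTotal;
            if (vt != null)
            {
                if (vt.MD5HashReturn != null)
                {
                    foreach (var hashReport in vt.MD5HashReturn)
                    {
                        if (hashReport.Positives > 0)
                        {
                            lFidoReturnValues.BadHashs += 1;
                            md5Hashes.lBadMD5Hashes.Add(hashReport.Permalink);
                        }
                        else
                        {
                            md5Hashes.lGoodMD5Hashes.Add(hashReport.Permalink);
                        }
                    }
                }

                if (vt.URLReturn != null)
                {
                    foreach (var urlReport in vt.URLReturn)
                    {
                        if (urlReport.Positives > 0)
                        {
                            lFidoReturnValues.BadUrLs += 1;
                            urls.lBadURLs.Add(urlReport.Permalink);
                        }
                        else
                        {
                            urls.lGoodURLs.Add(urlReport.Permalink);
                        }
                    }
                }

                // Only the first IP report is summarised (unchanged). The null check
                // alone does not cover an empty collection, which would throw on [0].
                if (vt.IPReturn != null && vt.IPReturn.Any())
                {
                    var ipReport = vt.IPReturn[0];
                    if (ipReport.DetectedCommunicatingSamples != null)
                    {
                        lFidoReturnValues.BadDetectedComms += ipReport.DetectedCommunicatingSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedDownloadedSamples != null)
                    {
                        lFidoReturnValues.BadDetectedDownloads += ipReport.DetectedDownloadedSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedUrls != null)
                    {
                        lFidoReturnValues.BadDetectedUrls += ipReport.DetectedUrls.Count(u => u.Positives > 0);
                    }
                }
            }

            // AlienVault placeholders. Indexer assignment (instead of Add) keeps a
            // repeated call from throwing on a duplicate key.
            var alienVault = lFidoReturnValues.ProtectWise.AlienVault;
            if (alienVault != null)
            {
                replacements["%alienrisk%"] = alienVault.Risk.ToString(CultureInfo.InvariantCulture);
                replacements["%alienreliable%"] = alienVault.Reliability.ToString(CultureInfo.InvariantCulture);
                replacements["%alienactivity%"] = alienVault.Activity ?? string.Empty;
            }
            else
            {
                replacements["%alienrisk%"] = "Not Found";
                replacements["%alienreliable%"] = "Not Found";
                replacements["%alienactivity%"] = string.Empty;
            }

            // Bit9 is not part of this detector: seed its placeholders, but do not
            // clobber real values another detector may already have supplied
            // (Dictionary.Add would throw on the duplicate key).
            if (!replacements.ContainsKey("%bit9threat%"))
            {
                replacements.Add("%bit9threat%", "Not Configured");
            }
            if (!replacements.ContainsKey("%bit9trust%"))
            {
                replacements.Add("%bit9trust%", "Not Configured");
            }
            replacements = ProtectWiseBadGuyReplacements(lFidoReturnValues, replacements);
            return(replacements);
        }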
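        private static Dictionary <string, string> VTReplacements(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary <string, string> replacements)
        {
            // Fills the VirusTotal summary placeholders from the good/bad lists the
            // *BadGuyReturn helpers collected:
            //   %totalbadfiles%  - numbered link per bad hash permalink
            //   %totalgoodfiles% - "0", one link, or an unlinked "1..N" range
            //   %totalbadurls%   - numbered link per bad URL permalink
            //   %totalgoodurls%  - "0", one link, or an unlinked "1..N" range
            // The bad lists are rendered from the lists themselves rather than the
            // BadHashs / BadUrLs counters, so a counter that drifts from its list can
            // no longer index past the end, and the last bad URL is no longer dropped
            // (the previous loop ran to BadUrLs - 1). Keys are assigned with the
            // indexer so a second call (StartReplacements invokes this once per
            // matching detector) does not throw on a duplicate key.
            // lFidoReturnValues is kept in the signature for the existing callers.
            replacements["%totalbadfiles%"] = BuildNumberedLinks(md5Hashes.lBadMD5Hashes);
            replacements["%totalgoodfiles%"] = BuildRangeLink(md5Hashes.lGoodMD5Hashes);
            replacements["%totalbadurls%"] = BuildNumberedLinks(urls.lBadURLs);
            replacements["%totalgoodurls%"] = BuildRangeLink(urls.lGoodURLs);
            return(replacements);
        }

        // One numbered link per entry, comma separated ("1, 2, 3"); "0" for an
        // empty or missing list.
        private static string BuildNumberedLinks(IEnumerable<string> links)
        {
            if (links == null)
            {
                return "0";
            }
            var anchors = links
                .Select((link, index) => HtmlAnchor(link, (index + 1).ToString(CultureInfo.InvariantCulture)))
                .ToList();
            return anchors.Count == 0 ? "0" : string.Join(", ", anchors);
        }

        // "0", a single link, or an unlinked "1..N" range for several entries;
        // this is the presentation the good-file / good-URL placeholders always had.
        private static string BuildRangeLink(IEnumerable<string> links)
        {
            var entries = links == null ? new List<string>() : links.ToList();
            switch (entries.Count)
            {
                case 0:
                    return "0";
                case 1:
                    return HtmlAnchor(entries[0], "1");
                default:
                    return "<a href=''>1.." + entries.Count.ToString(CultureInfo.InvariantCulture) + "</a>";
            }
        }

        // Permalinks come back in an external API response and are embedded in an
        // HTML notification, so the href is encoded as attribute text rather than
        // concatenated raw.
        private static string HtmlAnchor(string href, string label)
        {
            return "<a href='" + System.Net.WebUtility.HtmlEncode(href ?? string.Empty) + "'>" + label + "</a>";
        }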
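        public static Dictionary <string, string> StartReplacements(FidoReturnValues lFidoReturnValues, string[] detectors, MD5Hashes md5Hashes, URLs urls, Dictionary <string, string> replacements)
        {
            // Runs the per-detector placeholder fill for every detector name in
            // 'detectors' and returns the (same) replacements dictionary. Any
            // exception is reported by e-mail and the dictionary is returned as far
            // as it was filled, so callers should treat a missing key as "not
            // available" rather than assume every placeholder was set.
            if (detectors == null)
            {
                return(replacements);
            }

            try
            {
                foreach (var detector in detectors)
                {
                    replacements = ApplyDetectorReplacements(detector, lFidoReturnValues, md5Hashes, urls, replacements);
                }
            }
            catch (Exception e)
            {
                // Best-effort: the previous message carried a literal "{0}" that was
                // never substituted; the exception is appended as text instead.
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in Notification Help: " + e);
            }
            return(replacements);
        }

        // Dispatches one detector name to its helper. Unknown names and the
        // "antivirus" / "ids" detectors leave the dictionary untouched.
        private static Dictionary <string, string> ApplyDetectorReplacements(string detector, FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary <string, string> replacements)
        {
            switch (detector)
            {
            case "cyphortv2":
            case "cyphortv3":
                if (lFidoReturnValues.Cyphort != null)
                {
                    replacements = Notification_Cyphort_Helper.CyphortBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                    replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                }
                break;

            case "protectwisev1-event":
                if (lFidoReturnValues.ProtectWise != null)
                {
                    replacements = Notfication_ProtectWise_Helper.ProtectWiseBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                    replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                }
                break;

            case "carbonblackv1":
                // The other cases guard the detector object itself; CB was only
                // checked one level down, which throws when CB is absent.
                if (lFidoReturnValues.CB != null && lFidoReturnValues.CB.Alert != null)
                {
                    replacements = Notification_CarbonBlack_Helper.CarbonBlackBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                    replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                }
                break;

            case "panv1":
                if (lFidoReturnValues.PaloAlto != null)
                {
                    replacements = Notification_PaloAlto_Helper.PaloAltoBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                    replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                }
                break;

            case "mps":
                if (lFidoReturnValues.FireEye != null)
                {
                    replacements = MPSBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                    replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                }
                break;

            case "antivirus":
            case "ids":
                break;

            case "bit9":
                // Only the first VirusTotal report is used (unchanged); the extra
                // Any() guard covers an empty report list, which [0] would throw on.
                if (lFidoReturnValues.Bit9 != null
                    && lFidoReturnValues.Bit9.VTReport != null
                    && lFidoReturnValues.Bit9.VTReport.Any())
                {
                    var vtReport = lFidoReturnValues.Bit9.VTReport[0];
                    if (vtReport.Positives > 0)
                    {
                        lFidoReturnValues.BadHashs += 1;
                        md5Hashes.lBadMD5Hashes.Add(vtReport.Permalink);
                    }
                    else
                    {
                        md5Hashes.lGoodMD5Hashes.Add(vtReport.Permalink);
                    }

                    // Real Bit9 values take precedence over the "Not Configured"
                    // placeholders another detector may have seeded, so assign via
                    // the indexer instead of Add (which throws on a duplicate key).
                    replacements["%bit9threat%"] = lFidoReturnValues.Bit9.FileThreat;
                    replacements["%bit9trust%"] = lFidoReturnValues.Bit9.FileTrust;
                }
                break;
            }
            return(replacements);
        }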
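        public static Dictionary <string, string> CyphortBadGuyReturn(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary <string, string> replacements)
        {
            // Tallies the VirusTotal verdicts attached to a Cyphort event:
            //  - hash and URL permalinks are sorted into the good/bad lists and the
            //    BadHashs / BadUrLs counters are bumped for every positive verdict,
            //  - the detected samples / URLs of the first IP report are counted,
            //  - the Cyphort specific placeholders are filled by CyphortBadGuyReplacements.
            // Mutates lFidoReturnValues, md5Hashes and urls; returns the same
            // replacements dictionary it was given. Callers are expected to have
            // checked lFidoReturnValues.Cyphort for null.
            var vt = lFidoReturnValues.Cyphort.VirusTotal;
            if (vt != null)
            {
                if (vt.MD5HashReturn != null)
                {
                    foreach (var hashReport in vt.MD5HashReturn)
                    {
                        if (hashReport.Positives > 0)
                        {
                            lFidoReturnValues.BadHashs += 1;
                            md5Hashes.lBadMD5Hashes.Add(hashReport.Permalink);
                        }
                        else
                        {
                            md5Hashes.lGoodMD5Hashes.Add(hashReport.Permalink);
                        }
                    }
                }

                if (vt.URLReturn != null)
                {
                    foreach (var urlReport in vt.URLReturn)
                    {
                        if (urlReport.Positives > 0)
                        {
                            lFidoReturnValues.BadUrLs += 1;
                            urls.lBadURLs.Add(urlReport.Permalink);
                        }
                        else
                        {
                            urls.lGoodURLs.Add(urlReport.Permalink);
                        }
                    }
                }

                // Only the first IP report is summarised (unchanged). The null check
                // alone does not cover an empty collection, which would throw on [0].
                if (vt.IPReturn != null && vt.IPReturn.Any())
                {
                    var ipReport = vt.IPReturn[0];
                    if (ipReport.DetectedCommunicatingSamples != null)
                    {
                        lFidoReturnValues.BadDetectedComms += ipReport.DetectedCommunicatingSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedDownloadedSamples != null)
                    {
                        lFidoReturnValues.BadDetectedDownloads += ipReport.DetectedDownloadedSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedUrls != null)
                    {
                        lFidoReturnValues.BadDetectedUrls += ipReport.DetectedUrls.Count(u => u.Positives > 0);
                    }
                }
            }
            replacements = CyphortBadGuyReplacements(lFidoReturnValues, replacements);
            return(replacements);
        }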