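        /// <summary>
        /// Writes one alert to the FIDO SQLite database: the primary event_alerts row,
        /// then the threat, machine and user detail rows for whichever detectors the
        /// alert carries data from, then the historical URL/hash/IP bookkeeping.
        /// </summary>
        /// <param name="lFidoReturnValues">Alert assembled by the detectors; individual fields may be null.</param>
        /// <exception cref="ArgumentNullException"><paramref name="lFidoReturnValues"/> is null.</exception>
        /// <remarks>
        /// Database failures are reported through Fido_EventHandler.SendEmail and then
        /// swallowed, so a caller cannot tell whether the insert succeeded.
        /// </remarks>
        public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
        {
            if (lFidoReturnValues == null)
            {
                throw new ArgumentNullException("lFidoReturnValues");
            }

            var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);
            var db         = new SqLiteDB();

            // Hostnames are machine identifiers, so normalise them culture-independently
            // and tolerate a missing one: this runs before the try block, so a null
            // dereference here would escape to the caller instead of being reported.
            var hostname = lFidoReturnValues.Hostname;
            if (hostname != null)
            {
                hostname = hostname.ToLowerInvariant();
            }

            // Every value below originates with an external detector (source IP,
            // hostname, alert id, timestamp text). They are handed to the DB layer as
            // column values and must never be spliced into SQL text.
            // NOTE(review): Convert.ToDateTime parses with the current culture; confirm
            // the format TimeOccurred is produced in before changing this.
            var data = new Dictionary <String, String>
            {
                { "timer", iKeepAlive.ToString(CultureInfo.InvariantCulture) },
                { "ip_address", lFidoReturnValues.SrcIP },
                { "hostname", hostname },
                { "timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred).ToString(CultureInfo.InvariantCulture) },
                { "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) },
                { "alert_id", lFidoReturnValues.AlertID }
            };

            try
            {
                //insert event to primary alert table
                db.Insert("event_alerts", data);

                // The row count is used as the id of the row just inserted. That only
                // holds while event_alerts is append-only and writers are serialised;
                // TODO confirm, or read the new rowid back from the insert instead.
                const string eventAlerts = @"select count() from event_alerts";
                var          newRow      = db.ExecuteScalar(eventAlerts);

                //if there is threat data then insert
                //todo: figure out a better way to find out if a detector is empty
                var hasThreatData = lFidoReturnValues.Bit9 != null
                                    || lFidoReturnValues.Antivirus != null
                                    || lFidoReturnValues.FireEye != null
                                    || lFidoReturnValues.Cyphort != null
                                    || lFidoReturnValues.ProtectWise != null
                                    || lFidoReturnValues.PaloAlto != null;
                if (hasThreatData)
                {
                    UpdateThreatToDB(lFidoReturnValues, newRow);
                }

                //if there is machine data then insert
                if (lFidoReturnValues.Landesk != null || lFidoReturnValues.Jamf != null)
                {
                    UpdateMachineToDB(lFidoReturnValues, newRow);
                }

                //if there is user data then insert
                if (lFidoReturnValues.UserInfo != null)
                {
                    UpdateUserToDB(lFidoReturnValues, newRow);
                }

                //historical url, hash and ip data are refreshed for every alert
                UpdateHistoricalURLInfo(lFidoReturnValues);
                UpdateHistoricalHashInfo(lFidoReturnValues);
                UpdateHistoricalIPInfo(lFidoReturnValues);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error",
                                            "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
            }
        }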
        /// <summary>
        /// Reloads the "config" table from the FIDO database and reads the syslog
        /// settings that a SysLogger.Setup call would consume.
        /// </summary>
        /// <remarks>
        /// The syslog values are read but not consumed because the SysLogger.Setup
        /// call is still commented out; the reads are kept so the configuration keys
        /// and their defaults stay visible in one place.
        /// </remarks>
        private void SetupSyslog()
        {
            Object_Fido_Configs.LoadConfigFromDb("config");

            var syslogPort     = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
            var syslogServer   = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
            var syslogFacility = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
            var syslogSender   = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
            var syslogLayout   = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");

            //SysLogger.Setup(syslogServer, syslogPort, syslogFacility, syslogSender, syslogLayout);
        }
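        /// <summary>
        /// Collects the syslog and application-startup settings into a string-keyed
        /// map so callers can read them without touching Object_Fido_Configs directly.
        /// </summary>
        /// <returns>
        /// Map with the keys "server", "port", "facility", "sender", "layout",
        /// "isParamTest" and "detectors". Non-string settings are rendered as text with
        /// the invariant culture; "detectors" keeps the raw comma-separated list so the
        /// caller can Split it.
        /// </returns>
        private Dictionary <string, string> GetSysLogParams()
        {
            // The original used lower-case add() and pushed int/bool/string[] values
            // into a string map, which does not compile; values are converted here.
            var result = new Dictionary <string, string>
            {
                { "server", Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost") },
                { "port", Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514).ToString(CultureInfo.InvariantCulture) },
                { "facility", Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1") },
                { "sender", Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido") },
                { "layout", Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)") },
                { "isParamTest", Object_Fido_Configs.GetAsBool("fido.application.teststartup", true).ToString() },
                { "detectors", Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty) }
            };

            return result;
        }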
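        //The load will grab configurations for what FIDO is monitoring,
        //then go to each configured external system to parse any alerts.
        //Finally, FIDO is configured to pause per iteration on a
        //configurable timed basis.
        //
        //sender/aug are the standard WinForms event arguments and are not used.
        //Receiver failures are emailed via Fido_EventHandler.SendEmail and swallowed
        //so one bad detector does not stop the polling loop.
        private void Fido_Load(object sender, EventArgs aug)
        {
            DisableCurrentTime();
            CheckIfFidoConfigurationExists();

            //Load fido configs from database
            Object_Fido_Configs.LoadConfigFromDb("config");

            //The params map holds everything as text, so the startup flag and the
            //detector list are decoded here. A missing or unparsable flag falls back
            //to test mode, the same default the config key carries elsewhere.
            var sysLogParams = GetSysLogParams();

            string isParamTestText;
            bool   isParamTest;
            if (!sysLogParams.TryGetValue("isParamTest", out isParamTestText)
                || !bool.TryParse(isParamTestText, out isParamTest))
            {
                isParamTest = true;
            }

            string detectorsText;
            if (!sysLogParams.TryGetValue("detectors", out detectorsText) || detectorsText == null)
            {
                detectorsText = string.Empty;
            }
            var sDetectors = detectorsText.Split(',');

            try
            {
                Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");

                foreach (var detect in sDetectors)
                {
                    //An empty entry (e.g. a trailing comma in the config) has no detector to load.
                    if (string.IsNullOrWhiteSpace(detect))
                    {
                        continue;
                    }

                    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
                    //Get the detector, ie, email, log, web service, etc.
                    var sDetectorType = parseConfigs.DetectorType;
                    switch (sDetectorType)
                    {
                    case "api":
                        Console.WriteLine(@"Loading webservice receiver.");
                        Recieve_API.DirectToEngine(sDetectorType, detect);
                        break;

                    case "log":
                        Console.WriteLine(@"Loaded log receiver.");
                        var sDefaultServer = parseConfigs.Server;
                        var sDefaultFile   = parseConfigs.File;
                        var sVendor        = parseConfigs.Vendor;
                        Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                        break;

                    case "sql":
                        Console.WriteLine(@"Loaded sql receiver.");
                        Receive_SQL.DirectToEngine(sDetectorType, detect);
                        break;

                    case "email":
                        Console.WriteLine(@"Loaded email receiver.");
                        var sEmailVendor     = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                        var sDetectorsEmail  = parseConfigs.EmailFrom;
                        var sDetectorsFolder = parseConfigs.Folder;
                        Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                        break;

                    default:
                        //A misconfigured detector type was previously skipped silently,
                        //which hides a gap in alert coverage.
                        Console.WriteLine(@"Unknown detector type, skipping: " + sDetectorType);
                        break;
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
            }

            //Sleep for X # of seconds per iteration specified in Fido configuration
            Application.DoEvents();
            var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);

            //Thread.Sleep takes milliseconds while the message reports seconds, so the
            //default of 5 sleeps 5 ms and prints 0 seconds — TODO confirm the config unit.
            Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
            Thread.Sleep(iSleep);
            timer1.Enabled = true;
        }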
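        /// <summary>
        /// Handler for email-based detectors: connects to the configured mail service,
        /// pulls alert messages from the senders listed in <paramref name="sDetectorEmail"/>,
        /// hands each one to <see cref="ScanEmail"/> and files it under "Processed".
        /// </summary>
        /// <param name="sVendor">Mail backend: "outlook", "exchange" or "imap". Only "imap" is implemented.</param>
        /// <param name="sFolderName">Mailbox to read in production runs; also passed to ScanEmail.</param>
        /// <param name="sFolderNameTest">Mailbox to read when <paramref name="isParamTest"/> is set (may be null).</param>
        /// <param name="sDetectorEmail">Comma-separated sender addresses whose messages are alerts.</param>
        /// <param name="isParamTest">True to run against the test mailbox.</param>
        /// <remarks>
        /// Failures inside the IMAP path are reported via Fido_EventHandler.SendEmail and
        /// swallowed; the method never throws for them.
        /// </remarks>
        public static void ReadEmail(string sVendor, string sFolderName, string sFolderNameTest, string sDetectorEmail, bool isParamTest)
        {
            switch (sVendor)
            {
            //Outlook based email plugin which would require the Outlook client to be installed.
            case "outlook":
                #region Microsoft Outlook Plugin
                //not implemented: an earlier Outlook interop sketch was kept here as
                //commented-out code and has been removed.
                #endregion
                break;

            case "exchange":
                #region Microsoft Exchange Plugin
                //still need to build out direct Exchange access
                #endregion
                break;

            //IMAP based email plugin which has been verified to work with Gmail
            case "imap":
                #region IMAP Plugin
                ReadImapAlerts(sFolderName, sFolderNameTest, sDetectorEmail, isParamTest);
                #endregion
                Console.WriteLine(@"Finished processing email alerts.");
                break;

            default:
                //Previously an unknown vendor fell through silently, hiding a config error.
                Console.WriteLine(@"Unsupported email vendor configured: " + sVendor);
                break;
            }
        }

        //Pulls up to 50 alert messages per pass from the IMAP mailbox, scans each one
        //and moves it to the "Processed" folder. Errors are emailed and swallowed.
        private static void ReadImapAlerts(string sFolderName, string sFolderNameTest, string sDetectorEmail, bool isParamTest)
        {
            try
            {
                var sfidoemail  = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
                var sfidopwd    = Object_Fido_Configs.GetAsString("fido.email.fidopwd", null);
                var sfidoacek   = Object_Fido_Configs.GetAsString("fido.email.fidoacek", null);
                var sImapServer = Object_Fido_Configs.GetAsString("fido.email.imapserver", null);
                var iImapPort   = Object_Fido_Configs.GetAsInt("fido.email.imapport", 0);

                //The mailbox password is stored encrypted, but the key that unwraps it is
                //itself decrypted with the constant "1", so anyone who can read the config
                //table can recover the password. Treat it as a plaintext secret at rest:
                //restrict database access and prefer an OS/vault-backed key store.
                sfidoacek = Aes_Crypto.DecryptStringAES(sfidoacek, "1");
                sfidopwd  = Aes_Crypto.DecryptStringAES(sfidopwd, sfidoacek);

                //Dispose the client so the IMAP session is closed even when scanning throws.
                //NOTE(review): the trailing 'true' is presumably the SSL/TLS flag — confirm against the client overload.
                using (IImapClient gLogin = new ImapClient(sImapServer, iImapPort, sfidoemail, sfidopwd, AuthMethod.Login, true))
                {
                    gLogin.DefaultMailbox = isParamTest ? sFolderNameTest : sFolderName;

                    //seperate out list of email addresses handed to emailreceive
                    //then run query based on each email from the specified folder
                    var listUids       = new List <uint>();
                    var aryInboxSearch = (sDetectorEmail ?? string.Empty).Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries);
                    foreach (var search in aryInboxSearch)
                    {
                        listUids.AddRange(gLogin.Search(SearchCondition.From(search)));
                    }

                    //Cap the batch so one pass cannot be stalled by a flooded mailbox;
                    //the remainder is picked up on the next timer iteration.
                    var uids         = listUids.Take(50).ToArray();
                    var mailMessages = gLogin.GetMessages(uids).ToArray();

                    //NOTE(review): uids[i] is assumed to correspond to mailMessages[i],
                    //i.e. GetMessages returns one message per uid in request order — confirm.
                    var count = Math.Min(mailMessages.Length, uids.Length);
                    for (var i = 0; i < count; i++)
                    {
                        var sMessageBody = mailMessages[i].Body;
                        var sSubject     = mailMessages[i].Subject;
                        var sERet        = ScanEmail(sSubject, sMessageBody, sFolderName, isParamTest);

                        //Both outcomes are filed the same way; only the log line differs.
                        if (sERet == "Test Email")
                        {
                            Console.WriteLine(@"Test email found, putting in processed folder.");
                        }
                        else
                        {
                            Console.WriteLine(@"Finished processing email alert, puttig in processed folder.");
                        }
                        gLogin.MoveMessage(uids[i], "Processed");
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in IMAP emailreceive area:" + e);
            }
        }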
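        //The load will grab configurations for what FIDO is monitoring,
        //then go to each configured external system to parse any alerts.
        //Finally, FIDO is configured to pause per iteration on a
        //configurable timed basis.
        //
        //sender/aug are the standard WinForms event arguments and are not used.
        //Receiver failures are emailed via Fido_EventHandler.SendEmail and swallowed
        //so one bad detector does not stop the polling loop.
        private void Fido_Load(object sender, EventArgs aug)
        {
            //Disable the timer during the current iteration so runs do not overlap.
            timer1.Enabled = false;
            Hide();

            if (!ConfigurationOK())
            {
                //Application.Exit only requests shutdown; without the return the rest
                //of the iteration would still run against a missing configuration.
                Application.Exit();
                return;
            }

            SetupSyslog();

            //Beginning of primary area which starts parsing of alerts.
            var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
            var sDetectors  = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(',');

            try
            {
                Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");

                foreach (var detect in sDetectors)
                {
                    //An empty entry (e.g. a trailing comma in the config) has no detector to load.
                    if (string.IsNullOrWhiteSpace(detect))
                    {
                        continue;
                    }

                    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
                    //Get the detector, ie, email, log, web service, etc.
                    var sDetectorType = parseConfigs.DetectorType;
                    switch (sDetectorType)
                    {
                    case "api":
                        Console.WriteLine(@"Loading webservice receiver.");
                        Recieve_API.DirectToEngine(sDetectorType, detect);
                        break;

                    case "log":
                        Console.WriteLine(@"Loaded log receiver.");
                        var sDefaultServer = parseConfigs.Server;
                        var sDefaultFile   = parseConfigs.File;
                        var sVendor        = parseConfigs.Vendor;
                        Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                        break;

                    case "sql":
                        Console.WriteLine(@"Loaded sql receiver.");
                        Receive_SQL.DirectToEngine(sDetectorType, detect);
                        break;

                    case "email":
                        Console.WriteLine(@"Loaded email receiver.");
                        var sEmailVendor     = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                        var sDetectorsEmail  = parseConfigs.EmailFrom;
                        var sDetectorsFolder = parseConfigs.Folder;
                        Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                        break;

                    default:
                        //A misconfigured detector type was previously skipped silently,
                        //which hides a gap in alert coverage.
                        Console.WriteLine(@"Unknown detector type, skipping: " + sDetectorType);
                        break;
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
            }

            //Sleep for X # of seconds per iteration specified in Fido configuration
            Application.DoEvents();
            var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);

            //Thread.Sleep takes milliseconds while the message reports seconds, so the
            //default of 5 sleeps 5 ms and prints 0 seconds — TODO confirm the config unit.
            Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
            Thread.Sleep(iSleep);
            timer1.Enabled = true;
        }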
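        //The load will grab configurations for what FIDO is monitoring,
        //then go to each configured external system to parse any alerts.
        //Finally, FIDO is configured to pause per iteration on a
        //configurable timed basis.
        //
        //sender/aug are the standard WinForms event arguments and are not used.
        //Receiver failures are emailed via Fido_EventHandler.SendEmail and swallowed
        //so one bad detector does not stop the polling loop.
        private void Fido_Load(object sender, EventArgs aug)
        {
            //Disable the timer during the current iteration so runs do not overlap.
            timer1.Enabled = false;
            Hide();

            //Check to see if Fido configurations exists and if not
            //fail with prompt that configurations are not found.
            Console.Clear();
            var sAppStartupPath = Path.Combine(Application.StartupPath, @"data\fido.db");

            if (!File.Exists(sAppStartupPath))
            {
                Console.WriteLine(@"Failed to load FIDO DB.");
                //Application.Exit only requests shutdown; without the return the
                //config load below would still run against the missing database.
                Application.Exit();
                return;
            }
            Console.WriteLine(@"Loaded FIDO DB successfully.");

            //Load fido configs from database
            Object_Fido_Configs.LoadConfigFromDb("config");

            //Setup syslog. The values are read but unused until SysLogger.Setup is enabled.
            var server1   = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
            var port1     = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
            var facility1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
            var sender1   = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
            var layout1   = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
            //SysLogger.Setup(server1, port1, facility1, sender1, layout1);

            //Beginning of primary area which starts parsing of alerts.
            var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
            var sDetectors  = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(',');

            try
            {
                Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");

                foreach (var detect in sDetectors)
                {
                    //An empty entry (e.g. a trailing comma in the config) has no detector to load.
                    if (string.IsNullOrWhiteSpace(detect))
                    {
                        continue;
                    }

                    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
                    //Get the detector, ie, email, log, web service, etc.
                    var sDetectorType = parseConfigs.DetectorType;
                    switch (sDetectorType)
                    {
                    case "api":
                        Console.WriteLine(@"Loading webservice receiver.");
                        Recieve_API.DirectToEngine(sDetectorType, detect);
                        break;

                    case "log":
                        Console.WriteLine(@"Loaded log receiver.");
                        var sDefaultServer = parseConfigs.Server;
                        var sDefaultFile   = parseConfigs.File;
                        var sVendor        = parseConfigs.Vendor;
                        Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                        break;

                    case "sql":
                        Console.WriteLine(@"Loaded sql receiver.");
                        Receive_SQL.DirectToEngine(sDetectorType, detect);
                        break;

                    case "email":
                        Console.WriteLine(@"Loaded email receiver.");
                        var sEmailVendor     = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                        var sDetectorsEmail  = parseConfigs.EmailFrom;
                        var sDetectorsFolder = parseConfigs.Folder;
                        Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                        break;

                    default:
                        //A misconfigured detector type was previously skipped silently,
                        //which hides a gap in alert coverage.
                        Console.WriteLine(@"Unknown detector type, skipping: " + sDetectorType);
                        break;
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
            }

            //Sleep for X # of seconds per iteration specified in Fido configuration
            Application.DoEvents();
            var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);

            //Thread.Sleep takes milliseconds while the message reports seconds, so the
            //default of 5 sleeps 5 ms and prints 0 seconds — TODO confirm the config unit.
            Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
            Thread.Sleep(iSleep);
            timer1.Enabled = true;
        }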