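        /// <summary>
        /// Looks up each MD5 hash in VirusTotal and collects the file reports that came back.
        /// </summary>
        /// <param name="sMD5Hash">Hashes to look up. A null or empty array, blank entries and lookups that return no report are skipped.</param>
        /// <returns>The reports retrieved; empty when there was nothing to look up or the lookup failed part-way.</returns>
        /// <remarks>
        /// The pauses are only applied when paid_feed in configs_threatfeed_virustotal is false.
        /// Batches of four or more hashes print progress and pause between lookups; smaller batches only pause once up front.
        /// Failures are reported by e-mail through Fido_EventHandler and the reports gathered so far are returned.
        /// </remarks>
        public static List <FileReport> ParseHash(string[] sMD5Hash)
        {
            //todo: The below is a placeholder for when this will be encrypted.
            //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);

            var sVirusTotalHash = new List <FileReport>();
            if (sMD5Hash == null || sMD5Hash.Length == 0)
            {
                // Nothing to do; a null array used to reach Any() and trigger a spurious "Fido Error" mail.
                return(sVirusTotalHash);
            }

            var sVTKey     = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
            var vtLogin    = new VirusTotal(sVTKey);
            var fidoDB     = new SqLiteDB();
            var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

            //todo: remove all the sleeps with a configurable option of whether to sleep AND a
            //configurable integer value for the timer. Currently putting these in for the free
            //API, but need to account for someone having access to the paid API.
            var isLargeBatch = sMD5Hash.Length >= 4;
            try
            {
                if (!isPaidFeed)
                {
                    Thread.Sleep(1000);
                }

                for (var i = 0; i < sMD5Hash.Length; i++)
                {
                    var sHash = sMD5Hash[i];
                    if (string.IsNullOrEmpty(sHash))
                    {
                        continue;
                    }

                    if (isLargeBatch)
                    {
                        Console.WriteLine(@"Processing hash #" + (i + 1) + @" of " + sMD5Hash.Length + @" " + sHash + @".");
                    }

                    var sVtmd5Return = vtLogin.GetFileReport(sHash);
                    // Never hand a null report downstream; the small-batch path already filtered these out.
                    if (sVtmd5Return != null)
                    {
                        sVirusTotalHash.Add(sVtmd5Return);
                    }

                    if (isLargeBatch && !isPaidFeed)
                    {
                        Console.WriteLine(@"Pausing 17 seconds to not overload VT.");
                        Thread.Sleep(17000);
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT Hash area:" + e);
            }
            return(sVirusTotalHash);
        }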
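        /// <summary>
        /// Reports whether any of the supplied artifacts (destination IP, hashes, domain, URLs)
        /// is present in the event_whitelist table.
        /// </summary>
        /// <param name="sDstIP">Destination IP to check; null or empty is skipped.</param>
        /// <param name="sHash">File hashes to check; null is skipped.</param>
        /// <param name="sDomain">Domain to check; null or empty is skipped.</param>
        /// <param name="sUrl">URLs to check; null is skipped.</param>
        /// <returns>true as soon as one artifact is found in the whitelist; otherwise false.</returns>
        public bool CheckFidoWhitelist(string sDstIP, List <string> sHash, string sDomain, List <string> sUrl)
        {
            var sqlQuery = new SqLiteDB();

            if (!string.IsNullOrEmpty(sDstIP) && IsWhitelistedArtifact(sqlQuery, sDstIP))
            {
                return(true);
            }

            if (sHash != null)
            {
                foreach (var hash in sHash)
                {
                    if (IsWhitelistedArtifact(sqlQuery, hash))
                    {
                        return(true);
                    }
                }
            }

            if (!string.IsNullOrEmpty(sDomain) && IsWhitelistedArtifact(sqlQuery, sDomain))
            {
                return(true);
            }

            if (sUrl != null)
            {
                foreach (var url in sUrl)
                {
                    if (IsWhitelistedArtifact(sqlQuery, url))
                    {
                        return(true);
                    }
                }
            }

            return(false);
        }

        /// <summary>
        /// Runs the single-artifact whitelist lookup shared by all four artifact kinds.
        /// </summary>
        /// <param name="sqlQuery">Open database wrapper to query through.</param>
        /// <param name="artifact">Artifact value; null is treated as the empty string, as the old concatenation did.</param>
        /// <returns>true when the query returned a non-empty value.</returns>
        private static bool IsWhitelistedArtifact(SqLiteDB sqlQuery, string artifact)
        {
            // The artifacts come from detector alerts (observed URLs, hostnames, hashes), i.e. from
            // untrusted input. ExecuteScalar only takes a query string here, so the value is embedded
            // as a SQL string literal with its single quotes doubled (the SQLite escape for that
            // context) rather than pasted in raw, which let a quote in a URL alter the statement.
            var sArtifact = (artifact ?? string.Empty).Replace("'", "''");
            var qReturn   = sqlQuery.ExecuteScalar("Select * from event_whitelist where artifact = '" + sArtifact + "'");
            return !string.IsNullOrEmpty(qReturn);
        }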
        /// <summary>
        /// Runs <paramref name="query"/> against the Fido SQLite database and returns the result set.
        /// </summary>
        /// <param name="query">SQL text executed verbatim; it is expected to be a fixed, trusted statement, not built from alert data.</param>
        /// <returns>The resulting table, or an empty <see cref="DataTable"/> when the query fails.</returns>
        /// <remarks>A failure is reported by e-mail through Fido_EventHandler instead of being rethrown.</remarks>
        private static DataTable GetThreatGridTable(string query)
        {
            var db     = new SqLiteDB();
            var result = new DataTable();

            try
            {
                result = db.GetDataTable(query);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
            }

            return(result);
        }
        /// <summary>
        /// Loads the Carbon Black configuration rows for one API call name and maps them with CBConfigs.
        /// </summary>
        /// <param name="detect">The api_call value to select. It is spliced straight into the SQL literal, so it must be an internal, quote-free key, never a value taken from an alert.</param>
        /// <returns>The mapped configuration, or a fresh empty <see cref="ParseCBConfigs"/> when the query or the mapping fails.</returns>
        /// <remarks>Failures are reported by e-mail through Fido_EventHandler rather than rethrown.</remarks>
        private static ParseCBConfigs ParseDetectorConfigs(string detect)
        {
            //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
            var query = @"SELECT * from configs_sysmgmt_carbonblack WHERE api_call = '" + detect + @"'";

            var db       = new SqLiteDB();
            var cbReturn = new ParseCBConfigs();

            try
            {
                var configRows = db.GetDataTable(query);
                cbReturn = CBConfigs(configRows);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
            }

            return(cbReturn);
        }
    /// <summary>
    /// Sends <paramref name="request"/> to the VirusTotal v2 API through the shared client and
    /// deserializes the JSON body into <typeparamref name="T"/>.
    /// </summary>
    /// <param name="request">The prepared REST request.</param>
    /// <param name="applyHack">When true, the "scans" object in the body is rewritten into an array before deserializing (see the inline hack).</param>
    /// <returns>The deserialized result, or default(T) once the retry budget is used up.</returns>
    /// <exception cref="AccessDeniedException">The API answered 403 Forbidden.</exception>
    /// <exception cref="Exception">Deserialization failed again on the retry.</exception>
    private static T GetResults<T>(RestRequest request, bool applyHack = false)
    {

      // NOTE(review): the base URL is plain http, so the API key carried by the request and the
      // report contents cross the network unencrypted; switch to https once confirmed to work.
      _client.BaseUrl = new Uri("http://www.virustotal.com/vtapi/v2/", UriKind.Absolute);
      _client.Proxy = null;
      _client.FollowRedirects = false;
      T results;
      // paid_feed decides whether the rate-limit back-off below is applied at all.
      var fidoDB = new SqLiteDB();
      var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
      var response = (RestResponse)_client.Execute(request);

      if (applyHack)
      {
        //Warning: Huge hack... sorry :(
        // Rewrites the "scans" JSON object (one property per engine) into an array of
        // {"name": ..., "detected": ...} objects so it deserializes into a list. The last
        // Replace is purely textual and touches every "}}" in the body, not only the scans block.
        response.Content = Regex.Replace(response.Content, "\"([\\w\\d -\\._]+)\": \\{\"detected\":", "{\"name\": \"$1\", \"detected\":", RegexOptions.Compiled | RegexOptions.CultureInvariant);
        response.Content = response.Content.Replace("scans\": {", "scans\": [");
        response.Content = response.Content.Replace("}}", "}]");
      }

      IDeserializer deserializer = new JsonDeserializer();

      // 204 No Content is treated as the rate-limit response: back off on the free feed, then
      // retry with applyHack forced to true regardless of what the caller passed. Nothing bounds
      // this recursion, and on a paid feed there is no pause before retrying.
      if (response.StatusCode == HttpStatusCode.NoContent)
      {
        //todo: move integer value to db
        if (!isPaidFeed) Thread.Sleep(30000);
        results = GetResults<T>(request, true);
        return results;
      }
        //throw new RateLimitException("You have reached the 5 requests pr. min. limit of VirusTotal");

      if (response.StatusCode == HttpStatusCode.Forbidden)
        throw new AccessDeniedException("You don't have access to the service. Make sure your API key is working correctly.");

      try
      {
        results = deserializer.Deserialize<T>(response);
      }
      catch (SerializationException)
      {
        //retry request.
        // _retryCounter and Retry are declared outside this block; as statics they are shared by
        // every caller, so the retry budget is per process rather than per request.
        try
        {
          _retryCounter--;

          if (_retryCounter <= 0)
          {
            _retryCounter = Retry;
            return default(T);
          }
          results = GetResults<T>(request, applyHack);
        }
        catch (SerializationException ex)
        {
          throw new Exception("Failed to deserialize request.", ex);
        }
      }

      //reset retry counter
      _retryCounter = Retry;
      return results;
    }
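    /// <summary>
    /// Fetches a VirusTotal URL report for each URL, submitting unknown URLs for scanning and
    /// polling up to three times for a finished result.
    /// </summary>
    /// <param name="sURL">URLs to look up. Entries without an http/https scheme get "http://" prepended.</param>
    /// <returns>The finished reports, or null when the input is null or no report finished.</returns>
    /// <remarks>
    /// On the free feed (paid_feed false) the method sleeps between calls to stay under the VT
    /// rate limit; a rate-limit exception makes it retry the whole batch recursively without a
    /// bound. Other failures are reported by e-mail through Fido_EventHandler and yield null.
    /// </remarks>
    private static List<UrlReport> ParseUrl(IEnumerable<string> sURL)
    {
      // Guard first: the null test used to come after the sequence was materialised, which threw.
      if (sURL == null)
      {
        return null;
      }

      //The below is a placeholder for when this will be encrypted.
      //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
      var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
      var vtLogin = new VirusTotal(sVTKey);
      List<UrlReport> sVirusTotalUrl = null;
      var sVTURLreturn = new List<UrlReport>();
      var url = sURL as IList<string> ?? sURL.ToList();
      var fidoDB = new SqLiteDB();
      var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

      try
      {
        for (var i = 0; i < url.Count; i++)
        {
          // Only prepend a scheme when none is present; the old Contains("http://") test turned
          // "https://host" into "http://https://host".
          var newurl = url[i];
          if (!newurl.StartsWith("http://", StringComparison.OrdinalIgnoreCase)
              && !newurl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
          {
            newurl = "http://" + newurl;
          }

          if (!isPaidFeed) Thread.Sleep(15000);
          var sVTURLtemp = new List<UrlReport> { vtLogin.GetUrlReport(newurl) };
          if (!isPaidFeed) Thread.Sleep(20000);
          var icount = 1;
          if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
          {
            Console.WriteLine(sVTURLtemp[0].VerboseMsg);
            Console.WriteLine(newurl);
            sVTURLreturn.Add(sVTURLtemp[0]);
            continue;
          }
          // Unknown URL: submit it for scanning and poll at most three times for the finished report.
          while (sVTURLtemp[0].VerboseMsg == "The requested resource is not among the finished, queued or pending scans" && icount <= 3)
          {
            Console.WriteLine(sVTURLtemp[0].VerboseMsg);
            Console.WriteLine(newurl);
            sVTURLtemp.RemoveAt(0);
            vtLogin.ScanUrl(newurl);
            //todo: move sleep integer to db
            Thread.Sleep(120000);
            icount++;
            sVTURLtemp.Add(vtLogin.GetUrlReport(newurl));
            if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
            {
              Console.WriteLine(sVTURLtemp[0].VerboseMsg);
              Console.WriteLine(newurl);
              sVTURLreturn.Add(sVTURLtemp[0]);
            }
          }
        }
        if (sVTURLreturn.Any())
        {
          sVirusTotalUrl = sVTURLreturn;
          return sVirusTotalUrl;
        }
      }
      catch (Exception e)
      {
        // Rate-limit signal from the VT client: wait (free feed only) and re-run the whole batch.
        if (e.Message == "You have reached the 5 requests pr. min. limit of VirusTotal")
        {
          if (!isPaidFeed) Thread.Sleep(60000);
          sVirusTotalUrl = ParseUrl(url);
          return sVirusTotalUrl;
        }

        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
      }
      return sVirusTotalUrl;
    }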
        /// <summary>
        /// Replaces the shared config dictionary with the key/value rows of <paramref name="table"/>.
        /// </summary>
        /// <param name="table">Name of the table to read. It is pasted into the SQL text, so it must be an internal, trusted table name.</param>
        /// <remarks>As with ToDictionary, a null key or a duplicate key makes this throw.</remarks>
        internal static void LoadConfigFromDb(string table)
        {
            var db   = new SqLiteDB();
            var rows = db.GetDataTable("select key, value from " + table).AsEnumerable();

            _dict = rows.ToDictionary <DataRow, string, string>(
                row => row.Field <string>(0),
                row => row.Field <string>(1));
        }
        /// <summary>
        /// Converts each Carbon Black alert result into a FidoReturnValues record, enriches it with
        /// host inventory and alert history, and hands it to TheDirector unless it was seen before
        /// or is an EICAR test hit.
        /// </summary>
        /// <param name="cbReturn">The parsed Carbon Black response whose Results are iterated.</param>
        /// <remarks>
        /// Each result is processed inside its own try/catch: a failure is reported by e-mail
        /// through Fido_EventHandler and processing moves on to the next result.
        /// </remarks>
        private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
        {
            // cbHost/cbHostInt track consecutive results from the same hostname (see the todo below).
            var cbHost    = string.Empty;
            var cbHostInt = 0;

            foreach (var cbEvent in cbReturn.Results)
            {
                Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
                try
                {
                    //initialize generic variables for CB values
                    var lFidoReturnValues = new FidoReturnValues();
                    // Whether the constructor already sets PreviousAlerts/CB is not visible here; these
                    // checks only matter if it leaves them null.
                    if (lFidoReturnValues.PreviousAlerts == null)
                    {
                        lFidoReturnValues.PreviousAlerts = new EventAlerts();
                    }

                    if (lFidoReturnValues.CB == null)
                    {
                        lFidoReturnValues.CB = new CarbonBlackReturnValues {
                            Alert = new CarbonBlackAlert()
                        };
                    }
                    lFidoReturnValues.CurrentDetector        = "carbonblackv1";
                    lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
                    lFidoReturnValues.CB.Alert.AlertType     = cbEvent.AlertType;
                    // Not null-guarded: a null WatchlistName or AlertType throws here and is caught below.
                    if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary"))
                    {
                        lFidoReturnValues.isBinary = true;
                    }

                    // Watchlist name -> malware type mapping, re-read from the database for every result.
                    var dTable = new SqLiteDB();
                    var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
                    var cbDict = GetDict(cbData);

                    foreach (var label in cbDict)
                    {
                        if (cbEvent.WatchlistName == label.Key)
                        {
                            lFidoReturnValues.MalwareType = label.Value;
                            break;
                        }
                    }

                    if (lFidoReturnValues.MalwareType == null)
                    {
                        lFidoReturnValues.MalwareType = "Malicious file detected.";
                    }

                    lFidoReturnValues.CB.Alert.EventID   = cbEvent.UniqueID;
                    lFidoReturnValues.AlertID            = cbEvent.UniqueID;
                    // Timestamps are normalised to UTC and stored as invariant-culture strings.
                    lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
                    lFidoReturnValues.TimeOccurred       = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
                    lFidoReturnValues.Hostname           = cbEvent.Hostname;

                    //todo: this was supposed to limit the total # of alerts sent from a single host,
                    //however, it is poo and needs to be redone.
                    // The counter only grows while the same host repeats back-to-back and is never
                    // reset; once it reaches 25 the alert is closed but still processed below.
                    if (lFidoReturnValues.Hostname != cbHost)
                    {
                        cbHost = lFidoReturnValues.Hostname;
                    }
                    else
                    {
                        cbHostInt++;
                    }

                    if (cbHostInt >= 25)
                    {
                        CloseCarbonBlackAlert(lFidoReturnValues);
                    }
                    lFidoReturnValues.Username = cbEvent.Username;
                    lFidoReturnValues.Hash     = new List <string> {
                        cbEvent.MD5
                    };
                    lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
                    lFidoReturnValues.CB.Inventory     = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);
                    // Falls back to the first observed filename when no process path was reported;
                    // the inner test repeats the outer one, and ObservedFilename[0] throws if it is empty.
                    if (string.IsNullOrEmpty(cbEvent.ProcessPath))
                    {
                        if (string.IsNullOrEmpty(cbEvent.ProcessPath))
                        {
                            lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0];
                        }
                    }
                    else
                    {
                        lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;
                    }

                    // HostCount/NetconnCount are compared with both 0 and null, so they are presumably
                    // nullable numerics — TODO confirm against the alert class.
                    if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null))
                    {
                        lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
                    }
                    else
                    {
                        lFidoReturnValues.CB.Alert.HostCount = "0";
                    }

                    if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null))
                    {
                        lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
                    }
                    else
                    {
                        lFidoReturnValues.CB.Alert.NetConn = "0";
                    }

                    // Source IP is taken from the first "|"/"," separated entry of the inventory's
                    // adapter list; an empty adapter string leaves no entries and sIP[0] throws.
                    if (lFidoReturnValues.CB.Inventory != null)
                    {
                        var sFilter = new[] { "|", "," };
                        var sIP     = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter, StringSplitOptions.RemoveEmptyEntries);
                        lFidoReturnValues.SrcIP = sIP[0];
                    }

                    var isRunDirector = false;
                    //Check to see if ID has been processed before
                    lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                    if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                    {
                        isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
                    }
                    // Already-handled alerts and EICAR test detections are dropped before dispatch.
                    if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                    {
                        continue;
                    }
                    //todo: build better filetype versus targetted OS, then remove this.
                    lFidoReturnValues.IsTargetOS = true;
                    TheDirector.Direct(lFidoReturnValues);
                    //CloseCarbonBlackAlert(lFidoReturnValues);
                }
                catch (Exception e)
                {
                    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
                }
            }
        }