private void XX(FidoReturnValues fidoReturnValues, bool isWebInfection)
{
Logging_Fido.RunLogging(malwareType + "!");
fidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);
if (!Fido_NetSegments.isEmptySrcIP(fidoReturnValues.SrcIP))
{
return;
}
fidoReturnValues.IsTargetOS = true;
//hand of process to get more information about the host
fidoReturnValues.MalwareType = sSubjectArray[0];
fidoReturnValues.CurrentDetector = "mps";
TheDirector.Direct(fidoReturnValues);
}
private static FidoReturnValues FormatIdsReturnValues(FidoReturnValues lFidoReturnValues)
{
try
{
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
TheDirector.Direct(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 IP reputation return:" + e);;
}
return(lFidoReturnValues);
}
private static FidoReturnValues FormatURLReturnValues(FidoReturnValues lFidoReturnValues)
{
try
{
lFidoReturnValues.ProtectWise.URL = lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation.Url;
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
TheDirector.Direct(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 URL reputation return:" + e);;
}
return(lFidoReturnValues);
}
private static FidoReturnValues FormatInfectionReturnValues(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
lFidoReturnValues.Cyphort.Domain = new List <string>();
lFidoReturnValues.Cyphort.URL = new List <string>();
lFidoReturnValues.Cyphort.MD5Hash = new List <string>();
try
{
foreach (var infection in lFidoReturnValues.Cyphort.IncidentDetails.Incident.InfectionArray)
{
lFidoReturnValues.Cyphort.EventID = infection.Infection_id;
lFidoReturnValues.AlertID = infection.Infection_id;
lFidoReturnValues.Cyphort.URL.Add(string.Empty);
lFidoReturnValues.Cyphort.MD5Hash.Add(string.Empty);
lFidoReturnValues.Cyphort.Domain.Add(infection.Cnc_servers);
lFidoReturnValues.DNSName = infection.Cnc_servers.Replace(".", "(.)");
var isRunDirector = false;
//Check to see if ID has been processed before
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
{
continue;
}
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
Console.WriteLine(@"Processing CNC incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
TheDirector.Direct(lFidoReturnValues);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 infection return:" + e);
}
return(lFidoReturnValues);
}
private static void ParsePan(Object_PaloAlto_Class.PanReturn panReturn)
{
try
{
foreach (var entry in panReturn.Result.Log.Logs.Entry)
{
if (entry.App == "dns")
{
continue;
}
Console.WriteLine(@"Processing PAN " + entry.SubType + @" event.");
//initialize generic variables for PAN values
var lFidoReturnValues = new FidoReturnValues();
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.PaloAlto == null)
{
lFidoReturnValues.PaloAlto = new PaloAltoReturnValues();
}
//Convert PAN classifications to more readable values
lFidoReturnValues.MalwareType = entry.Type + " " + entry.SubType;
lFidoReturnValues.CurrentDetector = "panv1";
lFidoReturnValues.PaloAlto.EventID = entry.EventID;
lFidoReturnValues.AlertID = entry.EventID;
if (entry.Direction == "client-to-server")
{
lFidoReturnValues.PaloAlto.isDst = true;
}
else
{
lFidoReturnValues.PaloAlto.isDst = false;
}
if (lFidoReturnValues.PaloAlto.isDst)
{
lFidoReturnValues.SrcIP = entry.SrcIP;
lFidoReturnValues.DstIP = entry.DstIP;
lFidoReturnValues.PaloAlto.DstIp = entry.DstIP;
}
else
{
lFidoReturnValues.SrcIP = entry.DstIP;
lFidoReturnValues.DstIP = entry.SrcIP;
lFidoReturnValues.PaloAlto.DstIp = entry.SrcIP;
}
if (!string.IsNullOrEmpty(entry.DstUser))
{
lFidoReturnValues.PaloAlto.DstUser = entry.DstUser.Replace(@"corp\", string.Empty);
lFidoReturnValues.Username = entry.DstUser;
}
lFidoReturnValues.PaloAlto.EventTime = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.TimeOccurred = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
var isRunDirector = false;
//Check to see if ID has been processed before
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.PaloAlto.EventID, lFidoReturnValues.PaloAlto.EventTime);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
{
continue;
}
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
Console.WriteLine(@"Processing PAN incident " + lFidoReturnValues.PaloAlto.EventID + @" through to the Director.");
TheDirector.Direct(lFidoReturnValues);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e);
}
}
//This function will attempt to go through the log looking for computers which
//the local client could not clean malicous malware.
static void ParseLogs([NotNull] IEnumerable <string> sSophosAlerts)
{
if (sSophosAlerts == null)
{
throw new ArgumentNullException("sSophosAlerts");
}
var lSophosReturns = new List <string>();
try
{
//loop through new entries from log
foreach (var sSophosValues in from t in sSophosAlerts let sFilter = new[] { "INFO:", ";", "InsertedAt=", "EventTime=", "ActionTaken=", "UserName="******"Status=", "ThreatType=", "ThreatName=", "FullFilePath=", "ComputerName=", "ComputerIPAddress=" } select t.Split(sFilter, StringSplitOptions.RemoveEmptyEntries) into sSophosValues where (sSophosValues[18].Trim() == "Viruses/spyware") && ((sSophosValues[8].Trim() == "Partially Cleaned") || (sSophosValues[8].Trim() == "None")) && (sSophosValues[12].Trim() != "ScannerType=Web browser") && (sSophosValues[20].Trim() != "Shh/Updater-B") select sSophosValues)
{
//assign values to list
for (var x = 0; x < sSophosValues.Length; x++)
{
switch (x)
{
case 2:
lSophosReturns.Add(sSophosValues[2].Trim());
break;
case 5:
lSophosReturns.Add(sSophosValues[5].Trim());
break;
case 8:
lSophosReturns.Add(sSophosValues[8].Trim());
break;
case 10:
lSophosReturns.Add(sSophosValues[10].Trim());
break;
case 15:
lSophosReturns.Add(sSophosValues[15].Trim());
break;
case 18:
lSophosReturns.Add(sSophosValues[18].Trim());
break;
case 20:
lSophosReturns.Add(sSophosValues[20].Trim());
break;
case 22:
lSophosReturns.Add(sSophosValues[22].Trim());
break;
case 24:
lSophosReturns.Add(sSophosValues[24].Trim());
break;
case 27:
lSophosReturns.Add(sSophosValues[27].Trim());
break;
}
}
//convert list to fidoreturnvalues
var lFidoReturnValues = Sophos2FidoValues.SophoslFidoValues(lSophosReturns);
lFidoReturnValues.CurrentDetector = "antivirus";
TheDirector.Direct(lFidoReturnValues);
lSophosReturns.Clear();
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Sophos parselogs area:" + e);
}
}
private static FidoReturnValues FormatDownloadReturnValues(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
lFidoReturnValues.Cyphort.URL = new List <string>();
lFidoReturnValues.Cyphort.MD5Hash = new List <string>();
lFidoReturnValues.Cyphort.Domain = new List <string>();
try
{
foreach (var download in lFidoReturnValues.Cyphort.IncidentDetails.Incident.DownloadArray)
{
if (!string.IsNullOrEmpty(download.Event_id))
{
lFidoReturnValues.Cyphort.EventID = download.Event_id;
}
if (!string.IsNullOrEmpty(download.Event_id))
{
lFidoReturnValues.AlertID = download.Event_id;
}
if (!string.IsNullOrEmpty(download.Source_url))
{
lFidoReturnValues.Cyphort.URL.Add(download.Source_url);
lFidoReturnValues.Url = new List <string> {
download.Source_url
};
}
if (!string.IsNullOrEmpty(download.File_md5_string))
{
lFidoReturnValues.Cyphort.MD5Hash.Add(download.File_md5_string);
lFidoReturnValues.Hash = new List <string> {
download.File_md5_string
};
}
if (download.Req_headers != null)
{
lFidoReturnValues.Cyphort.Domain.Add(download.Req_headers.Host);
lFidoReturnValues.DNSName = download.Req_headers.Host.Replace(".", "(.)");
}
//Check to see if ID has been processed before
var isRunDirector = false;
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
{
continue;
}
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
Console.WriteLine(@"Processing download incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
TheDirector.Direct(lFidoReturnValues);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 download return:" + e);
}
return(lFidoReturnValues);
}
//This function will grab the API information and build a query string.
//Then it will assign the json return to an object. If any of the objects
//have a value they will be sent to ParseCyphort helper function.
//public static void GetCyphortAlerts()
//{
// Console.WriteLine(@"Running Cyphort v2 detector.");
// //currently needed to bypass site without a valid cert.
// //todo: make ssl bypass configurable
// ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
// ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
// var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv2");
// var request = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
// var alertRequest = (HttpWebRequest)WebRequest.Create(request);
// alertRequest.Method = "GET";
// try
// {
// using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
// {
// if (cyphortResponse != null && cyphortResponse.StatusCode == HttpStatusCode.OK)
// {
// using (var respStream = cyphortResponse.GetResponseStream())
// {
// if (respStream == null) return;
// var cyphortReader = new StreamReader(respStream, Encoding.UTF8);
// var stringreturn = cyphortReader.ReadToEnd();
// var cyphortReturn = JsonConvert.DeserializeObject<CyphortClass>(stringreturn);
// if (cyphortReturn.correlations_array.Any() | cyphortReturn.infections_array.Any() | cyphortReturn.downloads_array.Any())
// {
// ParseCyphort(cyphortReturn);
// }
// var responseStream = cyphortResponse.GetResponseStream();
// if (responseStream != null) responseStream.Dispose();
// cyphortResponse.Close();
// Console.WriteLine(@"Finished processing Cyphort detector.");
// }
// }
// }
// }
// catch (Exception e)
// {
// Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector getting json:" + e);
// }
//}
//Helper function to assign important values to FidoReturnValues objects and then
//handoff to TheDirector for FIDO processing.
private static void ParseCyphort(CyphortClass cyphortReturn)
{
try
{
if (cyphortReturn.correlations_array != null && cyphortReturn.correlations_array.Any())
{
cyphortReturn.correlations_array = cyphortReturn.correlations_array.Reverse().ToArray();
for (var i = 0; i < cyphortReturn.correlations_array.Count(); i++)
{
Console.WriteLine(@"Processing correlation alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.correlations_array.Count().ToString(CultureInfo.InvariantCulture) + @".");
var lFidoReturnValues = new FidoReturnValues();
var isRunDirector = false;
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.Cyphort == null)
{
lFidoReturnValues.Cyphort = new CyphortReturnValues();
}
if (cyphortReturn.correlations_array[i][4].Contains(":"))
{
continue;
}
lFidoReturnValues.SrcIP = cyphortReturn.correlations_array[i][4];
lFidoReturnValues.MalwareType = cyphortReturn.correlations_array[i][19] + " and download";
lFidoReturnValues.DstIP = cyphortReturn.correlations_array[i][16];
lFidoReturnValues.Cyphort.DstIP = cyphortReturn.correlations_array[i][16];
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventID = cyphortReturn.correlations_array[i][1];
lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID;
lFidoReturnValues.Cyphort.URL = new List <string> {
cyphortReturn.correlations_array[i][12]
};
lFidoReturnValues.Url = new List <string> {
cyphortReturn.correlations_array[i][12]
};
lFidoReturnValues.Cyphort.Domain = new List <string> {
cyphortReturn.correlations_array[i][11]
};
lFidoReturnValues.Cyphort.MD5Hash = new List <string> {
cyphortReturn.correlations_array[i][7]
};
lFidoReturnValues.Hash = new List <string> {
cyphortReturn.correlations_array[i][7]
};
lFidoReturnValues.CurrentDetector = "cyphortv2";
//Using the Hostname/SrcIP, check the FidoDB to see if any previous alerts were generated
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
//If previous alerts were generated then run PreviousAlert to compare the AlertID of the newly generated
//alert versus previous alerts.
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues);
}
//If the type of alert is a test alert then exit, or if the alert is has already been processed
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY"))
{
continue;
}
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
TheDirector.Direct(lFidoReturnValues);
}
}
if (cyphortReturn.downloads_array != null && cyphortReturn.downloads_array.Any())
{
cyphortReturn.downloads_array = cyphortReturn.downloads_array.Reverse().ToArray();
for (var i = 0; i < cyphortReturn.downloads_array.Count(); i++)
{
Console.WriteLine(@"Processing download alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.downloads_array.Count().ToString(CultureInfo.InvariantCulture) + @".");
var lFidoReturnValues = new FidoReturnValues();
var isRunDirector = false;
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.Cyphort == null)
{
lFidoReturnValues.Cyphort = new CyphortReturnValues();
}
if (cyphortReturn.downloads_array[i][4].Contains(":"))
{
continue;
}
lFidoReturnValues.SrcIP = cyphortReturn.downloads_array[i][4];
lFidoReturnValues.MalwareType = cyphortReturn.downloads_array[i][20] + " download detected";
lFidoReturnValues.DstIP = cyphortReturn.downloads_array[i][16];
lFidoReturnValues.Cyphort.DstIP = cyphortReturn.downloads_array[i][16];
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventID = cyphortReturn.downloads_array[i][0];
lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID;
lFidoReturnValues.Cyphort.URL = new List <string> {
cyphortReturn.downloads_array[i][12]
};
lFidoReturnValues.Url = new List <string> {
cyphortReturn.downloads_array[i][12]
};
lFidoReturnValues.Cyphort.Domain = new List <string> {
cyphortReturn.downloads_array[i][11]
};
lFidoReturnValues.Cyphort.MD5Hash = new List <string> {
cyphortReturn.downloads_array[i][7]
};
lFidoReturnValues.Hash = new List <string> {
cyphortReturn.downloads_array[i][7]
};
lFidoReturnValues.CurrentDetector = "cyphortv2";
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY"))
{
continue;
}
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
TheDirector.Direct(lFidoReturnValues);
}
}
if (cyphortReturn.infections_array != null && cyphortReturn.infections_array.Any())
{
cyphortReturn.infections_array = cyphortReturn.infections_array.Reverse().ToArray();
for (var i = 0; i < cyphortReturn.infections_array.Count(); i++)
{
Console.WriteLine(@"Processing infection alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.infections_array.Count().ToString(CultureInfo.InvariantCulture) + @".");
var lFidoReturnValues = new FidoReturnValues();
var isRunDirector = false;
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.Cyphort == null)
{
lFidoReturnValues.Cyphort = new CyphortReturnValues();
}
if (cyphortReturn.infections_array[i][4].Contains(":"))
{
continue;
}
lFidoReturnValues.SrcIP = cyphortReturn.infections_array[i][4];
lFidoReturnValues.MalwareType = "C&C external communication detected";
lFidoReturnValues.DstIP = cyphortReturn.infections_array[i][16];
lFidoReturnValues.Cyphort.DstIP = cyphortReturn.infections_array[i][16];
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Cyphort.EventID = cyphortReturn.infections_array[i][1];
lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID;
lFidoReturnValues.Cyphort.URL = new List <string> {
cyphortReturn.infections_array[i][12]
};
lFidoReturnValues.Url = new List <string> {
cyphortReturn.infections_array[i][12]
};
lFidoReturnValues.Cyphort.Domain = new List <string> {
cyphortReturn.infections_array[i][11]
};
lFidoReturnValues.Cyphort.MD5Hash = new List <string> {
cyphortReturn.infections_array[i][7]
};
lFidoReturnValues.Hash = new List <string> {
cyphortReturn.infections_array[i][7]
};
lFidoReturnValues.CurrentDetector = "cyphortv2";
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY"))
{
continue;
}
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
TheDirector.Direct(lFidoReturnValues);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector parse:" + e);
}
}
//function for FireEye MPS to parse each email to get source, destination, MAC addr, type of
//attack, time it occured and important URLs
public static void FireEyeEmailReceive(string sEmailBody, string sSubject)
{
try
{
Console.WriteLine(@"Running FireEye MPS detector.");
var sSubjectArray = sSubject.Split(':');
var malwareType = sSubjectArray[0];
FidoReturnValues lFidoReturnValues;
//the below code is hacky and needs to be optimized. I couldn't
//think of a better way to write it and it works... so fix it or shut up.
//get additional information from the alert such as hashes, URLs, etc
if (string.IsNullOrEmpty(malwareType) && (String.Compare(malwareType, "malware-callback detected", StringComparison.Ordinal) == 0) || (String.Compare(malwareType, "malware-object detected", StringComparison.Ordinal) == 0))
{
Console.WriteLine(@"Malware-callback detected");
Logging_Fido.RunLogging(malwareType + "!");
lFidoReturnValues = FireEyeParse(sEmailBody, false);
if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
{
return;
}
lFidoReturnValues.IsTargetOS = true;
//hand of process to get more information about the host
lFidoReturnValues.MalwareType = sSubjectArray[0];
lFidoReturnValues.CurrentDetector = "mps";
TheDirector.Direct(lFidoReturnValues);
//consider do an else in case srcip comes back empty
//else
//{
//}
}
else if (malwareType != null && String.Compare(malwareType, "web-infection detected", StringComparison.Ordinal) == 0)
{
Console.WriteLine(@"Web-infection detected.");
Logging_Fido.RunLogging(malwareType + "!");
lFidoReturnValues = FireEyeParse(sEmailBody, true);
if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
{
return;
}
lFidoReturnValues.IsTargetOS = true;
//hand of process to get more information about the host
lFidoReturnValues.MalwareType = sSubjectArray[0];
lFidoReturnValues.CurrentDetector = "mps";
TheDirector.Direct(lFidoReturnValues);
//consider do an else in case srcip comes back empty
//else
//{
//}
}
else if (malwareType != null && String.Compare(malwareType, "infection-match detected", StringComparison.Ordinal) == 0)
{
Console.WriteLine(@"Infection-match detected.");
Logging_Fido.RunLogging(malwareType + "!");
lFidoReturnValues = FireEyeParse(sEmailBody, false);
if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
{
return;
}
lFidoReturnValues.IsTargetOS = true;
//hand of process to get more information about the host
lFidoReturnValues.MalwareType = sSubjectArray[0];
lFidoReturnValues.CurrentDetector = "mps";
TheDirector.Direct(lFidoReturnValues);
//consider do an else in case srcip comes back empty
//else
//{
//}
}
Console.WriteLine(@"Exiting FireEye detector.");
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught receiving FireEye email:" + e);
}
}
//This is the detector call for bit9. Its purpose is to get
//the most recent hashes (last 60 secs (or so)) and parse them
//over to our security feeds. If the security feeds find
//relevant information get hostname/ip and call TheDirector.
public static void GetEvents()
{
var lFidoReturnValues = new FidoReturnValues();
try
{
Console.WriteLine(@"Running Bit9 detector.");
var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
var sBit9DetectorQuery = Object_Fido_Configs.GetAsString("fido.detectors.bit9.query", null);
var sTempConn = Object_Fido_Configs.GetAsString("fido.detectors.bit9.connectionstring", null);
var replacements = new Dictionary <string, string>
{
{ "sUserID", sUserID },
{ "sPwd", sPwd },
{ "sBit9Server", sBit9Server },
{ "sDB", sDb }
};
//sTempConn = replacements.Aggregate(sTempConn, (current, srep) => current.Replace(srep.Key, srep.Value));
//todo: SQL injection. really? this was the best you could think of? remove this and do it properly.
var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDb + ";connection timeout=60");
var sqlCmd = new SqlCommand(sBit9DetectorQuery, vConnection)
{
CommandType = CommandType.Text
};
var lBit9Hash = new List <string>();
vConnection.Open();
using (var objReader = sqlCmd.ExecuteReader())
{
if (objReader.HasRows)
{
Console.WriteLine(@"New hashes found...");
while (objReader.Read())
{
var oBit9Return = new object[objReader.FieldCount];
var quant = objReader.GetSqlValues(oBit9Return);
if (oBit9Return.GetValue(4) != null)
{
lBit9Hash.Add(oBit9Return.GetValue(4).ToString());
}
}
}
}
if (lBit9Hash.Count == 0)
{
return;
}
Console.WriteLine(@"Processing " + lBit9Hash.Count().ToString(CultureInfo.InvariantCulture) + @" hashes.");
var aryBit9Hash = lBit9Hash.ToArray();
lFidoReturnValues.Hash = lBit9Hash;
//todo: write additional code to include other threat feeds.
var vtReturn = Feeds_VirusTotal.ParseHash(aryBit9Hash);
if (!vtReturn.Any())
{
return;
}
//todo: if return is 'not seen before' right helper function to upload file to threat feed.
foreach (var vtEntry in vtReturn)
{
if (vtEntry.Positives <= 0)
{
continue;
}
var sHostInfo = GetHost(vtEntry.Resource);
foreach (var sHostInfoList in sHostInfo)
{
var sSingleHostInfo = sHostInfoList.Split(',');
var sHostName = sSingleHostInfo[0].Split('\\');
//todo: need to write second tree for when file hasn't
//executed, but does still exist on the system,
//sSingleHostInfo[1].ToLower() == "yes"
if (sSingleHostInfo[2].ToLower() != "yes")
{
continue;
}
if (lFidoReturnValues.Bit9 == null)
{
lFidoReturnValues.Bit9 = new Bit9ReturnValues();
}
if (lFidoReturnValues.Bit9.VTReport == null)
{
lFidoReturnValues.Bit9.VTReport = new List <FileReport>();
}
lFidoReturnValues.IsHostKnown = true;
lFidoReturnValues.Hostname = sHostName[1];
lFidoReturnValues.SrcIP = sSingleHostInfo[1];
lFidoReturnValues.Bit9.HostName = sSingleHostInfo[0];
lFidoReturnValues.Bit9.VTReport.Add(vtEntry);
lFidoReturnValues.Bit9.FileExecuted = sSingleHostInfo[2];
lFidoReturnValues.Bit9.FileDeleted = sSingleHostInfo[3];
lFidoReturnValues.CurrentDetector = "bit9";
lFidoReturnValues.MalwareType = "Malicious file";
lFidoReturnValues.IsTargetOS = true;
lFidoReturnValues.DstIP = string.Empty;
var lMD5 = new List <string> {
vtEntry.MD5
};
lMD5 = GetFileInfo(lMD5, lFidoReturnValues.Bit9);
lFidoReturnValues.Bit9.FileName = lMD5[5] + @"\" + lMD5[6];
lFidoReturnValues.Bit9.FileThreat = lMD5[51];
lFidoReturnValues.Bit9.FileTrust = lMD5[50];
//lFidoReturnValues.Hash = new List<FileReport> {vtEntry.MD5};
Console.WriteLine(@"Malicious hashes found... continue to process.");
TheDirector.Direct(lFidoReturnValues);
}
}
vConnection.Close();
Console.WriteLine(@"Exiting Bit9 detector.");
}
catch (Exception e)
{
// Get stack trace for the exception with source file information
var st = new StackTrace(e, true);
// Get the top stack frame
var frame = st.GetFrame(0);
// Get the line number from the stack frame
var line = frame.GetFileLineNumber();
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving alerts from Bit9 on line " + line + ":" + e);
}
}
private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
{
var cbHost = string.Empty;
var cbHostInt = 0;
foreach (var cbEvent in cbReturn.Results)
{
Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
try
{
//initialize generic variables for CB values
var lFidoReturnValues = new FidoReturnValues();
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.CB == null)
{
lFidoReturnValues.CB = new CarbonBlackReturnValues {
Alert = new CarbonBlackAlert()
};
}
lFidoReturnValues.CurrentDetector = "carbonblackv1";
lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType;
if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary"))
{
lFidoReturnValues.isBinary = true;
}
var dTable = new SqLiteDB();
var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
var cbDict = GetDict(cbData);
foreach (var label in cbDict)
{
if (cbEvent.WatchlistName == label.Key)
{
lFidoReturnValues.MalwareType = label.Value;
break;
}
}
if (lFidoReturnValues.MalwareType == null)
{
lFidoReturnValues.MalwareType = "Malicious file detected.";
}
lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID;
lFidoReturnValues.AlertID = cbEvent.UniqueID;
lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Hostname = cbEvent.Hostname;
//todo: this was supposed to limit the total # of alerts sent from a single host,
//however, it is poo and needs to be redone.
if (lFidoReturnValues.Hostname != cbHost)
{
cbHost = lFidoReturnValues.Hostname;
}
else
{
cbHostInt++;
}
if (cbHostInt >= 25)
{
CloseCarbonBlackAlert(lFidoReturnValues);
}
lFidoReturnValues.Username = cbEvent.Username;
lFidoReturnValues.Hash = new List <string> {
cbEvent.MD5
};
lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);
if (string.IsNullOrEmpty(cbEvent.ProcessPath))
{
if (string.IsNullOrEmpty(cbEvent.ProcessPath))
{
lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0];
}
}
else
{
lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;
}
if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null))
{
lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
}
else
{
lFidoReturnValues.CB.Alert.HostCount = "0";
}
if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null))
{
lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
}
else
{
lFidoReturnValues.CB.Alert.NetConn = "0";
}
if (lFidoReturnValues.CB.Inventory != null)
{
var sFilter = new[] { "|", "," };
var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter, StringSplitOptions.RemoveEmptyEntries);
lFidoReturnValues.SrcIP = sIP[0];
}
var isRunDirector = false;
//Check to see if ID has been processed before
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
{
continue;
}
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
TheDirector.Direct(lFidoReturnValues);
//CloseCarbonBlackAlert(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
}
}
}
