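        // Loads the historical-event query templates from the FIDO DB and, for every URL,
        // the destination IP and every hash on the alert, counts how many earlier alerts
        // matched that indicator. The counts are written to lFidoReturnValues.HistoricalEvent.
        // Returns the same lFidoReturnValues instance (mutated in place). Query failures are
        // emailed, not rethrown.
        internal static FidoReturnValues HistoricalEvent(FidoReturnValues lFidoReturnValues)
        {
            Console.WriteLine(@"Gathering historical information from FIDO DB.");
            const string historicalQuery = "SELECT * FROM configs_historical_events";
            var fidoTemp = GetPreviousAlerts(historicalQuery);

            // No query templates configured: nothing can be counted.
            if (fidoTemp.Rows.Count <= 0)
            {
                return lFidoReturnValues;
            }
            lFidoReturnValues.HistoricalEvent = FormatHistoricalEvents(fidoTemp);

            try
            {
                var historical = lFidoReturnValues.HistoricalEvent;

                // The counts are summed over every indicator. The previous version replaced the
                // DataTable on each loop iteration, so only the last URL / last hash was counted.
                // NOTE(review): URL, IP and hash values come from the alert and are spliced into
                // the query text with Replace(); GetPreviousAlerts only accepts a finished string,
                // so they cannot be bound as parameters here. Treat them as untrusted input.
                var urlCount = 0;
                if (lFidoReturnValues.Url != null)
                {
                    foreach (var url in lFidoReturnValues.Url)
                    {
                        urlCount += GetPreviousAlerts(historical.UrlQuery.Replace("%url%", url)).Rows.Count;
                    }
                }

                var ipCount = GetPreviousAlerts(historical.IpQuery.Replace("%ip%", lFidoReturnValues.DstIP)).Rows.Count;

                var hashCount = 0;
                if (lFidoReturnValues.Hash != null)
                {
                    foreach (var hash in lFidoReturnValues.Hash)
                    {
                        hashCount += GetPreviousAlerts(historical.HashQuery.Replace("%hash%", hash)).Rows.Count;
                    }
                }

                Console.WriteLine(@"Historical data:");
                historical.UrlCount  = urlCount;
                historical.IpCount   = ipCount;
                historical.HashCount = hashCount;
                Console.WriteLine(@"URL Count = " + historical.UrlCount.ToString(CultureInfo.InvariantCulture));
                Console.WriteLine(@"IP Count = " + historical.IpCount.ToString(CultureInfo.InvariantCulture));
                Console.WriteLine(@"Hash Count = " + historical.HashCount.ToString(CultureInfo.InvariantCulture));
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e);
            }
            return lFidoReturnValues;
        }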
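        // Walks the ProtectWise events newest-first, fetches the observations for each one from
        // the ProtectWise search API (authenticated with the X-Access-Token header) and hands
        // every decoded response to ParseProtectWiseObservation. protectWiseReturn.Events is
        // replaced by its reversed copy. Per-event failures are emailed and the loop continues.
        private static void ParseProtectWiseEvent(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events protectWiseReturn)
        {
            protectWiseReturn.Events = protectWiseReturn.Events.Reverse().ToArray();

            // Process-wide setting; set once rather than on every iteration.
            // NOTE(review): SecurityProtocolType.Tls pins the client to TLS 1.0. Prefer Tls12
            // where the target framework offers it, since TLS 1.0 is deprecated.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

            foreach (var pevent in protectWiseReturn.Events)
            {
                Console.WriteLine(@"Gathering ProtectWise observations for event: " + pevent.Message + @".");
                var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");
                var request      = parseConfigs.Server + parseConfigs.Query2 + pevent.Id;
                var alertRequest = (HttpWebRequest)WebRequest.Create(request);
                alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
                alertRequest.Method = "GET";
                try
                {
                    using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
                    {
                        if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK)
                        {
                            continue;
                        }
                        using (var respStream = protectwiseResponse.GetResponseStream())
                        {
                            // A missing body for one event must not abort the remaining events
                            // (the previous version returned from the whole method here).
                            if (respStream == null)
                            {
                                continue;
                            }
                            // The reader owns the stream; the using blocks dispose both, so the
                            // extra GetResponseStream()/Dispose()/Close() calls are not needed.
                            using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
                            {
                                var stringreturn      = protectwiseReader.ReadToEnd();
                                var protectwiseReturn = JsonConvert.DeserializeObject<Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event>(stringreturn);
                                if (protectwiseReturn != null)
                                {
                                    ParseProtectWiseObservation(protectwiseReturn, pevent.Message);
                                }
                            }
                        }
                    }
                }
                catch (Exception e)
                {
                    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector when getting json:" + e);
                }
            }
        }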
        //This function will grab the API information and build a query string.
        //Then it will assign the json return to an object. If any of the objects
        //have a value they will be sent to ParseCyphort helper function.
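        // Polls the Cyphort v2 API once and passes the decoded result to ParseCyphort when any of
        // the correlations/infections/downloads arrays is non-empty. Failures are emailed.
        public static void GetCyphortAlerts()
        {
            Console.WriteLine(@"Running Cyphort v2 detector.");
            //currently needed to bypass site without a valid cert.
            //todo: make ssl bypass configurable
            // SECURITY(review): the callback below is process-wide. It turns off server
            // certificate validation for every HttpWebRequest FIDO makes, not only the Cyphort
            // call, so all of those connections become interceptable. Kept because the author
            // reports the site has no valid certificate; it should at least be limited to this
            // request (HttpWebRequest.ServerCertificateValidationCallback) and gated by config.
            // SecurityProtocolType.Tls also pins TLS 1.0; prefer Tls12 where the framework has it.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };

            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv2");
            // NOTE(review): the API key is carried in the request URL, where proxies and server
            // access logs will record it; a header would be preferable if the API supports one.
            var request      = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
            var alertRequest = (HttpWebRequest)WebRequest.Create(request);

            alertRequest.Method = "GET";
            try
            {
                using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
                    {
                        return;
                    }
                    using (var respStream = cyphortResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return;
                        }
                        // The reader owns the stream; the using blocks dispose everything, so the
                        // second GetResponseStream()/Dispose()/Close() of the old version is gone.
                        using (var cyphortReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            var stringreturn  = cyphortReader.ReadToEnd();
                            var cyphortReturn = JsonConvert.DeserializeObject<CyphortClass>(stringreturn);
                            // An empty or literal "null" body deserialises to null; previously
                            // that surfaced as a NullReferenceException in the catch below.
                            if (cyphortReturn == null)
                            {
                                Console.WriteLine(@"Cyphort returned no parseable data.");
                                return;
                            }
                            // Short-circuit || instead of bitwise | so later arrays are not touched
                            // once a non-empty one has been found.
                            if (cyphortReturn.correlations_array.Any() || cyphortReturn.infections_array.Any() || cyphortReturn.downloads_array.Any())
                            {
                                ParseCyphort(cyphortReturn);
                            }
                            Console.WriteLine(@"Finished processing Cyphort detector.");
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector getting json:" + e);
            }
        }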
        //module to compose notifications
        // Prepares the alert for notification, derives its email subject and sends the mail.
        // Any failure is logged to the console and reported by email; nothing is rethrown.
        public static void Notify(FidoReturnValues lFidoReturnValues)
        {
            try
            {
                PrepareFidoReturnValues(lFidoReturnValues);
                SendMail(GetSubject(lFidoReturnValues), lFidoReturnValues);
            }
            catch (Exception e)
            {
                Console.WriteLine(@"Error creating FIDO email. " + e);
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
            }
        }
        // Runs 'query' against the FIDO SQLite database and returns the resulting rows.
        // On failure the error is emailed and an empty DataTable is returned.
        private static DataTable GetThreatGridTable(string query)
        {
            var database = new SqLiteDB();
            var result   = new DataTable();

            try
            {
                result = database.GetDataTable(query);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
            }

            return result;
        }
 // Records the alert's destination IP (tagged "ip") in the historical threat table.
 // Does nothing when DstIP is unset; failures are emailed rather than rethrown.
 private static void UpdateHistoricalIPInfo(FidoReturnValues lFidoReturnValues)
 {
     try
     {
         if (string.IsNullOrEmpty(lFidoReturnValues.DstIP))
         {
             return;
         }
         var record = new HistorialThreatData
         {
             SDB     = @"ip",
             InValue = lFidoReturnValues.DstIP,
             When    = lFidoReturnValues.TimeOccurred
         };
         InsertHistoricalThreatToDB(record);
     }
     catch (Exception e)
     {
         Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical IP info in fidodb:" + e);
     }
 }
        // Copies the ProtectWise URL-reputation URL onto the ProtectWise section of the alert,
        // marks the alert as targeting a supported OS and runs it through TheDirector.
        // Returns the same instance; failures are emailed rather than rethrown.
        private static FidoReturnValues FormatURLReturnValues(FidoReturnValues lFidoReturnValues)
        {
            try
            {
                var reputation = lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation;
                lFidoReturnValues.ProtectWise.URL = reputation.Url;
                //todo: build better filetype versus targetted OS, then remove this.
                lFidoReturnValues.IsTargetOS = true;
                TheDirector.Direct(lFidoReturnValues);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 URL reputation return:" + e);
            }

            return lFidoReturnValues;
        }
 // Records every non-empty URL on the alert (tagged "url") in the historical threat table.
 // Does nothing when the URL list is null; failures are emailed rather than rethrown.
 private static void UpdateHistoricalURLInfo(FidoReturnValues lFidoReturnValues)
 {
     try
     {
         if (lFidoReturnValues.Url == null)
         {
             return;
         }
         foreach (var url in lFidoReturnValues.Url)
         {
             if (string.IsNullOrEmpty(url))
             {
                 continue;
             }
             InsertHistoricalThreatToDB(@"url", url, lFidoReturnValues.TimeOccurred);
         }
     }
     catch (Exception e)
     {
         Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historicaal URL info in fidodb:" + e);
     }
 }
 // Records every non-empty hash on the alert (tagged "hash") in the historical threat table.
 // Does nothing when the hash list is null; failures are emailed rather than rethrown.
 private static void UpdateHistoricalHashInfo(FidoReturnValues lFidoReturnValues)
 {
     try
     {
         if (lFidoReturnValues.Hash == null)
         {
             return;
         }
         foreach (var hash in lFidoReturnValues.Hash)
         {
             if (string.IsNullOrEmpty(hash))
             {
                 continue;
             }
             InsertHistoricalThreatToDB(@"hash", hash, lFidoReturnValues.TimeOccurred);
         }
     }
     catch (Exception e)
     {
         Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical hash info in fidodb:" + e);
     }
 }
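        // Looks up OS type, chassis and build details for the alert's Landesk host and folds the
        // column values into lFidoReturnValues.Landesk via Landesk2FidoValues.LandeskOsValues.
        // sConnectionString is the Landesk SQL Server connection string. Returns the same
        // instance; query failures are emailed and an empty value list is passed on.
        public static FidoReturnValues GetHostOsInfo(FidoReturnValues lFidoReturnValues, string sConnectionString)
        {
            var lLandeskReturnValues = lFidoReturnValues.Landesk;
            var lHostInfoReturn      = new List <string>();
            //todo: move this to the DB as a const value.
            // The hostname comes from the alert, so it is bound as @hostname instead of being
            // spliced into the query text (the previous Replace() was a SQL injection point).
            const string sQuery = "SELECT DISTINCT A1.OSTYPE, A0.TYPE, A2.HASBATTERY, A2.CHASSISTYPE, A1.VERSION, A3.CURRENTBUILD  FROM Computer A0 (nolock) LEFT OUTER JOIN Operating_System A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN CompSystem A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn LEFT OUTER JOIN OSNT A3 (nolock) ON A0.Computer_Idn = A3.Computer_Idn  WHERE (A0.DeviceName = @hostname)";

            try
            {
                // Connection, command and reader are all disposed on every path, including
                // when Open() fails (previously a failed Open() leaked the connection).
                using (var sqlConnect = new SqlConnection(sConnectionString))
                using (var sqlCmd = new SqlCommand(sQuery, sqlConnect))
                {
                    sqlCmd.Parameters.AddWithValue("@hostname", (object)lLandeskReturnValues.Hostname ?? DBNull.Value);
                    sqlConnect.Open();
                    using (var sqlReader = sqlCmd.ExecuteReader())
                    {
                        while (sqlReader.Read())
                        {
                            var oHostOsInfo = new object[sqlReader.FieldCount];
                            sqlReader.GetValues(oHostOsInfo);
                            foreach (var column in oHostOsInfo)
                            {
                                // NULL / empty columns are reported as "unknown". The previous
                                // condition was inverted and labelled every populated column "unknown".
                                var text = Convert.ToString(column);
                                lHostInfoReturn.Add(string.IsNullOrEmpty(text) ? "unknown" : text);
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting vulns from Landesk:" + e);
            }
            lLandeskReturnValues      = Landesk2FidoValues.LandeskOsValues(lLandeskReturnValues, lHostInfoReturn);
            lFidoReturnValues.Landesk = lLandeskReturnValues;
            return lFidoReturnValues;
        }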
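        // Runs the bundled nmap binary with OS detection (-O) against sIP and returns
        // "hostname^os", where both parts are taken from fixed lines of nmap's output and
        // either may be empty. Returns null when sIP is not an IP literal or the scan fails
        // (the failure is emailed).
        public static string NmapHost(string sIP)
        {
            // sIP ends up on the nmap command line. Only a value that parses as an IP address is
            // accepted, and the normalised form is what gets passed, so an alert-supplied string
            // cannot smuggle extra nmap options or targets into the argument string (previously
            // it was concatenated unchecked).
            System.Net.IPAddress parsedIp;
            if (string.IsNullOrWhiteSpace(sIP) || !System.Net.IPAddress.TryParse(sIP.Trim(), out parsedIp))
            {
                Console.WriteLine(@"NMAP scan skipped: target is not an IP address.");
                return null;
            }

            try
            {
                var procNmap = new ProcessStartInfo
                {
                    FileName               = Application.StartupPath + "\\nmap\\nmap.exe",
                    Arguments              = "-O " + parsedIp,
                    UseShellExecute        = false,
                    RedirectStandardOutput = true
                };

                string procResult = null;
                using (var process = Process.Start(procNmap))
                {
                    if (process != null)
                    {
                        using (var reader = process.StandardOutput)
                        {
                            procResult = reader.ReadToEnd();
                        }
                        // stdout is closed by now; wait so the scan is not left as an orphan.
                        process.WaitForExit();
                    }
                }

                string nmapHostname = null;
                string sNmapOs      = null;

                if (procResult != null)
                {
                    var aryResult = procResult.Split(new[] { "\n", "\r" }, StringSplitOptions.RemoveEmptyEntries);
                    // NOTE(review): lines 1 and 21 are tied to nmap's text layout for a host with
                    // an OS match; verify against the bundled nmap version if output changes.
                    if (aryResult.Length >= 25)
                    {
                        nmapHostname = aryResult[1];
                        sNmapOs      = aryResult[21];
                    }
                }

                return nmapHostname + "^" + sNmapOs;
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught during NMAP scan:" + e);
            }
            return null;
        }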
        //if getevents is positive, get machine name and IP
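        // Queries the Bit9 database for every machine that has seen the file with hash sMD5 and
        // returns one "Computer_Name,IP_Address,Executed,Deleted" string per row. Credentials come
        // from the fido.detectors.bit9.* config keys (decrypted with the bit9 acek). Returns an
        // empty list when the query fails; the failure is emailed.
        private static IEnumerable <string> GetHost(string sMD5)
        {
            var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);

            sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
            var sUserID     = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
            var sPwd        = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
            var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
            var sDB         = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
            var oBit9Return = new object[4];
            var lHostInfo   = new List <string>();

            try
            {
                //todo: encrypt and retrived these values from DB.
                // Built with SqlConnectionStringBuilder so server/db/credential values cannot
                // inject extra keywords into the connection string. The original concatenated
                // string combined a user id/password with Integrated Security=sspi; with SSPI
                // set SQL Server ignores the user id/password. NOTE(review): the password segment
                // is redacted in this listing — confirm which credential the Bit9 DB expects.
                var connectionString = new SqlConnectionStringBuilder
                {
                    UserID             = sUserID,
                    Password           = sPwd,
                    DataSource         = sBit9Server + ",1433",
                    IntegratedSecurity = true,
                    InitialCatalog     = sDB,
                    ConnectTimeout     = 10
                };
                //todo: Store query in database and modify variables when retrieving
                // sMD5 is bound as a parameter; it was previously spliced into the SQL text.
                const string sQuery = "SELECT [Computer_Name],[IP_Address], [Executed], [Deleted] FROM [das].[dbo].[Fido_FileInstanceInfo] Where MD5 = @md5";
                using (var vConnection = new SqlConnection(connectionString.ConnectionString))
                using (var cmd = new SqlCommand(sQuery, vConnection) { CommandType = CommandType.Text })
                {
                    cmd.Parameters.AddWithValue("@md5", (object)sMD5 ?? DBNull.Value);
                    vConnection.Open();
                    using (var objReader = cmd.ExecuteReader())
                    {
                        while (objReader.Read())
                        {
                            objReader.GetSqlValues(oBit9Return);
                            if (oBit9Return.GetValue(0) != null)
                            {
                                lHostInfo.Add(oBit9Return.GetValue(0) + "," + oBit9Return.GetValue(1) + "," + oBit9Return.GetValue(2) + "," + oBit9Return.GetValue(3));
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving host information from Bit9:" + e);
            }
            return lHostInfo;
        }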
        // Expands each Cyphort infection (CNC) record on the alert into a pass through
        // TheDirector: per infection the event/alert ids, the CNC domain (also stored defanged
        // as DNSName) and empty URL/MD5 placeholders are written onto lFidoReturnValues, a
        // previous-alert check may suppress the run, and TheDirector.Direct is invoked.
        // lFidoReturnValues is mutated in place and returned; failures are emailed, not rethrown.
        private static FidoReturnValues FormatInfectionReturnValues(FidoReturnValues lFidoReturnValues)
        {
            lFidoReturnValues.Cyphort.DstIP   = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
            // Fresh lists; one entry per infection is appended below.
            lFidoReturnValues.Cyphort.Domain  = new List <string>();
            lFidoReturnValues.Cyphort.URL     = new List <string>();
            lFidoReturnValues.Cyphort.MD5Hash = new List <string>();

            try
            {
                foreach (var infection in lFidoReturnValues.Cyphort.IncidentDetails.Incident.InfectionArray)
                {
                    lFidoReturnValues.Cyphort.EventID = infection.Infection_id;
                    lFidoReturnValues.AlertID         = infection.Infection_id;
                    // Empty URL/hash entries are added alongside the domain, presumably to keep the
                    // three lists index-aligned — confirm against the consumers of these lists.
                    lFidoReturnValues.Cyphort.URL.Add(string.Empty);
                    lFidoReturnValues.Cyphort.MD5Hash.Add(string.Empty);
                    lFidoReturnValues.Cyphort.Domain.Add(infection.Cnc_servers);
                    // "." -> "(.)" defangs the domain (e.g. so it is not rendered as a link).
                    lFidoReturnValues.DNSName = infection.Cnc_servers.Replace(".", "(.)");

                    var isRunDirector = false;
                    //Check to see if ID has been processed before
                    lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                    if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                    {
                        // Despite the name, a true value means "already handled" and skips the Director.
                        isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
                    }
                    // Skip ids already processed and EICAR test detections.
                    // NOTE(review): MalwareType is dereferenced here without a null check; a null
                    // value lands in the catch below and stops the remaining infections.
                    if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                    {
                        continue;
                    }
                    //todo: build better filetype versus targetted OS, then remove this.
                    lFidoReturnValues.IsTargetOS = true;
                    Console.WriteLine(@"Processing CNC incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
                    TheDirector.Direct(lFidoReturnValues);
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 infection return:" + e);
            }


            return(lFidoReturnValues);
        }
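        // Looks up earlier event_alerts rows for the machine on the alert (by hostname, else by
        // source IP) and stores them on lFidoReturnValues.PreviousAlerts. With isMatrixScore set
        // the rows are additionally scored via PreviousMachineAlerts. Always sets IsSendAlert.
        // Returns the (possibly scored) EventAlerts, or the existing PreviousAlerts when no
        // identifier is available or nothing matched. Scoring failures are emailed.
        internal static EventAlerts GetPreviousMachineAlerts(FidoReturnValues lFidoReturnValues, bool isMatrixScore)
        {
            lFidoReturnValues.IsSendAlert = true;

            // NOTE(review): hostname and source IP come from the alert and are spliced into the
            // query text. GetPreviousAlerts only accepts a finished string, so they cannot be
            // bound as parameters here; treat both values as untrusted input.
            //todo: move this to the database
            string machineQuery;
            if (!string.IsNullOrEmpty(lFidoReturnValues.Hostname))
            {
                machineQuery = "SELECT * FROM event_alerts WHERE hostname = '" + lFidoReturnValues.Hostname.ToLower() + "'  ORDER BY primkey DESC";
            }
            else if (!string.IsNullOrEmpty(lFidoReturnValues.SrcIP))
            {
                machineQuery = "SELECT * FROM event_alerts WHERE ip_address = '" + lFidoReturnValues.SrcIP + "'  ORDER BY primkey DESC";
            }
            else
            {
                // Nothing identifies the machine; the previous version sent an empty query string.
                return lFidoReturnValues.PreviousAlerts;
            }

            var fidoTemp = GetPreviousAlerts(machineQuery);

            if (fidoTemp.Rows.Count <= 0)
            {
                return lFidoReturnValues.PreviousAlerts;
            }
            lFidoReturnValues.PreviousAlerts = new EventAlerts
            {
                Alerts = fidoTemp
            };

            if (!isMatrixScore)
            {
                return lFidoReturnValues.PreviousAlerts;
            }

            //todo: move integer values for time offsets to database as configurable.
            try
            {
                return PreviousMachineAlerts(lFidoReturnValues, fidoTemp);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e);
            }

            return lFidoReturnValues.PreviousAlerts;
        }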
        // Placeholder for hostname reconciliation: the input is currently handed straight back.
        // Intended design (from the original author): if remotereg/ssh return a hostname it wins;
        // check it against the sysmgmt value and re-query the sysmgmt server on mismatch; if
        // remotereg/ssh return nothing, the sysmgmt value wins.
        // Returns null only if the (currently unreachable) failure path is hit; the error is emailed.
        public FidoReturnValues FidoHostNames(FidoReturnValues lFidoInputHostnames)
        {
            try
            {
                return lFidoInputHostnames;
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught doing FidoHostNames:" + e);
            }
            return null;
        }
        // Loads the Carbon Black API settings whose api_call equals 'detect' from the
        // configs_sysmgmt_carbonblack table and maps them via CBConfigs. Returns a default
        // ParseCBConfigs when the lookup fails (the failure is emailed) or CBConfigs' result.
        // NOTE(review): 'detect' is spliced into the SQL text; a parameterised query would close
        // the injection path should the value ever come from outside the code base.
        private static ParseCBConfigs ParseDetectorConfigs(string detect)
        {
            //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
            var query = @"SELECT * from configs_sysmgmt_carbonblack WHERE api_call = '" + detect + @"'";

            var database = new SqLiteDB();
            var cbReturn = new ParseCBConfigs();

            try
            {
                var cbData = database.GetDataTable(query);
                cbReturn   = CBConfigs(cbData);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
            }
            return cbReturn;
        }
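        // Queries Landesk for the Bit9 ("Parity Agent") service status and installed version on
        // the alert's host and stores them in lFidoReturnValues.Landesk.Bit9Running/Bit9Version.
        // sConnectionString is the Landesk SQL Server connection string. When no complete row
        // comes back the values are "" and "Not Installed". Returns the same instance; query
        // failures are emailed.
        public static FidoReturnValues GetBit9Status(FidoReturnValues lFidoReturnValues, string sConnectionString)
        {
            //todo: move this to the DB
            // The hostname comes from the alert, so it is bound as @hostname instead of being
            // spliced into the query text (the previous concatenation was a SQL injection point).
            const string sQuery = "SELECT DISTINCT A0.DISPLAYNAME, A1.NAME, A1.STATUS, A2.SUITENAME, A2.VERSION FROM Computer A0 (nolock) LEFT OUTER JOIN Services A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN AppSoftwareSuites A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn  WHERE (A1.NAME = N'Parity Agent' AND A2.SuiteName LIKE N'Parity Agent' AND A0.DEVICENAME = @hostname)";
            var lBit9Return = new List <string>();

            try
            {
                // Connection, command and reader are disposed on every path; the previous version
                // never disposed the connection at all.
                using (var sqlConnect = new SqlConnection(sConnectionString))
                using (var sqlCmd = new SqlCommand(sQuery, sqlConnect))
                {
                    sqlCmd.Parameters.AddWithValue("@hostname", (object)lFidoReturnValues.Hostname ?? DBNull.Value);
                    sqlConnect.Open();
                    using (var sqlReader = sqlCmd.ExecuteReader())
                    {
                        while (sqlReader.Read())
                        {
                            for (var i = 0; i < sqlReader.FieldCount; i++)
                            {
                                // GetString throws on a NULL column; map NULL to "" instead.
                                lBit9Return.Add(sqlReader.IsDBNull(i) ? string.Empty : sqlReader.GetString(i));
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting Bit9 status from Landesk:" + e);
            }

            // First row layout: 0 DISPLAYNAME, 1 NAME, 2 STATUS, 3 SUITENAME, 4 VERSION.
            // Require the full row so a partial read cannot index past the end of the list.
            if (lBit9Return.Count >= 5)
            {
                lFidoReturnValues.Landesk.Bit9Running = lBit9Return[2];
                lFidoReturnValues.Landesk.Bit9Version = lBit9Return[4];
                return lFidoReturnValues;
            }
            lFidoReturnValues.Landesk.Bit9Running = string.Empty;
            lFidoReturnValues.Landesk.Bit9Version = "Not Installed";
            return lFidoReturnValues;
        }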
        // Maps the first row of a configs_sysmgmt_carbonblack result (columns 1..5) onto a
        // ParseCBConfigs. Returns null when the table has no rows or cannot be read; the error
        // is emailed.
        private static ParseCBConfigs CBConfigs(DataTable cbData)
        {
            try
            {
                var columns = cbData.Rows[0].ItemArray;
                return new ParseCBConfigs
                {
                    APIKey      = Convert.ToString(columns[1]),
                    BaseURL     = Convert.ToString(columns[2]),
                    APICall     = Convert.ToString(columns[3]),
                    APIFunction = Convert.ToString(columns[4]),
                    APIQuery    = Convert.ToString(columns[5])
                };
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
            }
            return null;
        }
        //After receiving the email alert the subject, body and folder the email came from are passed
        //to this function to be parsed.
        // Dispatches an alert email to the detector that matches the folder it arrived in.
        // Only "FireEye" and "FireEye-MAS" have handlers; every other folder is a no-op.
        // Always returns "test" (the return value is not yet meaningful); errors are emailed.
        private static string ScanEmail(string sSubject, string sBody, string sFolderName, bool isParamTest)
        {
            //todo: this seems hokey and needs to be redone. I think I was drinking whiskey when I wrote it.
            try
            {
                if (sFolderName == "FireEye")
                {
                    Detect_FireeyeMPS.FireEyeEmailReceive(sBody, sSubject);
                }
                else if (sFolderName == "FireEye-MAS")
                {
                    Detect_FireEyeMas.ParseFireEyeMas(sBody);
                }
                // "Bit9", "ClearPass", "PaloAlto", "Sophos" and "SourceFire" (//sourcefire.Main)
                // are recognised folders with no handler yet.
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught during scan email:" + e);
            }
            //todo: return 'test'? why? remove this or finish return value handling.
            return "test";
        }
        //get sql connection string and sql query
        // Collects the SQL settings for a sysmgmt source from the fido.sysmgmt.<source>.* config
        // keys, in this order: connection string, IP query, hostname query, and for "jamf" also
        // the extension-attribute and OS queries. Lookup failures are emailed and whatever was
        // gathered so far is returned.
        public static List <string> GetSqlConfigs(string sSource)
        {
            var lQueryConfig = new List <string>();

            try
            {
                var keyPrefix = "fido.sysmgmt." + sSource + ".";
                lQueryConfig.Add(Object_Fido_Configs.GetAsString(keyPrefix + "sqlconnstring", null));
                lQueryConfig.Add(Object_Fido_Configs.GetAsString(keyPrefix + "sqlqueryip", null));
                lQueryConfig.Add(Object_Fido_Configs.GetAsString(keyPrefix + "sqlqueryhostname", null));

                if (sSource == "jamf")
                {
                    lQueryConfig.Add(Object_Fido_Configs.GetAsString(keyPrefix + "sqlqueryextattrib", null));
                    lQueryConfig.Add(Object_Fido_Configs.GetAsString(keyPrefix + "sqlqueryos", null));
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getsqlconfigs area:" + e);
            }
            return lQueryConfig;
        }
        // Maps the first row of a detector-config result (columns 0..5) onto a ParseConfigs.
        // Returns null when the table has no rows or a column cannot be converted; the error
        // is emailed.
        internal static ParseConfigs FormatParse(DataTable dbReturn)
        {
            try
            {
                var columns = dbReturn.Rows[0].ItemArray;
                return new ParseConfigs
                {
                    PrimeKey       = Convert.ToInt16(columns[0]),
                    ApiCall        = Convert.ToString(columns[1]),
                    ApiBaseUrl     = Convert.ToString(columns[2]),
                    ApiFuncCall    = Convert.ToString(columns[3]),
                    ApiQueryString = Convert.ToString(columns[4]),
                    ApiKey         = Convert.ToString(columns[5])
                };
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
            }
            return null;
        }
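        // Counts the Landesk-detected vulnerabilities on sHostname and returns four counts in
        // this order: all severities, Critical only, High only, Low+Medium. sConnectionString is
        // the Landesk SQL Server connection string. If a query fails the error is emailed and the
        // list holds only the counts gathered before the failure.
        public static List <Int32> GetVulns(string sHostname, string sConnectionString)
        {
            var lVuln = new List <Int32>();
            //todo: move this to the DB as const values.
            // The hostname comes from the alert, so every query binds it as @hostname instead of
            // splicing it into the SQL text (the previous concatenation was a SQL injection point).
            const string sFinalQuery    = "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn  WHERE (A0.DEVICENAME = @hostname AND (A1.VULSEVERITY = N'Critical' OR A1.VULSEVERITY = N'High' OR A1.VULSEVERITY = N'Low' OR A1.VULSEVERITY = N'Medium') AND A1.VULTYPE = N'Vulnerability')";
            const string sCriticalQuery = "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn  WHERE (A0.DEVICENAME = @hostname AND A1.VULSEVERITY = N'Critical' AND A1.VULTYPE = N'Vulnerability')";
            const string sHighQuery     = "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn  WHERE (A0.DEVICENAME = @hostname AND A1.VULSEVERITY = N'High' AND A1.VULTYPE = N'Vulnerability')";
            const string sLowQuery      = "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn  WHERE (A0.DEVICENAME = @hostname AND (A1.VULSEVERITY = N'Low' OR A1.VULSEVERITY = N'Medium') AND A1.VULTYPE = N'Vulnerability')";

            var sQueries = new List <string> { sFinalQuery, sCriticalQuery, sHighQuery, sLowQuery };

            try
            {
                // The connection is disposed on every path, including a failed Open() (the
                // previous version opened it outside the try and only closed it on success).
                using (var sqlConnect = new SqlConnection(sConnectionString))
                {
                    sqlConnect.Open();
                    foreach (var tmpQuery in sQueries)
                    {
                        using (var sqlCmd = new SqlCommand(tmpQuery, sqlConnect))
                        {
                            sqlCmd.Parameters.AddWithValue("@hostname", (object)sHostname ?? DBNull.Value);
                            using (var sqlReader = sqlCmd.ExecuteReader())
                            {
                                while (sqlReader.Read())
                                {
                                    // count() is never negative; Math.Max keeps the original clamp to 0.
                                    lVuln.Add(Math.Max(0, sqlReader.GetInt32(0)));
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting vulns from Landesk:" + e);
            }
            return lVuln;
        }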
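        /// <summary>
        /// Enriches a Palo Alto event with VirusTotal's report on its destination IP.
        /// </summary>
        /// <param name="lFidoReturnValues">Event being processed; its PaloAlto.VirusTotal member is created and filled in place.</param>
        /// <returns>The same <paramref name="lFidoReturnValues"/> instance, with VirusTotal data attached when a lookup ran.</returns>
        private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            // NOTE(review): the lookup is skipped when "fido.director.virustotal" is TRUE. Confirm that is the
            // intended meaning of the flag; if it means "enabled", this condition should be negated.
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return(lFidoReturnValues);
            }

            var sDstIp = lFidoReturnValues.PaloAlto != null ? lFidoReturnValues.PaloAlto.DstIp : null;
            // Nothing to look up without a destination IP. The original called .Any() on the string,
            // which threw on a null PaloAlto or DstIp instead of returning.
            if (string.IsNullOrEmpty(sDstIp))
            {
                return(lFidoReturnValues);
            }

            if (lFidoReturnValues.PaloAlto.VirusTotal == null)
            {
                lFidoReturnValues.PaloAlto.VirusTotal = new VirusTotalReturnValues();
            }

            //send the Palo Alto destination IP to the VT IP API
            Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
            try
            {
                var IPReturn = Feeds_VirusTotal.VirusTotalIP(new List <string> { sDstIp });
                if (IPReturn != null)
                {
                    lFidoReturnValues.PaloAlto.VirusTotal.IPReturn = IPReturn;
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
            }

            //todo: move the url to the database
            // NOTE(review): this report link is built with a plain-http scheme; VirusTotal serves the same page over https.
            lFidoReturnValues.PaloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + sDstIp + "/information/";
            return(lFidoReturnValues);
        }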
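        /// <summary>
        /// Runs a query against the configured SQLite database and loads the result into a <see cref="DataTable"/>.
        /// </summary>
        /// <param name="sql">Complete SQL text. It is executed verbatim, so callers must not build it from untrusted input.</param>
        /// <returns>The loaded table; an empty table when the query fails (the failure is reported by e-mail).</returns>
        public DataTable GetDataTable(string sql)
        {
            var dt = new DataTable();

            try
            {
                // using: connection, command and reader are released even when ExecuteReader()/Load() throws;
                // the original only closed them on the success path.
                using (var cnn = new SQLiteConnection(_dbConn))
                {
                    cnn.Open();
                    using (var mycommand = new SQLiteCommand(cnn) { CommandText = sql })
                    using (var reader = mycommand.ExecuteReader())
                    {
                        dt.Load(reader);
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to get table." + e);
            }
            return(dt);
        }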
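        /// <summary>
        /// Fetches ThreatGRID's threat-level record for a sample hash.
        /// </summary>
        /// <param name="sHash">Hash to look up; appended to the configured API path.</param>
        /// <returns>
        /// The deserialised record; an empty record when the HTTP status is not 200 or the request throws
        /// (failures are reported by e-mail); null when the response carries no body stream.
        /// </returns>
        /// <remarks>
        /// The API key is sent in the query string. The error e-mail therefore carries a copy of the URL
        /// with the key redacted rather than the full request, so the secret is not mailed around.
        /// </remarks>
        public static Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info ThreatInfo(string sHash)
        {
            // The original forced SecurityProtocolType.Tls, i.e. TLS 1.0 only, a deprecated protocol most
            // endpoints reject. Note this property is process-wide, not per request.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            var ThreatGRIDReturn  = new Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info();
            var parseConfigs      = Object_ThreatGRID_Configs.GetThreatGridConfigs("hash-threat-level");
            var requestWithoutKey = parseConfigs.ApiBaseUrl + parseConfigs.ApiFuncCall + sHash + "/threat?" + parseConfigs.ApiQueryString;
            var request           = requestWithoutKey + "&api_key=" + parseConfigs.ApiKey;
            var alertRequest      = (HttpWebRequest)WebRequest.Create(request);

            alertRequest.Method = "GET";
            //alertRequest.Timeout = 120000;
            try
            {
                using (var ThreatGRIDResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (ThreatGRIDResponse == null || ThreatGRIDResponse.StatusCode != HttpStatusCode.OK)
                    {
                        // Non-200: hand back the empty record, as before.
                        return(ThreatGRIDReturn);
                    }

                    using (var respStream = ThreatGRIDResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return(null);
                        }
                        // using: the reader was never disposed in the original.
                        using (var ThreatGRIDReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            var stringreturn = ThreatGRIDReader.ReadToEnd();
                            ThreatGRIDReturn = JsonConvert.DeserializeObject <Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>(stringreturn);
                            return(ThreatGRIDReturn);
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving ThreatGRID threat information:" + e + "Query : " + requestWithoutKey + "&api_key=<redacted>");
            }
            return(ThreatGRIDReturn);
        }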
        //public bool Delete(String tableName, String where)
        //{
        //  var returnCode = true;
        //  try
        //  {
        //    ExecuteNonQuery(String.Format("delete from {0} where {1};", tableName, where));
        //  }
        //  catch (Exception e)
        //  {
        //    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to date data." + e);
        //    returnCode = false;
        //  }
        //  return returnCode;
        //}

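        /// <summary>
        /// Inserts one row into <paramref name="tableName"/>, one column per dictionary entry.
        /// </summary>
        /// <param name="tableName">Target table. Used verbatim in the statement, so it must come from code, never from input.</param>
        /// <param name="data">Column name to value. Column names are used verbatim as well; values are emitted as quoted SQL string literals.</param>
        /// <returns>
        /// true when the statement ran; false when <paramref name="data"/> is null or empty, or when the
        /// insert failed (the failure is reported by e-mail).
        /// </returns>
        public bool Insert(String tableName, Dictionary <String, String> data)
        {
            // The original took Substring(0, -1) on an empty dictionary and threw outside its try block.
            if (data == null || data.Count == 0)
            {
                return(false);
            }

            var columns    = "";
            var values     = "";
            var returnCode = true;

            // NOTE(review): the only execution path available here is ExecuteNonQuery(string), so the statement
            // is still assembled as text. Single quotes inside a value are doubled so the value cannot close its
            // own literal; a parameterised ExecuteNonQuery overload would be the proper fix.
            foreach (var val in data)
            {
                columns += " " + val.Key + ",";
                values  += " '" + (val.Value ?? string.Empty).Replace("'", "''") + "',";
            }
            // Drop the trailing comma left by the loop.
            columns = columns.Substring(0, columns.Length - 1);
            values  = values.Substring(0, values.Length - 1);

            try
            {
                ExecuteNonQuery(String.Format("insert into {0}({1}) values({2});", tableName, columns, values));
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to get insert data." + e);
                returnCode = false;
            }
            return(returnCode);
        }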
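        /// <summary>
        /// Loads the ThreatGRID API settings row whose api_call column equals <paramref name="detect"/>.
        /// </summary>
        /// <param name="detect">Name of the API call to look up (callers on this page pass the "hash-threat-level" literal).</param>
        /// <returns>
        /// The parsed settings; an empty settings object when the query returned no table; null when
        /// parsing returned null or threw (the failure is reported by e-mail).
        /// </returns>
        internal static Object_ThreatGRID_IP_ConfigClass.ParseConfigs GetThreatGridConfigs(string detect)
        {
            //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
            // GetThreatGridTable(string) only accepts SQL text, so the value is still spliced into the query.
            // Doubling single quotes keeps it inside its literal; binding it as a parameter would be the proper fix.
            var safeDetect = (detect ?? string.Empty).Replace("'", "''");
            var query      = @"SELECT * from configs_threatfeed_threatgrid WHERE api_call = '" + safeDetect + @"'";
            var fidoTemp   = GetThreatGridTable(query);

            try
            {
                // No table: hand back an empty settings object, as before, rather than null.
                var fidoReturn = fidoTemp != null
                    ? Object_ThreatGRID_IP_ConfigClass.FormatParse(fidoTemp)
                    : new Object_ThreatGRID_IP_ConfigClass.ParseConfigs();
                if (fidoReturn != null)
                {
                    return(fidoReturn);
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather parse configs." + e);
            }
            return(null);
        }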
        //todo: below is commented out until we start parsing previous alerts again
        //private static FidoReturnValues GetPreviousUserAlerts(FidoReturnValues lFidoReturnValues)
        //{
        //}

        //private static FidoReturnValues GetPreviousMachineAlerts(FidoReturnValues lFidoReturnValues)
        //{
        //}

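        /// <summary>
        /// Maps the first row of a previous-alerts query result onto an <see cref="EventAlerts"/>.
        /// </summary>
        /// <param name="dbReturn">
        /// Query result; columns are read by position 0..6 (primary key, timer, IP, hostname, timestamp,
        /// previous score, alert id).
        /// </param>
        /// <returns>
        /// The populated object; null when the table is null or empty, or when a column is missing or
        /// cannot be converted (conversion failures are reported by e-mail).
        /// </returns>
        private static EventAlerts FormatEventAlert(DataTable dbReturn)
        {
            // An empty result is a normal outcome, not a formatting error: return null without the
            // error e-mail the original sent for the IndexOutOfRange on Rows[0].
            if (dbReturn == null || dbReturn.Rows.Count == 0)
            {
                return(null);
            }

            try
            {
                var row = dbReturn.Rows[0].ItemArray;
                return(new EventAlerts
                {
                    PrimKey       = Convert.ToInt32(row[0]),
                    Timer         = Convert.ToInt32(row[1]),
                    IP            = Convert.ToString(row[2]),
                    Hostname      = Convert.ToString(row[3]),
                    TimeStamp     = Convert.ToString(row[4]),
                    PreviousScore = Convert.ToInt32(row[5]),
                    AlertID       = Convert.ToString(row[6])
                });
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format event alerts return." + e);
            }
            return(null);
        }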
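        /// <summary>
        /// Turns each threat-log entry of a Palo Alto query result into a <see cref="FidoReturnValues"/>
        /// and hands it to the Director.
        /// </summary>
        /// <param name="panReturn">Deserialised PAN log response; its Result.Log.Logs.Entry collection is walked.</param>
        /// <remarks>
        /// DNS entries, events already seen according to Matrix_Historical_Helper, and EICAR hits are skipped.
        /// A failure while handling one entry is reported by e-mail and the remaining entries are still
        /// processed; the original wrapped the whole loop in a single try, so the first bad entry ended
        /// processing of the whole batch.
        /// </remarks>
        private static void ParsePan(Object_PaloAlto_Class.PanReturn panReturn)
        {
            try
            {
                foreach (var entry in panReturn.Result.Log.Logs.Entry)
                {
                    if (entry.App == "dns")
                    {
                        continue;
                    }

                    Console.WriteLine(@"Processing PAN " + entry.SubType + @" event.");

                    try
                    {
                        //initialize generic variables for PAN values
                        var lFidoReturnValues = new FidoReturnValues();
                        if (lFidoReturnValues.PreviousAlerts == null)
                        {
                            lFidoReturnValues.PreviousAlerts = new EventAlerts();
                        }
                        if (lFidoReturnValues.PaloAlto == null)
                        {
                            lFidoReturnValues.PaloAlto = new PaloAltoReturnValues();
                        }

                        //Convert PAN classifications to more readable values
                        lFidoReturnValues.MalwareType      = entry.Type + " " + entry.SubType;
                        lFidoReturnValues.CurrentDetector  = "panv1";
                        lFidoReturnValues.PaloAlto.EventID = entry.EventID;
                        lFidoReturnValues.AlertID          = entry.EventID;

                        // "client-to-server" keeps PAN's src/dst as given; any other direction swaps the two addresses.
                        var isDst = entry.Direction == "client-to-server";
                        lFidoReturnValues.PaloAlto.isDst = isDst;
                        lFidoReturnValues.SrcIP          = isDst ? entry.SrcIP : entry.DstIP;
                        lFidoReturnValues.DstIP          = isDst ? entry.DstIP : entry.SrcIP;
                        lFidoReturnValues.PaloAlto.DstIp = isDst ? entry.DstIP : entry.SrcIP;

                        if (!string.IsNullOrEmpty(entry.DstUser))
                        {
                            //todo: the "corp\" domain prefix stripped here is hard-coded.
                            lFidoReturnValues.PaloAlto.DstUser = entry.DstUser.Replace(@"corp\", string.Empty);
                            lFidoReturnValues.Username         = entry.DstUser;
                        }

                        lFidoReturnValues.PaloAlto.EventTime = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
                        lFidoReturnValues.TimeOccurred       = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);

                        //Check to see if ID has been processed before
                        lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                        var isRunDirector = lFidoReturnValues.PreviousAlerts.Alerts != null
                            && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0
                            && AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.PaloAlto.EventID, lFidoReturnValues.PaloAlto.EventTime);
                        if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                        {
                            continue;
                        }

                        //todo: build better filetype versus targetted OS, then remove this.
                        lFidoReturnValues.IsTargetOS = true;
                        Console.WriteLine(@"Processing PAN incident " + lFidoReturnValues.PaloAlto.EventID + @" through to the Director.");
                        TheDirector.Direct(lFidoReturnValues);
                    }
                    catch (Exception e)
                    {
                        // One bad entry is reported but does not stop the rest of the batch.
                        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e);
                    }
                }
            }
            catch (Exception e)
            {
                // Reached when the log collection itself cannot be walked (e.g. a null panReturn).
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e);
            }
        }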
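        /// <summary>
        /// Looks a user up in Active Directory by sAMAccountName and collects contact, location and manager details.
        /// </summary>
        /// <param name="sUserId">sAMAccountName to search for. Filter metacharacters in it are escaped, so the value is always matched literally.</param>
        /// <returns>
        /// The populated record (fields default to string.Empty when the attribute is absent); null when the
        /// lookup throws (the failure is reported by e-mail).
        /// </returns>
        /// <remarks>
        /// The bind DN, user and password are read from the "fido.ldap.*" config keys. DirectoryEntry,
        /// DirectorySearcher and the SearchResultCollection are disposed via using; the original never
        /// released them.
        /// </remarks>
        public static UserReturnValues Getuserinfo(string sUserId)
        {
            try
            {
                var lUserInfo  = new UserReturnValues();
                var domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
                var user       = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
                var pwd        = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);

                lUserInfo.UserEmail     = string.Empty;
                lUserInfo.UserID        = string.Empty;
                lUserInfo.Username      = string.Empty;
                lUserInfo.Department    = string.Empty;
                lUserInfo.Title         = string.Empty;
                lUserInfo.EmployeeType  = string.Empty;
                lUserInfo.CubeLocation  = string.Empty;
                lUserInfo.City          = string.Empty;
                lUserInfo.State         = string.Empty;
                lUserInfo.StreetAddress = string.Empty;
                lUserInfo.MobileNumber  = string.Empty;
                lUserInfo.ManagerID     = string.Empty;
                lUserInfo.ManagerMail   = string.Empty;
                lUserInfo.ManagerMobile = string.Empty;
                lUserInfo.ManagerTitle  = string.Empty;
                lUserInfo.ManagerName   = string.Empty;

                using (var searchRoot = new DirectoryEntry(domainPath, user, pwd))
                using (var search = new DirectorySearcher(searchRoot)
                {
                    // The user id is escaped before it is embedded in the filter; the original spliced it in raw.
                    Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + EscapeLdapFilterValue(sUserId) + "))"
                })
                {
                    search.PropertiesToLoad.Add("samaccountname");
                    search.PropertiesToLoad.Add("mail");
                    search.PropertiesToLoad.Add("displayname");
                    search.PropertiesToLoad.Add("department");
                    search.PropertiesToLoad.Add("title");
                    search.PropertiesToLoad.Add("employeeType");
                    search.PropertiesToLoad.Add("manager");
                    search.PropertiesToLoad.Add("info");
                    search.PropertiesToLoad.Add("l");
                    search.PropertiesToLoad.Add("st");
                    search.PropertiesToLoad.Add("streetAddress");
                    search.PropertiesToLoad.Add("mobile");

                    // The original guard ("!PropertiesLoaded.Any() && resultCol == null") could never be true;
                    // a null or empty result simply yields the blank record.
                    using (var resultCol = search.FindAll())
                    {
                        if (resultCol == null || resultCol.Count == 0)
                        {
                            return(lUserInfo);
                        }

                        foreach (SearchResult result in resultCol)
                        {
                            if (result.Properties.Contains("samaccountname") && result.Properties.Contains("mail") && result.Properties.Contains("displayname"))
                            {
                                lUserInfo.UserEmail     = FirstValueOrKeep(result, "mail", lUserInfo.UserEmail);
                                lUserInfo.UserID        = FirstValueOrKeep(result, "samaccountname", lUserInfo.UserID);
                                lUserInfo.Username      = FirstValueOrKeep(result, "displayname", lUserInfo.Username);
                                lUserInfo.Department    = FirstValueOrKeep(result, "department", lUserInfo.Department);
                                lUserInfo.Title         = FirstValueOrKeep(result, "title", lUserInfo.Title);
                                lUserInfo.EmployeeType  = FirstValueOrKeep(result, "employeeType", lUserInfo.EmployeeType);
                                lUserInfo.ManagerName   = FirstValueOrKeep(result, "manager", lUserInfo.ManagerName);
                                lUserInfo.CubeLocation  = FirstValueOrKeep(result, "info", lUserInfo.CubeLocation);
                                lUserInfo.City          = FirstValueOrKeep(result, "l", lUserInfo.City);
                                lUserInfo.State         = FirstValueOrKeep(result, "st", lUserInfo.State);
                                lUserInfo.StreetAddress = FirstValueOrKeep(result, "streetAddress", lUserInfo.StreetAddress);
                                lUserInfo.MobileNumber  = FirstValueOrKeep(result, "mobile", lUserInfo.MobileNumber);
                            }

                            if (string.IsNullOrEmpty(lUserInfo.ManagerName))
                            {
                                continue;
                            }

                            // Getmanagerinfo returns the manager's details by position: mail, id, name, title, mobile.
                            var lManagerValues = Getmanagerinfo(lUserInfo.ManagerName);
                            for (var i = 0; i < lManagerValues.Count; i++)
                            {
                                if (!lManagerValues[i].Any())
                                {
                                    continue;
                                }
                                switch (i)
                                {
                                case 0:
                                    lUserInfo.ManagerMail = lManagerValues[0];
                                    break;

                                case 1:
                                    lUserInfo.ManagerID = lManagerValues[1];
                                    break;

                                case 2:
                                    lUserInfo.ManagerName = lManagerValues[2];
                                    break;

                                case 3:
                                    lUserInfo.ManagerTitle = lManagerValues[3];
                                    break;

                                case 4:
                                    lUserInfo.ManagerMobile = lManagerValues[4];
                                    break;
                                }
                            }
                        }
                    }
                }

                return(lUserInfo);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Active Directory grab user info area:" + e);
            }
            return(null);
        }

        /// <summary>
        /// Returns the first value of attribute <paramref name="name"/> on <paramref name="result"/> as a string,
        /// or <paramref name="current"/> when the attribute is absent, so an earlier result is not overwritten with a blank.
        /// </summary>
        /// <exception cref="InvalidCastException">When the attribute's first value is not a string (caught by the caller).</exception>
        private static string FirstValueOrKeep(SearchResult result, string name, string current)
        {
            var values = result.Properties[name];
            if (values == null || values.Count == 0)
            {
                return current;
            }
            return (String)values[0] ?? string.Empty;
        }

        /// <summary>
        /// Escapes the characters RFC 4515 reserves inside an LDAP filter value (backslash, asterisk,
        /// parentheses and NUL) so the value is matched literally and cannot alter the filter structure.
        /// </summary>
        /// <param name="value">Raw attribute value; null is treated as empty.</param>
        /// <returns>The escaped value, safe to embed between the parentheses of an equality filter.</returns>
        private static string EscapeLdapFilterValue(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return string.Empty;
            }
            // Backslash first, so the escape sequences emitted below are not escaped again.
            return value.Replace("\\", "\\5c")
                        .Replace("*", "\\2a")
                        .Replace("(", "\\28")
                        .Replace(")", "\\29")
                        .Replace("\0", "\\00");
        }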