public static FidoReturnValues HostDetection(FidoReturnValues lFidoReturnValues, string sHostname, string sSrcIP) { Console.WriteLine(@"Attempting host detection for " + sSrcIP + @"."); //attempt to directly communicate with the device //assume Windows first, then Mac second lFidoReturnValues.RemoteRegHostname = RemoteRegHost(sSrcIP); if (lFidoReturnValues.RemoteRegHostname == null || lFidoReturnValues.RemoteRegHostname == "Not able to connect") { lFidoReturnValues.SSHHostname = SshHost(sSrcIP); if (!String.IsNullOrEmpty(lFidoReturnValues.SSHHostname)) { sHostname = lFidoReturnValues.SSHHostname; } } else { if (!String.IsNullOrEmpty(lFidoReturnValues.RemoteRegHostname)) { sHostname = lFidoReturnValues.RemoteRegHostname; lFidoReturnValues.Hostname = sHostname; } } //if remote registry and ssh fail then NMAP the host if ((sHostname == null) && (sHostname == String.Empty)) { Console.WriteLine(@"Cannot detect hostname, attempting to NMAP " + sSrcIP + @"."); //todo: not currently doing anything wint nmap other //assigning it to a variable. lFidoReturnValues.NmapHostname = NmapHost(sSrcIP); } return lFidoReturnValues; }
private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues) { //if FireEye has hashes send to threat feeds if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false)) { if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any())) { if (lFidoReturnValues.FireEye.VirusTotal == null) { lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues(); } Console.WriteLine(@"Sending FireEye hashes to VirusTotal."); lFidoReturnValues.FireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.FireEye.MD5Hash); } } //todo: decide if FireEye should go to ThreatGRID //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false)) //{ // Console.WriteLine(@"Sending FireEye hashes to ThreatGRID."); // lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues); //} return lFidoReturnValues; }
public static void InsertEventToDB(FidoReturnValues lFidoReturnValues) { var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0); var db = new SqLiteDB(); var data = new Dictionary<String, String> { {"timer", iKeepAlive.ToString(CultureInfo.InvariantCulture)}, {"ip_address", lFidoReturnValues.SrcIP}, {"hostname", lFidoReturnValues.Hostname.ToLower()}, {"timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred).ToString(CultureInfo.InvariantCulture)}, {"previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)}, {"alert_id", lFidoReturnValues.AlertID} }; try { //insert event to primary alert table db.Insert("event_alerts", data); const string eventAlerts = @"select count() from event_alerts"; var newRow = db.ExecuteScalar(eventAlerts); //if there is threat data then insert otherwise //todo: figure out a better way to find out if a detector is empty if (lFidoReturnValues.Bit9 != null | lFidoReturnValues.Antivirus != null | lFidoReturnValues.FireEye != null | lFidoReturnValues.Cyphort != null | lFidoReturnValues.ProtectWise != null | lFidoReturnValues.PaloAlto != null) { UpdateThreatToDB(lFidoReturnValues, newRow); } //if there is machine data then insert otherwise if ((lFidoReturnValues.Landesk != null) | (lFidoReturnValues.Jamf != null)) { UpdateMachineToDB(lFidoReturnValues, newRow); } //if there is user data then insert otherwise if (lFidoReturnValues.UserInfo != null) { UpdateUserToDB(lFidoReturnValues, newRow); } //if there is detailed threat data insert //if there is histiorical url data insert UpdateHistoricalURLInfo(lFidoReturnValues); UpdateHistoricalHashInfo(lFidoReturnValues); UpdateHistoricalIPInfo(lFidoReturnValues); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e); } }
public static FidoReturnValues DetectorsToThreatFeeds(FidoReturnValues lFidoReturnValues) { lFidoReturnValues = FireEyeURL(lFidoReturnValues); lFidoReturnValues = CyphortURL(lFidoReturnValues); lFidoReturnValues = ProtectWiseURL(lFidoReturnValues); lFidoReturnValues = PaloAltoURL(lFidoReturnValues); return lFidoReturnValues; }
public static JamfReturnValues Convert(FidoReturnValues lFidoReturnValues, List<string> lHostInfo) { var lJamfReturnValues = new JamfReturnValues { ComputerID = lHostInfo[0] ?? string.Empty, Hostname = lHostInfo[1] ?? string.Empty, ReportID = lHostInfo[2] ?? string.Empty, Username = lHostInfo[11], OSName = "OSX " + lHostInfo[9], LastUpdate = FromEpochTime(lHostInfo[3]).ToString() }; return lJamfReturnValues; }
public static FidoReturnValues DetectorsToThreatFeeds(FidoReturnValues lFidoReturnValues) { lFidoReturnValues = FireEyeHash(lFidoReturnValues); lFidoReturnValues = CyphortHash(lFidoReturnValues); lFidoReturnValues = ProtectWiseHash(lFidoReturnValues); lFidoReturnValues = CarbonBlackHash(lFidoReturnValues); return lFidoReturnValues; }
internal static FidoReturnValues HistoricalEvent(FidoReturnValues lFidoReturnValues) { Console.WriteLine(@"Gathering historical information from FIDO DB."); const string historicalQuery = "SELECT * FROM configs_historical_events"; var fidoTemp = GetPreviousAlerts(historicalQuery); if (fidoTemp.Rows.Count <= 0) return lFidoReturnValues; lFidoReturnValues.HistoricalEvent = FormatHistoricalEvents(fidoTemp); var urlCount = new DataTable(); var hashCount = new DataTable(); try { if (lFidoReturnValues.Url != null) { foreach (var url in lFidoReturnValues.Url) { urlCount = GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.UrlQuery.Replace("%url%", url)); } } var ipCount = GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.IpQuery.Replace("%ip%", lFidoReturnValues.DstIP)); if (lFidoReturnValues.Hash != null) { foreach (var hash in lFidoReturnValues.Hash) { hashCount = GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.HashQuery.Replace("%hash%", hash)); } } Console.WriteLine(@"Historical data:"); lFidoReturnValues.HistoricalEvent.UrlCount = urlCount.Rows.Count; lFidoReturnValues.HistoricalEvent.IpCount = ipCount.Rows.Count; lFidoReturnValues.HistoricalEvent.HashCount = hashCount.Rows.Count; Console.WriteLine(@"URL Count = " + lFidoReturnValues.HistoricalEvent.UrlCount.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"IP Count = " + lFidoReturnValues.HistoricalEvent.IpCount.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"Hash Count = " + lFidoReturnValues.HistoricalEvent.HashCount.ToString(CultureInfo.InvariantCulture)); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e); } return lFidoReturnValues; }
public static FidoReturnValues GetBit9Status(FidoReturnValues lFidoReturnValues, string sConnectionString) { //todo: move this to the DB var sQuery = "SELECT DISTINCT A0.DISPLAYNAME, A1.NAME, A1.STATUS, A2.SUITENAME, A2.VERSION FROM Computer A0 (nolock) LEFT OUTER JOIN Services A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN AppSoftwareSuites A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn WHERE (A1.NAME = N'Parity Agent' AND A2.SuiteName LIKE N'Parity Agent' AND A0.DEVICENAME = N'" + lFidoReturnValues.Hostname + "')"; var lBit9Return = new List<string>(); var sqlConnect = new SqlConnection(sConnectionString); sqlConnect.Open(); try { var sqlCmd = new SqlCommand(sQuery, sqlConnect); var sqlReader = sqlCmd.ExecuteReader(); Thread.Sleep(500); while (sqlReader.Read()) { for (var i = 0; i < sqlReader.FieldCount; i++) { lBit9Return.Add(sqlReader.GetString(i) != string.Empty ? sqlReader.GetString(i) : string.Empty); } } sqlReader.Close(); } catch(Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting Bit9 status from Landesk:" + e); } if (lBit9Return.Count > 0) { lFidoReturnValues.Landesk.Bit9Running = lBit9Return[2].ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Landesk.Bit9Version = lBit9Return[4].ToString(CultureInfo.InvariantCulture); return lFidoReturnValues; } lFidoReturnValues.Landesk.Bit9Running = string.Empty; lFidoReturnValues.Landesk.Bit9Version = "Not Installed"; return lFidoReturnValues; }
private static FidoReturnValues CyphortHash(FidoReturnValues lFidoReturnValues) { //if Cyphort has hashes send to threat feeds if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false)) { if ((lFidoReturnValues.Cyphort != null) && (lFidoReturnValues.Cyphort.MD5Hash != null) && (lFidoReturnValues.Cyphort.MD5Hash.Any())) { if (lFidoReturnValues.Cyphort.VirusTotal == null) { lFidoReturnValues.Cyphort.VirusTotal = new VirusTotalReturnValues(); } Console.WriteLine(@"Sending Cyphort hashes to VirusTotal."); lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.Cyphort.MD5Hash); } } if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false)) { Console.WriteLine(@"Sending Cyphort hashes to ThreatGRID."); lFidoReturnValues = SendCyphortToThreatGRID(lFidoReturnValues); } return lFidoReturnValues; }
//This function is designed get the incidents from an event, then determine if the //incidents have already been processed. If they have not, they will be handed off //to the GetCyphortIncident function to gather necessary information before being //sent to TheDirector. private static void ParseCyphort(Object_Cyphort_Class.CyphortEvent cyphortReturn) { try { if (cyphortReturn.Event_Array.Any()) { cyphortReturn.Event_Array = cyphortReturn.Event_Array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.Event_Array.Count(); i++) { Console.WriteLine(@"Processing Cyphort event " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.Event_Array.Count().ToString(CultureInfo.InvariantCulture) + @"."); //We don't currently process IPv6, so if detected exit and process next alert if ((cyphortReturn.Event_Array[i].Endpoint_ip != null) && (cyphortReturn.Event_Array[i].Endpoint_ip.Contains(":"))) continue; //initialize generic variables for Cyphort values var lFidoReturnValues = new FidoReturnValues(); if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } //Convert Cyphort classifications to more readable values if (cyphortReturn.Event_Array[i].Event_type == "http") { lFidoReturnValues.MalwareType = "Malware downloaded: " + cyphortReturn.Event_Array[i].Event_name + " Type: " + cyphortReturn.Event_Array[i].Event_category; } else if (cyphortReturn.Event_Array[i].Event_type == "cnc") { lFidoReturnValues.MalwareType = "CNC Detected: " + cyphortReturn.Event_Array[i].Event_name; } //Assign generic event deatils for use in TheDirector lFidoReturnValues.CurrentDetector = "cyphortv3"; lFidoReturnValues.Cyphort.IncidentID = cyphortReturn.Event_Array[i].Incident_id; lFidoReturnValues.SrcIP = cyphortReturn.Event_Array[i].Endpoint_ip; lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.DstIP = cyphortReturn.Event_Array[i].Source_ip; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.Event_Array[i].Source_ip; //Send information gathered thus far to function to gather incident details //and further parsing to determine if sending to TheDirector is needed. GetCyphortIncident(lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector parse:" + e); } }
private static FidoReturnValues FormatInfectionReturnValues(FidoReturnValues lFidoReturnValues) { lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip; lFidoReturnValues.Cyphort.Domain = new List<string>(); lFidoReturnValues.Cyphort.URL = new List<string>(); lFidoReturnValues.Cyphort.MD5Hash = new List<string>(); try { foreach (var infection in lFidoReturnValues.Cyphort.IncidentDetails.Incident.InfectionArray) { lFidoReturnValues.Cyphort.EventID = infection.Infection_id; lFidoReturnValues.AlertID = infection.Infection_id; lFidoReturnValues.Cyphort.URL.Add(string.Empty); lFidoReturnValues.Cyphort.MD5Hash.Add(string.Empty); lFidoReturnValues.Cyphort.Domain.Add(infection.Cnc_servers); lFidoReturnValues.DNSName = infection.Cnc_servers.Replace(".", "(.)"); var isRunDirector = false; //Check to see if ID has been processed before lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue; //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; Console.WriteLine(@"Processing CNC incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director."); TheDirector.Direct(lFidoReturnValues); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 infection return:" + e); } return lFidoReturnValues; }
private static FidoReturnValues FormatDownloadReturnValues(FidoReturnValues lFidoReturnValues) { lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip; lFidoReturnValues.Cyphort.URL = new List<string>(); lFidoReturnValues.Cyphort.MD5Hash = new List<string>(); lFidoReturnValues.Cyphort.Domain = new List<string>(); try { foreach (var download in lFidoReturnValues.Cyphort.IncidentDetails.Incident.DownloadArray) { if (!string.IsNullOrEmpty(download.Event_id)) lFidoReturnValues.Cyphort.EventID = download.Event_id; if (!string.IsNullOrEmpty(download.Event_id)) lFidoReturnValues.AlertID = download.Event_id; if (!string.IsNullOrEmpty(download.Source_url)) { lFidoReturnValues.Cyphort.URL.Add(download.Source_url); lFidoReturnValues.Url = new List<string> {download.Source_url}; } if (!string.IsNullOrEmpty(download.File_md5_string)) { lFidoReturnValues.Cyphort.MD5Hash.Add(download.File_md5_string); lFidoReturnValues.Hash = new List<string> {download.File_md5_string}; } if (download.Req_headers != null) { lFidoReturnValues.Cyphort.Domain.Add(download.Req_headers.Host); lFidoReturnValues.DNSName = download.Req_headers.Host.Replace(".", "(.)"); } //Check to see if ID has been processed before var isRunDirector = false; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue; //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; Console.WriteLine(@"Processing download incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director."); TheDirector.Direct(lFidoReturnValues); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 download return:" + e); } return lFidoReturnValues; }
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues) { Console.WriteLine(@"Pulling Cyphort incident details."); //currently needed to bypass site without a valid cert. //todo: make ssl bypass configurable ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3"); var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey; request = request.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID); var alertRequest = (HttpWebRequest)WebRequest.Create(request); alertRequest.Method = "GET"; try { using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse) { if (cyphortResponse != null && cyphortResponse.StatusCode == HttpStatusCode.OK) { using (var respStream = cyphortResponse.GetResponseStream()) { if (respStream == null) return; var cyphortReader = new StreamReader(respStream, Encoding.UTF8); var stringreturn = cyphortReader.ReadToEnd(); var cyphortReturn = JsonConvert.DeserializeObject<Object_Cyphort_Class.CyphortIncident>(stringreturn); if (cyphortReturn.Incident != null) { lFidoReturnValues.Cyphort.IncidentDetails = new Object_Cyphort_Class.CyphortIncident(); lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn; if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name != null) { lFidoReturnValues.DNSName = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name.Replace(".", "(.)"); } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_exploit == "1") { } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1") { lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues); } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_execution == "1") { } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1") { lFidoReturnValues = FormatInfectionReturnValues(lFidoReturnValues); } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_data_theft == "1") { } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_file_submission == "1") { } } } } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e); } }
public static FidoReturnValues LandesklFidoValues(FidoReturnValues lFidoReturnValues, List<string> lHostInfo) { var lLandeskReturnValues = new LandeskReturnValues(); for (var i = 0; i < lHostInfo.Count(); i++) { switch (i) { case 0: lLandeskReturnValues.Hostname = lHostInfo[0] ?? string.Empty; break; case 1: lLandeskReturnValues.Domain = lHostInfo[1] ?? string.Empty; break; case 2: lLandeskReturnValues.LastUpdate = lHostInfo[2] ?? string.Empty; break; case 3: lLandeskReturnValues.Product = lHostInfo[3] ?? string.Empty; break; case 4: lLandeskReturnValues.ProductVersion = lHostInfo[4] ?? string.Empty; break; case 5: lLandeskReturnValues.AgentRunning = lHostInfo[5] ?? string.Empty; break; case 6: lLandeskReturnValues.AutoProtectOn = lHostInfo[6] ?? string.Empty; break; case 7: lLandeskReturnValues.DefInstallDate = lHostInfo[7] ?? string.Empty; break; case 8: lLandeskReturnValues.EngineVersion = lHostInfo[8] ?? string.Empty; break; case 9: lLandeskReturnValues.OSName = lHostInfo[9] ?? string.Empty; break; case 10: lLandeskReturnValues.ComputerIDN = lHostInfo[10] ?? string.Empty; break; case 11: lLandeskReturnValues.Username = lHostInfo[11] ?? string.Empty; break; } } lFidoReturnValues.Landesk = lLandeskReturnValues; lFidoReturnValues.Hostname = lLandeskReturnValues.Hostname; lFidoReturnValues.Username = lLandeskReturnValues.Username; return lFidoReturnValues; }
private static void UpdateHistoricalIPInfo(FidoReturnValues lFidoReturnValues) { try { if (!string.IsNullOrEmpty(lFidoReturnValues.DstIP)) { InsertHistoricalThreatToDB(@"ip", lFidoReturnValues.DstIP, lFidoReturnValues.TimeOccurred); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical IP info in fidodb:" + e); } }
private static void UpdateDetailedThreatToDB(FidoReturnValues lFidoReturnValues, string row) { //todo: figure out best way to insert detailed reports to prevent having to query web services again //var threatURL = lFidoReturnValues.FireEye.URL.Aggregate(string.Empty, (current, url) => current + (url + ",")); //threatURL = lFidoReturnValues.FireEye.ChannelHost.Aggregate(threatURL, (current, link) => current + (link + ",")); //data.Add("threat_url", threatURL); //var threatMD5 = lFidoReturnValues.FireEye.MD5Hash.Aggregate(string.Empty, (current, md5) => current + (md5 + ",")); //data.Add("threat_hash", threatMD5); }
private static bool PreviousAlert(FidoReturnValues lFidoReturnValues, string event_id, string event_time) { var isRunDirector = false; for (var j = 0; j < lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count; j++) { if (lFidoReturnValues.PreviousAlerts.Alerts.Rows[j][6].ToString() != event_id) continue; if (Convert.ToDateTime(event_time) == Convert.ToDateTime(lFidoReturnValues.PreviousAlerts.Alerts.Rows[j][4].ToString())) { isRunDirector = true; } } return isRunDirector; }
private static void ParsePan(Object_PaloAlto_Class.PanReturn panReturn) { try { foreach (var entry in panReturn.Result.Log.Logs.Entry) { if (entry.App == "dns") continue; Console.WriteLine(@"Processing PAN " + entry.SubType + @" event."); //initialize generic variables for PAN values var lFidoReturnValues = new FidoReturnValues(); if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.PaloAlto == null) { lFidoReturnValues.PaloAlto = new PaloAltoReturnValues(); } //Convert PAN classifications to more readable values lFidoReturnValues.MalwareType = entry.Type + " " + entry.SubType; lFidoReturnValues.CurrentDetector = "panv1"; lFidoReturnValues.PaloAlto.EventID = entry.EventID; lFidoReturnValues.AlertID = entry.EventID; if (entry.Direction == "client-to-server") { lFidoReturnValues.PaloAlto.isDst = true; } else { lFidoReturnValues.PaloAlto.isDst = false; } if (lFidoReturnValues.PaloAlto.isDst) { lFidoReturnValues.SrcIP = entry.SrcIP; lFidoReturnValues.DstIP = entry.DstIP; lFidoReturnValues.PaloAlto.DstIp = entry.DstIP; } else { lFidoReturnValues.SrcIP = entry.DstIP; lFidoReturnValues.DstIP = entry.SrcIP; lFidoReturnValues.PaloAlto.DstIp = entry.SrcIP; } if (!string.IsNullOrEmpty(entry.DstUser)) { lFidoReturnValues.PaloAlto.DstUser = entry.DstUser.Replace(@"corp\", string.Empty); lFidoReturnValues.Username = entry.DstUser; } lFidoReturnValues.PaloAlto.EventTime = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture); lFidoReturnValues.TimeOccurred = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture); var isRunDirector = false; //Check to see if ID has been processed before lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.PaloAlto.EventID, lFidoReturnValues.PaloAlto.EventTime); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue; //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; Console.WriteLine(@"Processing PAN incident " + lFidoReturnValues.PaloAlto.EventID + @" through to the Director."); TheDirector.Direct(lFidoReturnValues); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e); } }
private static EventAlerts PreviousMachineAlerts(FidoReturnValues lFidoReturnValues, DataTable fidoTemp) { lFidoReturnValues.PreviousAlerts = FormatEventAlert(fidoTemp); if ((lFidoReturnValues.PreviousAlerts.Hostname == lFidoReturnValues.Hostname.ToLower()) && lFidoReturnValues.Hostname.ToLower() != "unknown") { var previousAlertTimeDate = Convert.ToDateTime(lFidoReturnValues.PreviousAlerts.TimeStamp); var currentAlertTimeDate = Convert.ToDateTime(lFidoReturnValues.TimeOccurred); var diff = (currentAlertTimeDate - previousAlertTimeDate); //if the time is greater than this # determine how great and if there is an association //or if the alerts should be considered 'new' if (diff.TotalMinutes > 30) { //if time difference is greater than this # assume a new alert if (diff.TotalMinutes < 720 && diff.TotalMinutes > 240) { if (lFidoReturnValues.ThreatScore > 50) { lFidoReturnValues.ThreatScore = 75; lFidoReturnValues.IsPreviousAlert = false; lFidoReturnValues.IsSendAlert = true; Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)); } else { lFidoReturnValues.ThreatScore += 15; lFidoReturnValues.IsPreviousAlert = false; lFidoReturnValues.IsSendAlert = true; Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)); } Console.WriteLine(@"Machine previous alerted and it has been longer than 4 hours!"); } else if (diff.TotalMinutes > 240) { if (lFidoReturnValues.ThreatScore > 50) { lFidoReturnValues.ThreatScore = 100; lFidoReturnValues.IsPreviousAlert = false; lFidoReturnValues.IsSendAlert = true; Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)); } else { lFidoReturnValues.ThreatScore += 25; lFidoReturnValues.IsPreviousAlert = false; lFidoReturnValues.IsSendAlert = true; Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)); } Console.WriteLine(@"Machine previous alerted and it has been longer than 4 hours!"); } //else an associated alert with the machine making multiple callbacks else { Console.WriteLine(@"Machine previous alerted but assuming this is part of same event!"); lFidoReturnValues.IsPreviousAlert = false; lFidoReturnValues.IsSendAlert = true; } } //if less then determine if additional alerts are higher or lower severity than previous alerts else if (diff.TotalMinutes <= 30 & lFidoReturnValues.TotalScore > lFidoReturnValues.PreviousAlerts.PreviousScore) { Console.WriteLine(@"Multiple alerts detected and this event is scored higher than previous event!"); lFidoReturnValues.IsPreviousAlert = true; lFidoReturnValues.IsSendAlert = true; } else if (diff.TotalMinutes <= 30 & lFidoReturnValues.PreviousAlerts.PreviousScore >= lFidoReturnValues.TotalScore) { Console.WriteLine(@"Multiple alerts detected and this event is scored lower than previous event!"); lFidoReturnValues.IsPreviousAlert = true; lFidoReturnValues.IsSendAlert = false; } } return lFidoReturnValues.PreviousAlerts; }
private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row) { var db = new SqLiteDB(); var data = new Dictionary<String, String> { {"username", lFidoReturnValues.Username.ToLower()}, {"fullname", lFidoReturnValues.UserInfo.Username.ToLower()}, {"email", lFidoReturnValues.UserInfo.UserEmail.ToLower()}, {"title", lFidoReturnValues.UserInfo.Title.ToLower()}, {"dept", lFidoReturnValues.UserInfo.Department.ToLower()}, {"emp_type", lFidoReturnValues.UserInfo.EmployeeType.ToLower()}, {"emp_phone", lFidoReturnValues.UserInfo.MobileNumber}, {"cube", lFidoReturnValues.UserInfo.CubeLocation.ToLower()}, {"city_state", lFidoReturnValues.UserInfo.City.ToLower() + "\\" + lFidoReturnValues.UserInfo.State.ToLower()}, {"manager", lFidoReturnValues.UserInfo.ManagerName.ToLower()}, {"manager_title", lFidoReturnValues.UserInfo.ManagerTitle.ToLower()}, {"manager_email", lFidoReturnValues.UserInfo.ManagerMail.ToLower()}, {"manager_phone", lFidoReturnValues.UserInfo.MobileNumber}, {"user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture)} }; try { db.Update("event_user", data, "primkey = " + row); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e); } }
private static void UpdateHistoricalURLInfo(FidoReturnValues lFidoReturnValues) { try { if (lFidoReturnValues.Url != null) { foreach (var url in lFidoReturnValues.Url.Where(url => !string.IsNullOrEmpty(url))) { InsertHistoricalThreatToDB(@"url", url, lFidoReturnValues.TimeOccurred); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historicaal URL info in fidodb:" + e); } }
//This function will attempt to assign alerts to the AntivirusReturnValues object //before returning it to the FidoReturnValues object. public static FidoReturnValues SophoslFidoValues(List<string> lHostInfo) { var lFidoReturnValues = new FidoReturnValues(); var lSophosReturnValues = new AntivirusReturnValues(); for (var x = 0; x < lHostInfo.Count; x++) { switch (x) { case 0: lSophosReturnValues.ReceivedTime = lHostInfo[0]; break; case 1: lSophosReturnValues.EventTime = lHostInfo[1]; lFidoReturnValues.TimeOccurred = lHostInfo[1]; break; case 2: lSophosReturnValues.ActionTaken = lHostInfo[2]; break; case 3: lSophosReturnValues.Username = lHostInfo[3]; var sNewUserName = lHostInfo[3].Split('\\'); if (sNewUserName.Length == 1) { lFidoReturnValues.Username = sNewUserName[0]; } else if (sNewUserName.Length > 1) { lFidoReturnValues.Username = sNewUserName[1]; } else { lFidoReturnValues.Username = string.Empty; } break; case 4: lSophosReturnValues.Status = lHostInfo[4]; break; case 5: lSophosReturnValues.ThreatType = lHostInfo[5]; break; case 6: lSophosReturnValues.ThreatName = lHostInfo[6]; lFidoReturnValues.MalwareType = lHostInfo[6]; break; case 7: lSophosReturnValues.FilePath = lHostInfo[7]; break; case 8: lSophosReturnValues.HostName = lHostInfo[8]; lFidoReturnValues.Hostname = lHostInfo[8]; break; case 9: lFidoReturnValues.SrcIP = lHostInfo[9]; break; } } lFidoReturnValues.Antivirus = lSophosReturnValues; return lFidoReturnValues; }
public static FidoReturnValues GetDomainStatus(FidoReturnValues lFidoReturnValues) { return lFidoReturnValues; }
private static void UpdateHistoricalHashInfo(FidoReturnValues lFidoReturnValues) { try { if (lFidoReturnValues.Hash != null) { foreach (var hash in lFidoReturnValues.Hash.Where(hash => !string.IsNullOrEmpty(hash))) { InsertHistoricalThreatToDB(@"hash", hash, lFidoReturnValues.TimeOccurred); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical hash info in fidodb:" + e); } }
private static void CloseCarbonBlackAlert(FidoReturnValues lFidoReturnValues) { Console.WriteLine(@"Closing CarbonBlack event for: " + lFidoReturnValues.AlertID + @"."); //currently needed to bypass site without a valid cert. //todo: make ssl bypass configurable ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("carbonblackv1"); var request = parseConfigs.Server + parseConfigs.Query2 + lFidoReturnValues.AlertID + parseConfigs.Query3; var alertRequest = (HttpWebRequest)WebRequest.Create(request); alertRequest.Method = "POST"; alertRequest.ContentType = "application/json"; alertRequest.Headers[@"X-Auth-Token"] = parseConfigs.APIKey; try { using (var cbResponse = alertRequest.GetResponse() as HttpWebResponse) { if (cbResponse != null && cbResponse.StatusCode == HttpStatusCode.OK) { using (var respStream = cbResponse.GetResponseStream()) { if (respStream == null) return; var cbReader = new StreamReader(respStream, Encoding.UTF8); var stringreturn = cbReader.ReadToEnd(); if (stringreturn == "[]") return; var cbReturn = JsonConvert.DeserializeObject<Object_CarbonBlack_Alert_Class.CarbonBlack>(stringreturn); if (cbReturn != null) { ParseCarbonBlackAlert(cbReturn); } var responseStream = cbResponse.GetResponseStream(); if (responseStream != null) responseStream.Dispose(); cbResponse.Close(); Console.WriteLine(@"Finished retreiving CB alerts."); } } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black alert area:" + e); } }
internal static EventAlerts GetPreviousMachineAlerts(FidoReturnValues lFidoReturnValues, bool isMatrixScore) { var machineQuery = string.Empty; lFidoReturnValues.IsSendAlert = true; if (!string.IsNullOrEmpty(lFidoReturnValues.Hostname)) { //todo: move this to the database machineQuery = "SELECT * FROM event_alerts WHERE hostname = '" + lFidoReturnValues.Hostname.ToLower() + "' ORDER BY primkey DESC"; } else if (!string.IsNullOrEmpty(lFidoReturnValues.SrcIP)) { //todo: move this to the database machineQuery = "SELECT * FROM event_alerts WHERE ip_address = '" + lFidoReturnValues.SrcIP + "' ORDER BY primkey DESC"; } var fidoTemp = GetPreviousAlerts(machineQuery); if (fidoTemp.Rows.Count <= 0) return lFidoReturnValues.PreviousAlerts; lFidoReturnValues.PreviousAlerts = new EventAlerts {Alerts = fidoTemp}; if (!isMatrixScore) return lFidoReturnValues.PreviousAlerts; //todo: move integer values for time offsets to database as configurable. try { return PreviousMachineAlerts(lFidoReturnValues, fidoTemp); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e); } return lFidoReturnValues.PreviousAlerts; }
private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn) { var cbHost = string.Empty; var cbHostInt = 0; foreach (var cbEvent in cbReturn.Results) { Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @"."); try { //initialize generic variables for CB values var lFidoReturnValues = new FidoReturnValues(); if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.CB == null) { lFidoReturnValues.CB = new CarbonBlackReturnValues { Alert = new CarbonBlackAlert() }; } lFidoReturnValues.CurrentDetector = "carbonblackv1"; lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName; lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType; if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary")) { lFidoReturnValues.isBinary = true; } var dTable = new SqLiteDB(); var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack"); var cbDict = GetDict(cbData); foreach (var label in cbDict) { if (cbEvent.WatchlistName == label.Key) { lFidoReturnValues.MalwareType = label.Value; break; } } if (lFidoReturnValues.MalwareType == null) lFidoReturnValues.MalwareType = "Malicious file detected."; lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID; lFidoReturnValues.AlertID = cbEvent.UniqueID; lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Hostname = cbEvent.Hostname; //todo: this was supposed to limit the total # of alerts sent from a single host, //however, it is poo and needs to be redone. if (lFidoReturnValues.Hostname != cbHost) { cbHost = lFidoReturnValues.Hostname; } else { cbHostInt++; } if (cbHostInt >= 25) { CloseCarbonBlackAlert(lFidoReturnValues); } lFidoReturnValues.Username = cbEvent.Username; lFidoReturnValues.Hash = new List<string> {cbEvent.MD5}; lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5; lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true); if (string.IsNullOrEmpty(cbEvent.ProcessPath)) { if (string.IsNullOrEmpty(cbEvent.ProcessPath)) lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0]; } else { lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath; } if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null)) { lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture); } else { lFidoReturnValues.CB.Alert.HostCount = "0"; } if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null)) { lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture); } else { lFidoReturnValues.CB.Alert.NetConn = "0"; } if (lFidoReturnValues.CB.Inventory != null) { var sFilter = new[] {"|", ","}; var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter,StringSplitOptions.RemoveEmptyEntries); lFidoReturnValues.SrcIP = sIP[0]; } var isRunDirector = false; //Check to see if ID has been processed before lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue; //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); //CloseCarbonBlackAlert(lFidoReturnValues); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e); } } }
public static FidoReturnValues RunMatrix(FidoReturnValues lFidoReturnValues) { //Iterate through each detector and the corresponding threat feed looking for values to score #region ThreatScore Console.WriteLine(@"Starting threat feed evaluation."); lFidoReturnValues = Matrix_Scoring.GetDetectorsScore(lFidoReturnValues); #endregion var isRunAssett = Object_Fido_Configs.GetAsBool("fido.director.assetscore", false); if (isRunAssett) { #region AssetValue Console.WriteLine(@"Starting assest evaluation."); //asset evaluation var isPaired = Object_Fido_Configs.GetAsBool("fido.posture.asset.paired", false); lFidoReturnValues = Matrix_Scoring.GetAssetScore(lFidoReturnValues, isPaired); #endregion #region MachinePosture Console.WriteLine(@"Scoring machine posture evaluation."); //Patch evaluation lFidoReturnValues = Matrix_Scoring.GetPatchScore(lFidoReturnValues); //AV evaluation lFidoReturnValues = Matrix_Scoring.GetAVScore(lFidoReturnValues); #endregion #region UserPosture Console.WriteLine(@"Starting user posture evaluation."); if (lFidoReturnValues.UserInfo != null) { lFidoReturnValues = Matrix_Scoring.GetUserScore(lFidoReturnValues); } #endregion } #region HistoricalInfo Console.WriteLine(@"Starting historical artifact evaluation."); lFidoReturnValues = Matrix_Historical_Helper.HistoricalEvent(lFidoReturnValues); lFidoReturnValues = Matrix_Scoring.GetHistoricalHashCount(lFidoReturnValues); lFidoReturnValues = Matrix_Scoring.GetHistoricalURLCount(lFidoReturnValues); lFidoReturnValues = Matrix_Scoring.GetHistoricalIPCount(lFidoReturnValues); #endregion #region PreviousAlerts Console.WriteLine(@"Checking to see if this machine has previous alerted."); lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, true); #endregion //todo: put configuration in DB for whether to include user/machine score in division of their score. //lFidoReturnValues.TotalScore = lFidoReturnValues.TotalScore / 10; //lFidoReturnValues.UserScore = lFidoReturnValues.UserScore / 10; //lFidoReturnValues.MachineScore = lFidoReturnValues.MachineScore / 10; lFidoReturnValues.ThreatScore = lFidoReturnValues.ThreatScore / 10; lFidoReturnValues = Matrix_Scoring.SetScoreValues(lFidoReturnValues); Console.WriteLine(@"Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"Machine Score for event = " + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture)); Console.WriteLine(@"User Score for event = " + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture)); return lFidoReturnValues; }
public static List<string> RunEnforce(FidoReturnValues lFidoReturnValues) { return lFidoReturnValues.Actions; }
public static FidoReturnValues GetHostOsInfo(FidoReturnValues lFidoReturnValues, string sConnectionString) { var lLandeskReturnValues = lFidoReturnValues.Landesk; var lHostInfoReturn = new List<string>(); //todo: move this to the DB as a const value. var sQuery = "SELECT DISTINCT A1.OSTYPE, A0.TYPE, A2.HASBATTERY, A2.CHASSISTYPE, A1.VERSION, A3.CURRENTBUILD FROM Computer A0 (nolock) LEFT OUTER JOIN Operating_System A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN CompSystem A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn LEFT OUTER JOIN OSNT A3 (nolock) ON A0.Computer_Idn = A3.Computer_Idn WHERE (A0.DeviceName = N' + hostname + ')"; //todo: move the below to a parametertized function to prevent SQL injection. sQuery = sQuery.Replace(" + hostname + ", lFidoReturnValues.Landesk.Hostname); var sqlConnect = new SqlConnection(sConnectionString); sqlConnect.Open(); try { var sqlCmd = new SqlCommand(sQuery, sqlConnect); var sqlReader = sqlCmd.ExecuteReader(); Thread.Sleep(500); if (sqlReader.HasRows) { while (sqlReader.Read()) { var oHostOsInfo = new object[sqlReader.FieldCount]; sqlReader.GetValues(oHostOsInfo); var q = oHostOsInfo.Count(); for (var i = 0; i < q; i++) { lHostInfoReturn.Add(string.IsNullOrEmpty(oHostOsInfo[i].ToString()) ? oHostOsInfo[i].ToString() : "unknown"); } } } sqlReader.Dispose(); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting vulns from Landesk:" + e); } finally { sqlConnect.Dispose(); } lLandeskReturnValues = Landesk2FidoValues.LandeskOsValues(lLandeskReturnValues, lHostInfoReturn); lFidoReturnValues.Landesk = lLandeskReturnValues; return lFidoReturnValues; }