public static FidoReturnValues HostDetection(FidoReturnValues lFidoReturnValues, string sHostname, string sSrcIP)
{
Console.WriteLine(@"Attempting host detection for " + sSrcIP + @".");
//attempt to directly communicate with the device
//assume Windows first, then Mac second
lFidoReturnValues.RemoteRegHostname = RemoteRegHost(sSrcIP);
if (lFidoReturnValues.RemoteRegHostname == null || lFidoReturnValues.RemoteRegHostname == "Not able to connect")
{
lFidoReturnValues.SSHHostname = SshHost(sSrcIP);
if (!String.IsNullOrEmpty(lFidoReturnValues.SSHHostname))
{
sHostname = lFidoReturnValues.SSHHostname;
}
}
else
{
if (!String.IsNullOrEmpty(lFidoReturnValues.RemoteRegHostname))
{
sHostname = lFidoReturnValues.RemoteRegHostname;
lFidoReturnValues.Hostname = sHostname;
}
}
//if remote registry and ssh fail then NMAP the host
if ((sHostname == null) && (sHostname == String.Empty))
{
Console.WriteLine(@"Cannot detect hostname, attempting to NMAP " + sSrcIP + @".");
//todo: not currently doing anything wint nmap other
//assigning it to a variable.
lFidoReturnValues.NmapHostname = NmapHost(sSrcIP);
}
return lFidoReturnValues;
}
private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
{
//if FireEye has hashes send to threat feeds
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any()))
{
if (lFidoReturnValues.FireEye.VirusTotal == null)
{
lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
lFidoReturnValues.FireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.FireEye.MD5Hash);
}
}
//todo: decide if FireEye should go to ThreatGRID
//if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
//{
// Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
// lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
//}
return lFidoReturnValues;
}
public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
{
var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);
var db = new SqLiteDB();
var data = new Dictionary<String, String>
{
{"timer", iKeepAlive.ToString(CultureInfo.InvariantCulture)},
{"ip_address", lFidoReturnValues.SrcIP},
{"hostname", lFidoReturnValues.Hostname.ToLower()},
{"timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred).ToString(CultureInfo.InvariantCulture)},
{"previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture)},
{"alert_id", lFidoReturnValues.AlertID}
};
try
{
//insert event to primary alert table
db.Insert("event_alerts", data);
const string eventAlerts = @"select count() from event_alerts";
var newRow = db.ExecuteScalar(eventAlerts);
//if there is threat data then insert otherwise
//todo: figure out a better way to find out if a detector is empty
if (lFidoReturnValues.Bit9 != null | lFidoReturnValues.Antivirus != null | lFidoReturnValues.FireEye != null |
lFidoReturnValues.Cyphort != null | lFidoReturnValues.ProtectWise != null | lFidoReturnValues.PaloAlto != null)
{
UpdateThreatToDB(lFidoReturnValues, newRow);
}
//if there is machine data then insert otherwise
if ((lFidoReturnValues.Landesk != null) | (lFidoReturnValues.Jamf != null))
{
UpdateMachineToDB(lFidoReturnValues, newRow);
}
//if there is user data then insert otherwise
if (lFidoReturnValues.UserInfo != null)
{
UpdateUserToDB(lFidoReturnValues, newRow);
}
//if there is detailed threat data insert
//if there is histiorical url data insert
UpdateHistoricalURLInfo(lFidoReturnValues);
UpdateHistoricalHashInfo(lFidoReturnValues);
UpdateHistoricalIPInfo(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error",
"Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
}
}
public static FidoReturnValues DetectorsToThreatFeeds(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues = FireEyeURL(lFidoReturnValues);
lFidoReturnValues = CyphortURL(lFidoReturnValues);
lFidoReturnValues = ProtectWiseURL(lFidoReturnValues);
lFidoReturnValues = PaloAltoURL(lFidoReturnValues);
return lFidoReturnValues;
}
public static JamfReturnValues Convert(FidoReturnValues lFidoReturnValues, List<string> lHostInfo)
{
var lJamfReturnValues = new JamfReturnValues
{
ComputerID = lHostInfo[0] ?? string.Empty, Hostname = lHostInfo[1] ?? string.Empty, ReportID = lHostInfo[2] ?? string.Empty, Username = lHostInfo[11], OSName = "OSX " + lHostInfo[9], LastUpdate = FromEpochTime(lHostInfo[3]).ToString()
};
return lJamfReturnValues;
}
public static FidoReturnValues DetectorsToThreatFeeds(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues = FireEyeHash(lFidoReturnValues);
lFidoReturnValues = CyphortHash(lFidoReturnValues);
lFidoReturnValues = ProtectWiseHash(lFidoReturnValues);
lFidoReturnValues = CarbonBlackHash(lFidoReturnValues);
return lFidoReturnValues;
}
internal static FidoReturnValues HistoricalEvent(FidoReturnValues lFidoReturnValues)
{
Console.WriteLine(@"Gathering historical information from FIDO DB.");
const string historicalQuery = "SELECT * FROM configs_historical_events";
var fidoTemp = GetPreviousAlerts(historicalQuery);
if (fidoTemp.Rows.Count <= 0) return lFidoReturnValues;
lFidoReturnValues.HistoricalEvent = FormatHistoricalEvents(fidoTemp);
var urlCount = new DataTable();
var hashCount = new DataTable();
try
{
if (lFidoReturnValues.Url != null)
{
foreach (var url in lFidoReturnValues.Url)
{
urlCount = GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.UrlQuery.Replace("%url%", url));
}
}
var ipCount = GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.IpQuery.Replace("%ip%", lFidoReturnValues.DstIP));
if (lFidoReturnValues.Hash != null)
{
foreach (var hash in lFidoReturnValues.Hash)
{
hashCount = GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.HashQuery.Replace("%hash%", hash));
}
}
Console.WriteLine(@"Historical data:");
lFidoReturnValues.HistoricalEvent.UrlCount = urlCount.Rows.Count;
lFidoReturnValues.HistoricalEvent.IpCount = ipCount.Rows.Count;
lFidoReturnValues.HistoricalEvent.HashCount = hashCount.Rows.Count;
Console.WriteLine(@"URL Count = " + lFidoReturnValues.HistoricalEvent.UrlCount.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"IP Count = " + lFidoReturnValues.HistoricalEvent.IpCount.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"Hash Count = " + lFidoReturnValues.HistoricalEvent.HashCount.ToString(CultureInfo.InvariantCulture));
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e);
}
return lFidoReturnValues;
}
public static FidoReturnValues GetBit9Status(FidoReturnValues lFidoReturnValues, string sConnectionString)
{
//todo: move this to the DB
var sQuery = "SELECT DISTINCT A0.DISPLAYNAME, A1.NAME, A1.STATUS, A2.SUITENAME, A2.VERSION FROM Computer A0 (nolock) LEFT OUTER JOIN Services A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN AppSoftwareSuites A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn WHERE (A1.NAME = N'Parity Agent' AND A2.SuiteName LIKE N'Parity Agent' AND A0.DEVICENAME = N'" + lFidoReturnValues.Hostname + "')";
var lBit9Return = new List<string>();
var sqlConnect = new SqlConnection(sConnectionString);
sqlConnect.Open();
try
{
var sqlCmd = new SqlCommand(sQuery, sqlConnect);
var sqlReader = sqlCmd.ExecuteReader();
Thread.Sleep(500);
while (sqlReader.Read())
{
for (var i = 0; i < sqlReader.FieldCount; i++)
{
lBit9Return.Add(sqlReader.GetString(i) != string.Empty ? sqlReader.GetString(i) : string.Empty);
}
}
sqlReader.Close();
}
catch(Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting Bit9 status from Landesk:" + e);
}
if (lBit9Return.Count > 0)
{
lFidoReturnValues.Landesk.Bit9Running = lBit9Return[2].ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Landesk.Bit9Version = lBit9Return[4].ToString(CultureInfo.InvariantCulture);
return lFidoReturnValues;
}
lFidoReturnValues.Landesk.Bit9Running = string.Empty;
lFidoReturnValues.Landesk.Bit9Version = "Not Installed";
return lFidoReturnValues;
}
private static FidoReturnValues CyphortHash(FidoReturnValues lFidoReturnValues)
{
//if Cyphort has hashes send to threat feeds
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
if ((lFidoReturnValues.Cyphort != null) && (lFidoReturnValues.Cyphort.MD5Hash != null) && (lFidoReturnValues.Cyphort.MD5Hash.Any()))
{
if (lFidoReturnValues.Cyphort.VirusTotal == null)
{
lFidoReturnValues.Cyphort.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Sending Cyphort hashes to VirusTotal.");
lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.Cyphort.MD5Hash);
}
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
Console.WriteLine(@"Sending Cyphort hashes to ThreatGRID.");
lFidoReturnValues = SendCyphortToThreatGRID(lFidoReturnValues);
}
return lFidoReturnValues;
}
//This function is designed get the incidents from an event, then determine if the
//incidents have already been processed. If they have not, they will be handed off
//to the GetCyphortIncident function to gather necessary information before being
//sent to TheDirector.
private static void ParseCyphort(Object_Cyphort_Class.CyphortEvent cyphortReturn)
{
try
{
if (cyphortReturn.Event_Array.Any())
{
cyphortReturn.Event_Array = cyphortReturn.Event_Array.Reverse().ToArray();
for (var i = 0; i < cyphortReturn.Event_Array.Count(); i++)
{
Console.WriteLine(@"Processing Cyphort event " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.Event_Array.Count().ToString(CultureInfo.InvariantCulture) + @".");
//We don't currently process IPv6, so if detected exit and process next alert
if ((cyphortReturn.Event_Array[i].Endpoint_ip != null) && (cyphortReturn.Event_Array[i].Endpoint_ip.Contains(":"))) continue;
//initialize generic variables for Cyphort values
var lFidoReturnValues = new FidoReturnValues();
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.Cyphort == null)
{
lFidoReturnValues.Cyphort = new CyphortReturnValues();
}
//Convert Cyphort classifications to more readable values
if (cyphortReturn.Event_Array[i].Event_type == "http")
{
lFidoReturnValues.MalwareType = "Malware downloaded: " + cyphortReturn.Event_Array[i].Event_name + " Type: " + cyphortReturn.Event_Array[i].Event_category;
}
else if (cyphortReturn.Event_Array[i].Event_type == "cnc")
{
lFidoReturnValues.MalwareType = "CNC Detected: " + cyphortReturn.Event_Array[i].Event_name;
}
//Assign generic event deatils for use in TheDirector
lFidoReturnValues.CurrentDetector = "cyphortv3";
lFidoReturnValues.Cyphort.IncidentID = cyphortReturn.Event_Array[i].Incident_id;
lFidoReturnValues.SrcIP = cyphortReturn.Event_Array[i].Endpoint_ip;
lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.DstIP = cyphortReturn.Event_Array[i].Source_ip;
lFidoReturnValues.Cyphort.DstIP = cyphortReturn.Event_Array[i].Source_ip;
//Send information gathered thus far to function to gather incident details
//and further parsing to determine if sending to TheDirector is needed.
GetCyphortIncident(lFidoReturnValues);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector parse:" + e);
}
}
private static FidoReturnValues FormatInfectionReturnValues(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
lFidoReturnValues.Cyphort.Domain = new List<string>();
lFidoReturnValues.Cyphort.URL = new List<string>();
lFidoReturnValues.Cyphort.MD5Hash = new List<string>();
try
{
foreach (var infection in lFidoReturnValues.Cyphort.IncidentDetails.Incident.InfectionArray)
{
lFidoReturnValues.Cyphort.EventID = infection.Infection_id;
lFidoReturnValues.AlertID = infection.Infection_id;
lFidoReturnValues.Cyphort.URL.Add(string.Empty);
lFidoReturnValues.Cyphort.MD5Hash.Add(string.Empty);
lFidoReturnValues.Cyphort.Domain.Add(infection.Cnc_servers);
lFidoReturnValues.DNSName = infection.Cnc_servers.Replace(".", "(.)");
var isRunDirector = false;
//Check to see if ID has been processed before
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue;
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
Console.WriteLine(@"Processing CNC incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
TheDirector.Direct(lFidoReturnValues);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 infection return:" + e);
}
return lFidoReturnValues;
}
private static FidoReturnValues FormatDownloadReturnValues(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
lFidoReturnValues.Cyphort.URL = new List<string>();
lFidoReturnValues.Cyphort.MD5Hash = new List<string>();
lFidoReturnValues.Cyphort.Domain = new List<string>();
try
{
foreach (var download in lFidoReturnValues.Cyphort.IncidentDetails.Incident.DownloadArray)
{
if (!string.IsNullOrEmpty(download.Event_id)) lFidoReturnValues.Cyphort.EventID = download.Event_id;
if (!string.IsNullOrEmpty(download.Event_id)) lFidoReturnValues.AlertID = download.Event_id;
if (!string.IsNullOrEmpty(download.Source_url))
{
lFidoReturnValues.Cyphort.URL.Add(download.Source_url);
lFidoReturnValues.Url = new List<string> {download.Source_url};
}
if (!string.IsNullOrEmpty(download.File_md5_string))
{
lFidoReturnValues.Cyphort.MD5Hash.Add(download.File_md5_string);
lFidoReturnValues.Hash = new List<string> {download.File_md5_string};
}
if (download.Req_headers != null)
{
lFidoReturnValues.Cyphort.Domain.Add(download.Req_headers.Host);
lFidoReturnValues.DNSName = download.Req_headers.Host.Replace(".", "(.)");
}
//Check to see if ID has been processed before
var isRunDirector = false;
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue;
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
Console.WriteLine(@"Processing download incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
TheDirector.Direct(lFidoReturnValues);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 download return:" + e);
}
return lFidoReturnValues;
}
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
{
Console.WriteLine(@"Pulling Cyphort incident details.");
//currently needed to bypass site without a valid cert.
//todo: make ssl bypass configurable
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;
request = request.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID);
var alertRequest = (HttpWebRequest)WebRequest.Create(request);
alertRequest.Method = "GET";
try
{
using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
{
if (cyphortResponse != null && cyphortResponse.StatusCode == HttpStatusCode.OK)
{
using (var respStream = cyphortResponse.GetResponseStream())
{
if (respStream == null) return;
var cyphortReader = new StreamReader(respStream, Encoding.UTF8);
var stringreturn = cyphortReader.ReadToEnd();
var cyphortReturn = JsonConvert.DeserializeObject<Object_Cyphort_Class.CyphortIncident>(stringreturn);
if (cyphortReturn.Incident != null)
{
lFidoReturnValues.Cyphort.IncidentDetails = new Object_Cyphort_Class.CyphortIncident();
lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn;
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name != null)
{
lFidoReturnValues.DNSName = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name.Replace(".", "(.)");
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_exploit == "1")
{
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1")
{
lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues);
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_execution == "1")
{
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1")
{
lFidoReturnValues = FormatInfectionReturnValues(lFidoReturnValues);
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_data_theft == "1")
{
}
if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_file_submission == "1")
{
}
}
}
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
}
}
public static FidoReturnValues LandesklFidoValues(FidoReturnValues lFidoReturnValues, List<string> lHostInfo)
{
var lLandeskReturnValues = new LandeskReturnValues();
for (var i = 0; i < lHostInfo.Count(); i++)
{
switch (i)
{
case 0:
lLandeskReturnValues.Hostname = lHostInfo[0] ?? string.Empty;
break;
case 1:
lLandeskReturnValues.Domain = lHostInfo[1] ?? string.Empty;
break;
case 2:
lLandeskReturnValues.LastUpdate = lHostInfo[2] ?? string.Empty;
break;
case 3:
lLandeskReturnValues.Product = lHostInfo[3] ?? string.Empty;
break;
case 4:
lLandeskReturnValues.ProductVersion = lHostInfo[4] ?? string.Empty;
break;
case 5:
lLandeskReturnValues.AgentRunning = lHostInfo[5] ?? string.Empty;
break;
case 6:
lLandeskReturnValues.AutoProtectOn = lHostInfo[6] ?? string.Empty;
break;
case 7:
lLandeskReturnValues.DefInstallDate = lHostInfo[7] ?? string.Empty;
break;
case 8:
lLandeskReturnValues.EngineVersion = lHostInfo[8] ?? string.Empty;
break;
case 9:
lLandeskReturnValues.OSName = lHostInfo[9] ?? string.Empty;
break;
case 10:
lLandeskReturnValues.ComputerIDN = lHostInfo[10] ?? string.Empty;
break;
case 11:
lLandeskReturnValues.Username = lHostInfo[11] ?? string.Empty;
break;
}
}
lFidoReturnValues.Landesk = lLandeskReturnValues;
lFidoReturnValues.Hostname = lLandeskReturnValues.Hostname;
lFidoReturnValues.Username = lLandeskReturnValues.Username;
return lFidoReturnValues;
}
private static void UpdateHistoricalIPInfo(FidoReturnValues lFidoReturnValues)
{
try
{
if (!string.IsNullOrEmpty(lFidoReturnValues.DstIP))
{
InsertHistoricalThreatToDB(@"ip", lFidoReturnValues.DstIP, lFidoReturnValues.TimeOccurred);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical IP info in fidodb:" + e);
}
}
private static void UpdateDetailedThreatToDB(FidoReturnValues lFidoReturnValues, string row)
{
//todo: figure out best way to insert detailed reports to prevent having to query web services again
//var threatURL = lFidoReturnValues.FireEye.URL.Aggregate(string.Empty, (current, url) => current + (url + ","));
//threatURL = lFidoReturnValues.FireEye.ChannelHost.Aggregate(threatURL, (current, link) => current + (link + ","));
//data.Add("threat_url", threatURL);
//var threatMD5 = lFidoReturnValues.FireEye.MD5Hash.Aggregate(string.Empty, (current, md5) => current + (md5 + ","));
//data.Add("threat_hash", threatMD5);
}
private static bool PreviousAlert(FidoReturnValues lFidoReturnValues, string event_id, string event_time)
{
var isRunDirector = false;
for (var j = 0; j < lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count; j++)
{
if (lFidoReturnValues.PreviousAlerts.Alerts.Rows[j][6].ToString() != event_id) continue;
if (Convert.ToDateTime(event_time) == Convert.ToDateTime(lFidoReturnValues.PreviousAlerts.Alerts.Rows[j][4].ToString()))
{
isRunDirector = true;
}
}
return isRunDirector;
}
private static void ParsePan(Object_PaloAlto_Class.PanReturn panReturn)
{
try
{
foreach (var entry in panReturn.Result.Log.Logs.Entry)
{
if (entry.App == "dns") continue;
Console.WriteLine(@"Processing PAN " + entry.SubType + @" event.");
//initialize generic variables for PAN values
var lFidoReturnValues = new FidoReturnValues();
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.PaloAlto == null)
{
lFidoReturnValues.PaloAlto = new PaloAltoReturnValues();
}
//Convert PAN classifications to more readable values
lFidoReturnValues.MalwareType = entry.Type + " " + entry.SubType;
lFidoReturnValues.CurrentDetector = "panv1";
lFidoReturnValues.PaloAlto.EventID = entry.EventID;
lFidoReturnValues.AlertID = entry.EventID;
if (entry.Direction == "client-to-server")
{
lFidoReturnValues.PaloAlto.isDst = true;
}
else
{
lFidoReturnValues.PaloAlto.isDst = false;
}
if (lFidoReturnValues.PaloAlto.isDst)
{
lFidoReturnValues.SrcIP = entry.SrcIP;
lFidoReturnValues.DstIP = entry.DstIP;
lFidoReturnValues.PaloAlto.DstIp = entry.DstIP;
}
else
{
lFidoReturnValues.SrcIP = entry.DstIP;
lFidoReturnValues.DstIP = entry.SrcIP;
lFidoReturnValues.PaloAlto.DstIp = entry.SrcIP;
}
if (!string.IsNullOrEmpty(entry.DstUser))
{
lFidoReturnValues.PaloAlto.DstUser = entry.DstUser.Replace(@"corp\", string.Empty);
lFidoReturnValues.Username = entry.DstUser;
}
lFidoReturnValues.PaloAlto.EventTime = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.TimeOccurred = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
var isRunDirector = false;
//Check to see if ID has been processed before
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.PaloAlto.EventID, lFidoReturnValues.PaloAlto.EventTime);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue;
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
Console.WriteLine(@"Processing PAN incident " + lFidoReturnValues.PaloAlto.EventID + @" through to the Director.");
TheDirector.Direct(lFidoReturnValues);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e);
}
}
private static EventAlerts PreviousMachineAlerts(FidoReturnValues lFidoReturnValues, DataTable fidoTemp)
{
lFidoReturnValues.PreviousAlerts = FormatEventAlert(fidoTemp);
if ((lFidoReturnValues.PreviousAlerts.Hostname == lFidoReturnValues.Hostname.ToLower()) && lFidoReturnValues.Hostname.ToLower() != "unknown")
{
var previousAlertTimeDate = Convert.ToDateTime(lFidoReturnValues.PreviousAlerts.TimeStamp);
var currentAlertTimeDate = Convert.ToDateTime(lFidoReturnValues.TimeOccurred);
var diff = (currentAlertTimeDate - previousAlertTimeDate);
//if the time is greater than this # determine how great and if there is an association
//or if the alerts should be considered 'new'
if (diff.TotalMinutes > 30)
{
//if time difference is greater than this # assume a new alert
if (diff.TotalMinutes < 720 && diff.TotalMinutes > 240)
{
if (lFidoReturnValues.ThreatScore > 50)
{
lFidoReturnValues.ThreatScore = 75;
lFidoReturnValues.IsPreviousAlert = false;
lFidoReturnValues.IsSendAlert = true;
Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture));
}
else
{
lFidoReturnValues.ThreatScore += 15;
lFidoReturnValues.IsPreviousAlert = false;
lFidoReturnValues.IsSendAlert = true;
Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture));
}
Console.WriteLine(@"Machine previous alerted and it has been longer than 4 hours!");
}
else if (diff.TotalMinutes > 240)
{
if (lFidoReturnValues.ThreatScore > 50)
{
lFidoReturnValues.ThreatScore = 100;
lFidoReturnValues.IsPreviousAlert = false;
lFidoReturnValues.IsSendAlert = true;
Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture));
}
else
{
lFidoReturnValues.ThreatScore += 25;
lFidoReturnValues.IsPreviousAlert = false;
lFidoReturnValues.IsSendAlert = true;
Console.WriteLine(@"New Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"New Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture));
}
Console.WriteLine(@"Machine previous alerted and it has been longer than 4 hours!");
}
//else an associated alert with the machine making multiple callbacks
else
{
Console.WriteLine(@"Machine previous alerted but assuming this is part of same event!");
lFidoReturnValues.IsPreviousAlert = false;
lFidoReturnValues.IsSendAlert = true;
}
}
//if less then determine if additional alerts are higher or lower severity than previous alerts
else if (diff.TotalMinutes <= 30 & lFidoReturnValues.TotalScore > lFidoReturnValues.PreviousAlerts.PreviousScore)
{
Console.WriteLine(@"Multiple alerts detected and this event is scored higher than previous event!");
lFidoReturnValues.IsPreviousAlert = true;
lFidoReturnValues.IsSendAlert = true;
}
else if (diff.TotalMinutes <= 30 & lFidoReturnValues.PreviousAlerts.PreviousScore >= lFidoReturnValues.TotalScore)
{
Console.WriteLine(@"Multiple alerts detected and this event is scored lower than previous event!");
lFidoReturnValues.IsPreviousAlert = true;
lFidoReturnValues.IsSendAlert = false;
}
}
return lFidoReturnValues.PreviousAlerts;
}
private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row)
{
var db = new SqLiteDB();
var data = new Dictionary<String, String>
{
{"username", lFidoReturnValues.Username.ToLower()},
{"fullname", lFidoReturnValues.UserInfo.Username.ToLower()},
{"email", lFidoReturnValues.UserInfo.UserEmail.ToLower()},
{"title", lFidoReturnValues.UserInfo.Title.ToLower()},
{"dept", lFidoReturnValues.UserInfo.Department.ToLower()},
{"emp_type", lFidoReturnValues.UserInfo.EmployeeType.ToLower()},
{"emp_phone", lFidoReturnValues.UserInfo.MobileNumber},
{"cube", lFidoReturnValues.UserInfo.CubeLocation.ToLower()},
{"city_state", lFidoReturnValues.UserInfo.City.ToLower() + "\\" + lFidoReturnValues.UserInfo.State.ToLower()},
{"manager", lFidoReturnValues.UserInfo.ManagerName.ToLower()},
{"manager_title", lFidoReturnValues.UserInfo.ManagerTitle.ToLower()},
{"manager_email", lFidoReturnValues.UserInfo.ManagerMail.ToLower()},
{"manager_phone", lFidoReturnValues.UserInfo.MobileNumber},
{"user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture)}
};
try
{
db.Update("event_user", data, "primkey = " + row);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e);
}
}
private static void UpdateHistoricalURLInfo(FidoReturnValues lFidoReturnValues)
{
try
{
if (lFidoReturnValues.Url != null)
{
foreach (var url in lFidoReturnValues.Url.Where(url => !string.IsNullOrEmpty(url)))
{
InsertHistoricalThreatToDB(@"url", url, lFidoReturnValues.TimeOccurred);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historicaal URL info in fidodb:" + e);
}
}
//This function will attempt to assign alerts to the AntivirusReturnValues object
//before returning it to the FidoReturnValues object.
public static FidoReturnValues SophoslFidoValues(List<string> lHostInfo)
{
var lFidoReturnValues = new FidoReturnValues();
var lSophosReturnValues = new AntivirusReturnValues();
for (var x = 0; x < lHostInfo.Count; x++)
{
switch (x)
{
case 0:
lSophosReturnValues.ReceivedTime = lHostInfo[0];
break;
case 1:
lSophosReturnValues.EventTime = lHostInfo[1];
lFidoReturnValues.TimeOccurred = lHostInfo[1];
break;
case 2:
lSophosReturnValues.ActionTaken = lHostInfo[2];
break;
case 3:
lSophosReturnValues.Username = lHostInfo[3];
var sNewUserName = lHostInfo[3].Split('\\');
if (sNewUserName.Length == 1)
{
lFidoReturnValues.Username = sNewUserName[0];
}
else if (sNewUserName.Length > 1)
{
lFidoReturnValues.Username = sNewUserName[1];
}
else
{
lFidoReturnValues.Username = string.Empty;
}
break;
case 4:
lSophosReturnValues.Status = lHostInfo[4];
break;
case 5:
lSophosReturnValues.ThreatType = lHostInfo[5];
break;
case 6:
lSophosReturnValues.ThreatName = lHostInfo[6];
lFidoReturnValues.MalwareType = lHostInfo[6];
break;
case 7:
lSophosReturnValues.FilePath = lHostInfo[7];
break;
case 8:
lSophosReturnValues.HostName = lHostInfo[8];
lFidoReturnValues.Hostname = lHostInfo[8];
break;
case 9:
lFidoReturnValues.SrcIP = lHostInfo[9];
break;
}
}
lFidoReturnValues.Antivirus = lSophosReturnValues;
return lFidoReturnValues;
}
public static FidoReturnValues GetDomainStatus(FidoReturnValues lFidoReturnValues)
{
return lFidoReturnValues;
}
private static void UpdateHistoricalHashInfo(FidoReturnValues lFidoReturnValues)
{
try
{
if (lFidoReturnValues.Hash != null)
{
foreach (var hash in lFidoReturnValues.Hash.Where(hash => !string.IsNullOrEmpty(hash)))
{
InsertHistoricalThreatToDB(@"hash", hash, lFidoReturnValues.TimeOccurred);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical hash info in fidodb:" + e);
}
}
private static void CloseCarbonBlackAlert(FidoReturnValues lFidoReturnValues)
{
Console.WriteLine(@"Closing CarbonBlack event for: " + lFidoReturnValues.AlertID + @".");
//currently needed to bypass site without a valid cert.
//todo: make ssl bypass configurable
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("carbonblackv1");
var request = parseConfigs.Server + parseConfigs.Query2 + lFidoReturnValues.AlertID + parseConfigs.Query3;
var alertRequest = (HttpWebRequest)WebRequest.Create(request);
alertRequest.Method = "POST";
alertRequest.ContentType = "application/json";
alertRequest.Headers[@"X-Auth-Token"] = parseConfigs.APIKey;
try
{
using (var cbResponse = alertRequest.GetResponse() as HttpWebResponse)
{
if (cbResponse != null && cbResponse.StatusCode == HttpStatusCode.OK)
{
using (var respStream = cbResponse.GetResponseStream())
{
if (respStream == null) return;
var cbReader = new StreamReader(respStream, Encoding.UTF8);
var stringreturn = cbReader.ReadToEnd();
if (stringreturn == "[]") return;
var cbReturn = JsonConvert.DeserializeObject<Object_CarbonBlack_Alert_Class.CarbonBlack>(stringreturn);
if (cbReturn != null)
{
ParseCarbonBlackAlert(cbReturn);
}
var responseStream = cbResponse.GetResponseStream();
if (responseStream != null) responseStream.Dispose();
cbResponse.Close();
Console.WriteLine(@"Finished retreiving CB alerts.");
}
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black alert area:" + e);
}
}
internal static EventAlerts GetPreviousMachineAlerts(FidoReturnValues lFidoReturnValues, bool isMatrixScore)
{
var machineQuery = string.Empty;
lFidoReturnValues.IsSendAlert = true;
if (!string.IsNullOrEmpty(lFidoReturnValues.Hostname))
{
//todo: move this to the database
machineQuery = "SELECT * FROM event_alerts WHERE hostname = '" + lFidoReturnValues.Hostname.ToLower() + "' ORDER BY primkey DESC";
}
else if (!string.IsNullOrEmpty(lFidoReturnValues.SrcIP))
{
//todo: move this to the database
machineQuery = "SELECT * FROM event_alerts WHERE ip_address = '" + lFidoReturnValues.SrcIP + "' ORDER BY primkey DESC";
}
var fidoTemp = GetPreviousAlerts(machineQuery);
if (fidoTemp.Rows.Count <= 0) return lFidoReturnValues.PreviousAlerts;
lFidoReturnValues.PreviousAlerts = new EventAlerts {Alerts = fidoTemp};
if (!isMatrixScore) return lFidoReturnValues.PreviousAlerts;
//todo: move integer values for time offsets to database as configurable.
try
{
return PreviousMachineAlerts(lFidoReturnValues, fidoTemp);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e);
}
return lFidoReturnValues.PreviousAlerts;
}
private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
{
var cbHost = string.Empty;
var cbHostInt = 0;
foreach (var cbEvent in cbReturn.Results)
{
Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
try
{
//initialize generic variables for CB values
var lFidoReturnValues = new FidoReturnValues();
if (lFidoReturnValues.PreviousAlerts == null)
{
lFidoReturnValues.PreviousAlerts = new EventAlerts();
}
if (lFidoReturnValues.CB == null)
{
lFidoReturnValues.CB = new CarbonBlackReturnValues { Alert = new CarbonBlackAlert() };
}
lFidoReturnValues.CurrentDetector = "carbonblackv1";
lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType;
if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary"))
{
lFidoReturnValues.isBinary = true;
}
var dTable = new SqLiteDB();
var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
var cbDict = GetDict(cbData);
foreach (var label in cbDict)
{
if (cbEvent.WatchlistName == label.Key)
{
lFidoReturnValues.MalwareType = label.Value;
break;
}
}
if (lFidoReturnValues.MalwareType == null) lFidoReturnValues.MalwareType = "Malicious file detected.";
lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID;
lFidoReturnValues.AlertID = cbEvent.UniqueID;
lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
lFidoReturnValues.Hostname = cbEvent.Hostname;
//todo: this was supposed to limit the total # of alerts sent from a single host,
//however, it is poo and needs to be redone.
if (lFidoReturnValues.Hostname != cbHost)
{
cbHost = lFidoReturnValues.Hostname;
}
else
{
cbHostInt++;
}
if (cbHostInt >= 25)
{
CloseCarbonBlackAlert(lFidoReturnValues);
}
lFidoReturnValues.Username = cbEvent.Username;
lFidoReturnValues.Hash = new List<string> {cbEvent.MD5};
lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);
if (string.IsNullOrEmpty(cbEvent.ProcessPath))
{
if (string.IsNullOrEmpty(cbEvent.ProcessPath)) lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0];
}
else
{
lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;
}
if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null))
{
lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
}
else
{
lFidoReturnValues.CB.Alert.HostCount = "0";
}
if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null))
{
lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
}
else
{
lFidoReturnValues.CB.Alert.NetConn = "0";
}
if (lFidoReturnValues.CB.Inventory != null)
{
var sFilter = new[] {"|", ","};
var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter,StringSplitOptions.RemoveEmptyEntries);
lFidoReturnValues.SrcIP = sIP[0];
}
var isRunDirector = false;
//Check to see if ID has been processed before
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
{
isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
}
if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue;
//todo: build better filetype versus targetted OS, then remove this.
lFidoReturnValues.IsTargetOS = true;
TheDirector.Direct(lFidoReturnValues);
//CloseCarbonBlackAlert(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
}
}
}
public static FidoReturnValues RunMatrix(FidoReturnValues lFidoReturnValues)
{
//Iterate through each detector and the corresponding threat feed looking for values to score
#region ThreatScore
Console.WriteLine(@"Starting threat feed evaluation.");
lFidoReturnValues = Matrix_Scoring.GetDetectorsScore(lFidoReturnValues);
#endregion
var isRunAssett = Object_Fido_Configs.GetAsBool("fido.director.assetscore", false);
if (isRunAssett)
{
#region AssetValue
Console.WriteLine(@"Starting assest evaluation.");
//asset evaluation
var isPaired = Object_Fido_Configs.GetAsBool("fido.posture.asset.paired", false);
lFidoReturnValues = Matrix_Scoring.GetAssetScore(lFidoReturnValues, isPaired);
#endregion
#region MachinePosture
Console.WriteLine(@"Scoring machine posture evaluation.");
//Patch evaluation
lFidoReturnValues = Matrix_Scoring.GetPatchScore(lFidoReturnValues);
//AV evaluation
lFidoReturnValues = Matrix_Scoring.GetAVScore(lFidoReturnValues);
#endregion
#region UserPosture
Console.WriteLine(@"Starting user posture evaluation.");
if (lFidoReturnValues.UserInfo != null)
{
lFidoReturnValues = Matrix_Scoring.GetUserScore(lFidoReturnValues);
}
#endregion
}
#region HistoricalInfo
Console.WriteLine(@"Starting historical artifact evaluation.");
lFidoReturnValues = Matrix_Historical_Helper.HistoricalEvent(lFidoReturnValues);
lFidoReturnValues = Matrix_Scoring.GetHistoricalHashCount(lFidoReturnValues);
lFidoReturnValues = Matrix_Scoring.GetHistoricalURLCount(lFidoReturnValues);
lFidoReturnValues = Matrix_Scoring.GetHistoricalIPCount(lFidoReturnValues);
#endregion
#region PreviousAlerts
Console.WriteLine(@"Checking to see if this machine has previous alerted.");
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, true);
#endregion
//todo: put configuration in DB for whether to include user/machine score in division of their score.
//lFidoReturnValues.TotalScore = lFidoReturnValues.TotalScore / 10;
//lFidoReturnValues.UserScore = lFidoReturnValues.UserScore / 10;
//lFidoReturnValues.MachineScore = lFidoReturnValues.MachineScore / 10;
lFidoReturnValues.ThreatScore = lFidoReturnValues.ThreatScore / 10;
lFidoReturnValues = Matrix_Scoring.SetScoreValues(lFidoReturnValues);
Console.WriteLine(@"Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"Machine Score for event = " + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"User Score for event = " + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture));
return lFidoReturnValues;
}
public static List<string> RunEnforce(FidoReturnValues lFidoReturnValues)
{
return lFidoReturnValues.Actions;
}
public static FidoReturnValues GetHostOsInfo(FidoReturnValues lFidoReturnValues, string sConnectionString)
{
var lLandeskReturnValues = lFidoReturnValues.Landesk;
var lHostInfoReturn = new List<string>();
//todo: move this to the DB as a const value.
var sQuery = "SELECT DISTINCT A1.OSTYPE, A0.TYPE, A2.HASBATTERY, A2.CHASSISTYPE, A1.VERSION, A3.CURRENTBUILD FROM Computer A0 (nolock) LEFT OUTER JOIN Operating_System A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN CompSystem A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn LEFT OUTER JOIN OSNT A3 (nolock) ON A0.Computer_Idn = A3.Computer_Idn WHERE (A0.DeviceName = N' + hostname + ')";
//todo: move the below to a parametertized function to prevent SQL injection.
sQuery = sQuery.Replace(" + hostname + ", lFidoReturnValues.Landesk.Hostname);
var sqlConnect = new SqlConnection(sConnectionString);
sqlConnect.Open();
try
{
var sqlCmd = new SqlCommand(sQuery, sqlConnect);
var sqlReader = sqlCmd.ExecuteReader();
Thread.Sleep(500);
if (sqlReader.HasRows)
{
while (sqlReader.Read())
{
var oHostOsInfo = new object[sqlReader.FieldCount];
sqlReader.GetValues(oHostOsInfo);
var q = oHostOsInfo.Count();
for (var i = 0; i < q; i++)
{
lHostInfoReturn.Add(string.IsNullOrEmpty(oHostOsInfo[i].ToString()) ? oHostOsInfo[i].ToString() : "unknown");
}
}
}
sqlReader.Dispose();
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting vulns from Landesk:" + e);
}
finally
{
sqlConnect.Dispose();
}
lLandeskReturnValues = Landesk2FidoValues.LandeskOsValues(lLandeskReturnValues, lHostInfoReturn);
lFidoReturnValues.Landesk = lLandeskReturnValues;
return lFidoReturnValues;
}
