private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
{
    // Forward the ProtectWise MD5 (when one is present) to whichever threat
    // feeds are switched on in configuration: VirusTotal, then ThreatGRID.
    var protectWise = lFidoReturnValues.ProtectWise;
    var useVirusTotal = Object_Fido_Configs.GetAsBool("fido.director.virustotal", false);
    var hasMd5 = protectWise != null && protectWise.MD5 != null && protectWise.MD5.Any();

    if (useVirusTotal && hasMd5)
    {
        // The VirusTotal section is allocated lazily, only when there is a result to store.
        protectWise.VirusTotal = protectWise.VirusTotal ?? new VirusTotalReturnValues();
        Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
        var hashesToCheck = new List<string> { protectWise.MD5 };
        protectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(hashesToCheck);
    }

    var useThreatGrid = Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false);
    if (useThreatGrid)
    {
        Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
        lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
    }

    return lFidoReturnValues;
}
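private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
{
    // Forward FireEye MD5 hashes to VirusTotal when that feed is enabled.
    // ThreatGRID forwarding for FireEye is still an open decision (see todo below).
    //if FireEye has hashes send to threat feeds
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        var fireEye = lFidoReturnValues.FireEye;
        // MD5Hash is null-checked here the same way CyphortHash/ProtectWiseHash do;
        // previously a null list would have thrown on .Any().
        if (fireEye != null && fireEye.MD5Hash != null && fireEye.MD5Hash.Any())
        {
            if (fireEye.VirusTotal == null)
            {
                fireEye.VirusTotal = new VirusTotalReturnValues();
            }
            Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
            fireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(fireEye.MD5Hash);
        }
    }
    //todo: decide if FireEye should go to ThreatGRID
    //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    //{
    //    Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
    //    lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
    //}
    return lFidoReturnValues;
}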
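private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // Submit the ProtectWise URL (or, failing that, its stored URL field) to the
    // VirusTotal URL API and the destination IP to the VirusTotal IP API.
    // The gate used to return early when "fido.director.virustotal" was TRUE, the
    // opposite of how ProtectWiseHash reads the same key; it now returns when disabled.
    if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }
    var protectWise = lFidoReturnValues.ProtectWise;
    if (protectWise == null)
    {
        return lFidoReturnValues;
    }
    if (protectWise.VirusTotal == null)
    {
        protectWise.VirusTotal = new VirusTotalReturnValues();
    }

    //send ProtectWise return to VT URL API
    // IncidentDetails is guarded too; only its Data was checked before.
    var incidentData = protectWise.IncidentDetails != null ? protectWise.IncidentDetails.Data : null;
    string urlToCheck = null;
    if (incidentData != null)
    {
        if (incidentData.URL_Reputation != null)
        {
            Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
            urlToCheck = incidentData.URL_Reputation.Url;
        }
        else if (protectWise.URL != null)
        {
            Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
            urlToCheck = protectWise.URL;
        }
    }
    // An empty/null URL is not submitted (previously a single-null list could be sent).
    if (!string.IsNullOrEmpty(urlToCheck))
    {
        var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(new List<string> { urlToCheck });
        if (vtURLReturn != null)
        {
            protectWise.VirusTotal.URLReturn = vtURLReturn;
        }
    }

    //send ProtectWise return to VT IP API
    if (!string.IsNullOrEmpty(protectWise.DstIP))
    {
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        protectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(new List<string> { protectWise.DstIP });
        //todo: move the url to the database
        protectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + protectWise.DstIP + "/information/";
    }
    return lFidoReturnValues;
}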
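private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // Look up the Palo Alto destination IP on the VirusTotal IP API.
    // The gate used to return early when "fido.director.virustotal" was TRUE, the
    // opposite of the hash senders; it now returns when the feed is disabled.
    if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }
    var paloAlto = lFidoReturnValues.PaloAlto;
    // PaloAlto and DstIp are guarded; DstIp.Any() previously threw on a null IP.
    if (paloAlto == null || string.IsNullOrEmpty(paloAlto.DstIp))
    {
        return lFidoReturnValues;
    }
    if (paloAlto.VirusTotal == null)
    {
        paloAlto.VirusTotal = new VirusTotalReturnValues();
    }

    //send PaloAlto return to VT IP API
    Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
    var sIPToCheck = new List<string> { paloAlto.DstIp };
    try
    {
        var IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
        if (IPReturn != null)
        {
            paloAlto.VirusTotal.IPReturn = IPReturn;
        }
    }
    catch (Exception e)
    {
        // Best-effort: a feed failure is reported by e-mail and does not abort the director.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
    }
    //todo: move the url to the database
    paloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + paloAlto.DstIp + "/information/";
    return lFidoReturnValues;
}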
private static FidoReturnValues CyphortHash(FidoReturnValues lFidoReturnValues)
{
    // Forward Cyphort MD5 hashes to the threat feeds enabled in configuration.
    //if Cyphort has hashes send to threat feeds
    var sendToVirusTotal = Object_Fido_Configs.GetAsBool("fido.director.virustotal", false);
    if (sendToVirusTotal)
    {
        var cyphort = lFidoReturnValues.Cyphort;
        var hashes = cyphort == null ? null : cyphort.MD5Hash;
        if (hashes != null && hashes.Any())
        {
            // Allocate the VirusTotal section only when there is a result to store.
            cyphort.VirusTotal = cyphort.VirusTotal ?? new VirusTotalReturnValues();
            Console.WriteLine(@"Sending Cyphort hashes to VirusTotal.");
            cyphort.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(hashes);
        }
    }

    var sendToThreatGrid = Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false);
    if (sendToThreatGrid)
    {
        Console.WriteLine(@"Sending Cyphort hashes to ThreatGRID.");
        lFidoReturnValues = SendCyphortToThreatGRID(lFidoReturnValues);
    }

    return lFidoReturnValues;
}
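private static FidoReturnValues FireEyeURL(FidoReturnValues lFidoReturnValues)
{
    // Submit FireEye channel hosts and the destination IP to VirusTotal, then the
    // destination IP to AlienVault. Unlike the other senders this method reads no
    // "fido.director.virustotal" gate; that is kept as-is here.
    var fireEye = lFidoReturnValues.FireEye;
    if (fireEye == null)
    {
        return lFidoReturnValues;
    }
    // URL and ChannelHost are null-guarded; .Count on a null list threw before.
    var hasUrls = fireEye.URL != null && fireEye.URL.Count != 0;
    var hasChannelHosts = fireEye.ChannelHost != null && fireEye.ChannelHost.Count != 0;
    if (!hasUrls && !hasChannelHosts)
    {
        return lFidoReturnValues;
    }

    //initialize VT area if null
    if (fireEye.VirusTotal == null)
    {
        fireEye.VirusTotal = new VirusTotalReturnValues();
    }

    //convert return from FireEye to list
    // Only ChannelHost values go to the URL API; FireEye.URL entries and the
    // destination IP are deliberately left out of this list.
    var sURLToCheck = hasChannelHosts
        ? fireEye.ChannelHost.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList()
        : new List<string>();
    //send FireEye return to VT
    if (sURLToCheck.Any())
    {
        Console.WriteLine(@"Sending FireEye URLs to VirusTotal.");
        fireEye.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
    }

    //send IP information to VT IP API
    // This was gated on `sIPToCheck != null`, which is always true, so an empty
    // list was submitted and IPUrl was built around a null DstIP.
    if (!string.IsNullOrEmpty(fireEye.DstIP))
    {
        var sIPToCheck = new List<string> { fireEye.DstIP };
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        fireEye.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
        fireEye.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + fireEye.DstIP + "/information/";
    }

    //initialize AlienVault area if null
    if (fireEye.AlienVault == null)
    {
        fireEye.AlienVault = new AlienVaultReturnValues();
    }
    //next send FireEye return to AlienVault
    if (fireEye.DstIP != null)
    {
        Console.WriteLine(@"Getting IP information from AlienVault");
        // NOTE(review): the guard checks FireEye.DstIP but the lookup is handed the
        // top-level lFidoReturnValues.DstIP, exactly as before — confirm which is meant.
        fireEye.AlienVault = Feeds_AlientVault.AlienVaultIP(lFidoReturnValues.DstIP);
    }
    return lFidoReturnValues;
}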
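private static FidoReturnValues SendCyphortToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // Submit Cyphort URLs, domains and destination IP to the VirusTotal URL API,
    // and the destination IP to the VirusTotal IP API.
    // The gate used to return early when "fido.director.virustotal" was TRUE, the
    // opposite of CyphortHash; it now returns when the feed is disabled.
    if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }
    var cyphort = lFidoReturnValues.Cyphort;
    if (cyphort == null)
    {
        return lFidoReturnValues;
    }
    // The other senders allocate the VirusTotal section on demand; this one
    // assigned into it unchecked and threw when the detector left it null.
    if (cyphort.VirusTotal == null)
    {
        cyphort.VirusTotal = new VirusTotalReturnValues();
    }

    //convert return from Cyphort to list
    var sURLToCheck = new List<string>();
    if (cyphort.URL != null)
    {
        // Empty entries and any URL naming an .exe are skipped, as before.
        sURLToCheck.AddRange(cyphort.URL.Where(u => !string.IsNullOrEmpty(u) && !u.Contains(".exe")));
    }
    if (cyphort.Domain != null && cyphort.Domain.Count > 0)
    {
        sURLToCheck.AddRange(cyphort.Domain);
    }
    if (cyphort.DstIP != null)
    {
        sURLToCheck.Add(cyphort.DstIP);
    }
    sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();
    //send Cyphort return to VT URL API
    if (sURLToCheck.Any())
    {
        Console.WriteLine(@"Sending Cyport URLs to VirusTotal.");
        cyphort.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
    }

    //send Cyphort return to VT IP API
    if (!string.IsNullOrEmpty(cyphort.DstIP))
    {
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        cyphort.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(new List<string> { cyphort.DstIP });
        //todo: move the url to the database
        cyphort.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + cyphort.DstIP + "/information/";
    }
    return lFidoReturnValues;
}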
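//This is the detector call for bit9. Its purpose is to get
//the most recent hashes (last 60 secs (or so)) and parse them
//over to our security feeds. If the security feeds find
//relevant information get hostname/ip and call TheDirector.
public static void GetEvents()
{
    var lFidoReturnValues = new FidoReturnValues();
    try
    {
        Console.WriteLine(@"Running Bit9 detector.");

        // The Bit9 SQL credentials are stored AES-encrypted in the config; the
        // key used to unwrap them is itself decrypted with the literal "1".
        // NOTE(review): that looks like a hard-coded passphrase protecting the
        // key-encryption key — confirm what Aes_Crypto does with that argument.
        var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
        sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
        var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
        var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
        var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
        var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
        var sBit9DetectorQuery = Object_Fido_Configs.GetAsString("fido.detectors.bit9.query", null);

        // The connection string was assembled by string concatenation (the
        // "SQL injection" todo); the builder quotes each value, so a server or
        // database name containing ';' or '=' cannot introduce extra keywords.
        // NOTE(review): the original string set Integrated Security=sspi next to
        // the SQL user id/password; under Windows auth the driver ignores the
        // latter — confirm which authentication mode the Bit9 server expects.
        var connBuilder = new SqlConnectionStringBuilder
        {
            UserID = sUserID,
            Password = sPwd,
            DataSource = sBit9Server + ",1433",
            IntegratedSecurity = true,
            InitialCatalog = sDb,
            ConnectTimeout = 60
        };

        var lBit9Hash = new List<string>();
        // using-blocks release the connection on every exit path; previously it
        // was only closed at the very end, so the early returns below leaked it.
        using (var vConnection = new SqlConnection(connBuilder.ConnectionString))
        using (var sqlCmd = new SqlCommand(sBit9DetectorQuery, vConnection) { CommandType = CommandType.Text })
        {
            // The query text comes from configuration and is executed verbatim,
            // so the config file is part of this detector's trust boundary.
            vConnection.Open();
            using (var objReader = sqlCmd.ExecuteReader())
            {
                if (objReader.HasRows)
                {
                    Console.WriteLine(@"New hashes found...");
                }
                while (objReader.Read())
                {
                    var oBit9Return = new object[objReader.FieldCount];
                    objReader.GetSqlValues(oBit9Return);
                    // Column 4 of the configured query is taken as the file hash.
                    var hashColumn = oBit9Return.GetValue(4);
                    if (hashColumn != null)
                    {
                        lBit9Hash.Add(hashColumn.ToString());
                    }
                }
            }
        }

        if (lBit9Hash.Count == 0)
        {
            return;
        }
        Console.WriteLine(@"Processing " + lBit9Hash.Count.ToString(CultureInfo.InvariantCulture) + @" hashes.");
        lFidoReturnValues.Hash = lBit9Hash;

        //todo: write additional code to include other threat feeds.
        var vtReturn = Feeds_VirusTotal.ParseHash(lBit9Hash.ToArray());
        if (vtReturn == null || !vtReturn.Any())
        {
            return;
        }
        //todo: if return is 'not seen before' right helper function to upload file to threat feed.
        foreach (var vtEntry in vtReturn)
        {
            // Only hashes with at least one positive detection are acted on.
            if (vtEntry.Positives <= 0)
            {
                continue;
            }
            var sHostInfo = GetHost(vtEntry.Resource);
            foreach (var sHostInfoList in sHostInfo)
            {
                // Each GetHost entry is a comma-separated record read positionally
                // below: [0] host (split again on '\'), [1] source IP, [2] executed, [3] deleted.
                var sSingleHostInfo = sHostInfoList.Split(',');
                if (sSingleHostInfo.Length < 4)
                {
                    continue; // malformed record; the positional reads would overrun it
                }
                var sHostName = sSingleHostInfo[0].Split('\\');
                if (sHostName.Length < 2)
                {
                    continue; // no '\' separator, so there is no host name part to take
                }
                //todo: need to write second tree for when file hasn't
                //executed, but does still exist on the system,
                //sSingleHostInfo[1].ToLower() == "yes"
                if (!string.Equals(sSingleHostInfo[2], "yes", StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }
                if (lFidoReturnValues.Bit9 == null)
                {
                    lFidoReturnValues.Bit9 = new Bit9ReturnValues();
                }
                if (lFidoReturnValues.Bit9.VTReport == null)
                {
                    lFidoReturnValues.Bit9.VTReport = new List<FileReport>();
                }
                lFidoReturnValues.IsHostKnown = true;
                lFidoReturnValues.Hostname = sHostName[1];
                lFidoReturnValues.SrcIP = sSingleHostInfo[1];
                lFidoReturnValues.Bit9.HostName = sSingleHostInfo[0];
                lFidoReturnValues.Bit9.VTReport.Add(vtEntry);
                lFidoReturnValues.Bit9.FileExecuted = sSingleHostInfo[2];
                lFidoReturnValues.Bit9.FileDeleted = sSingleHostInfo[3];
                lFidoReturnValues.CurrentDetector = "bit9";
                lFidoReturnValues.MalwareType = "Malicious file";
                lFidoReturnValues.IsTargetOS = true;
                lFidoReturnValues.DstIP = string.Empty;
                // GetFileInfo returns a positional list; the indexes below follow the
                // original code (5 and 6 joined into a path, 50 trust, 51 threat) and
                // are presumably fixed by the Bit9 file-info query — verify there.
                var lMD5 = GetFileInfo(new List<string> { vtEntry.MD5 }, lFidoReturnValues.Bit9);
                lFidoReturnValues.Bit9.FileName = lMD5[5] + @"\" + lMD5[6];
                lFidoReturnValues.Bit9.FileThreat = lMD5[51];
                lFidoReturnValues.Bit9.FileTrust = lMD5[50];
                Console.WriteLine(@"Malicious hashes found... continue to process.");
                TheDirector.Direct(lFidoReturnValues);
            }
        }
        Console.WriteLine(@"Exiting Bit9 detector.");
    }
    catch (Exception e)
    {
        // Best-effort reporting: any failure in the run is e-mailed together with
        // the line number of the top frame (0 when no source info is available).
        var st = new StackTrace(e, true);
        var frame = st.GetFrame(0);
        var line = frame != null ? frame.GetFileLineNumber() : 0;
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving alerts from Bit9 on line " + line + ":" + e);
    }
}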