private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
        {
            //if ProtectWise has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                if ((lFidoReturnValues.ProtectWise != null) && (lFidoReturnValues.ProtectWise.MD5 != null) && (lFidoReturnValues.ProtectWise.MD5.Any()))
                {
                    if (lFidoReturnValues.ProtectWise.VirusTotal == null)
                    {
                        lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
                    }
                    Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
                    var MD5Hash = new List <string> {
                        lFidoReturnValues.ProtectWise.MD5
                    };
                    lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(MD5Hash);
                }
            }

            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
                lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
            }

            return(lFidoReturnValues);
        }
        private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
        {
            //if FireEye has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any()))
                {
                    if (lFidoReturnValues.FireEye.VirusTotal == null)
                    {
                        lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues();
                    }
                    Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
                    lFidoReturnValues.FireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.FireEye.MD5Hash);
                }
            }

            //todo: decide if FireEye should go to ThreatGRID
            //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            //{
            //  Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
            //  lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
            //}

            return(lFidoReturnValues);
        }
Esempio n. 3
0
        private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return(lFidoReturnValues);
            }

            var sIPToCheck = new List <string>();

            if (lFidoReturnValues.ProtectWise.VirusTotal == null)
            {
                lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
            }
            //send ProtectWise return to VT URL API
            if (lFidoReturnValues.ProtectWise.IncidentDetails.Data != null)
            {
                if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
                {
                    Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
                    var URL = new List <string> {
                        lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation.Url
                    };
                    var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
                    if (vtURLReturn != null)
                    {
                        lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
                    }
                }
                else if (lFidoReturnValues.ProtectWise.URL != null)
                {
                    Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
                    var URL = new List <string> {
                        lFidoReturnValues.ProtectWise.URL
                    };
                    var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
                    if (vtURLReturn != null)
                    {
                        lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
                    }
                }
            }

            if (lFidoReturnValues.ProtectWise.DstIP != null)
            {
                sIPToCheck.Add(lFidoReturnValues.ProtectWise.DstIP);
            }

            sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();
            //send ProtectWise return to VT IP API
            if (sIPToCheck.Any())
            {
                Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                lFidoReturnValues.ProtectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                //todo: move the url to the database
                lFidoReturnValues.ProtectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.ProtectWise.DstIP + "/information/";
            }
            return(lFidoReturnValues);
        }
Esempio n. 4
0
        private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return(lFidoReturnValues);
            }

            var sIPToCheck = new List <string> {
                lFidoReturnValues.PaloAlto.DstIp
            };

            //send ProtectWise return to VT IP API
            if (lFidoReturnValues.PaloAlto.DstIp.Any())
            {
                if (lFidoReturnValues.PaloAlto.VirusTotal == null)
                {
                    lFidoReturnValues.PaloAlto.VirusTotal = new VirusTotalReturnValues();
                }

                Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                try
                {
                    var IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                    if (IPReturn != null)
                    {
                        lFidoReturnValues.PaloAlto.VirusTotal.IPReturn = IPReturn;
                    }
                }
                catch (Exception e)
                {
                    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
                }

                //todo: move the url to the database
                lFidoReturnValues.PaloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.PaloAlto.DstIp + "/information/";
            }
            return(lFidoReturnValues);
        }
        private static FidoReturnValues CyphortHash(FidoReturnValues lFidoReturnValues)
        {
            //if Cyphort has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                if ((lFidoReturnValues.Cyphort != null) && (lFidoReturnValues.Cyphort.MD5Hash != null) && (lFidoReturnValues.Cyphort.MD5Hash.Any()))
                {
                    if (lFidoReturnValues.Cyphort.VirusTotal == null)
                    {
                        lFidoReturnValues.Cyphort.VirusTotal = new VirusTotalReturnValues();
                    }
                    Console.WriteLine(@"Sending Cyphort hashes to VirusTotal.");
                    lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.Cyphort.MD5Hash);
                }
            }

            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                Console.WriteLine(@"Sending Cyphort hashes to ThreatGRID.");
                lFidoReturnValues = SendCyphortToThreatGRID(lFidoReturnValues);
            }
            return(lFidoReturnValues);
        }
Esempio n. 6
0
        private static FidoReturnValues FireEyeURL(FidoReturnValues lFidoReturnValues)
        {
            if ((lFidoReturnValues.FireEye != null) && ((lFidoReturnValues.FireEye.URL.Count != 0) || (lFidoReturnValues.FireEye.ChannelHost.Count != 0)))
            {
                //initialize VT area if null
                if (lFidoReturnValues.FireEye.VirusTotal == null)
                {
                    lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues();
                }

                //convert return from FireEye to list
                var sURLToCheck = new List <string>();
                //if ((lFidoReturnValues.FireEye.URL != null) && (lFidoReturnValues.FireEye.URL.Count > 0))
                //{
                //  sURLToCheck.AddRange(lFidoReturnValues.FireEye.URL);
                //}
                if ((lFidoReturnValues.FireEye.ChannelHost != null) && (lFidoReturnValues.FireEye.ChannelHost.Count > 0))
                {
                    sURLToCheck.AddRange(lFidoReturnValues.FireEye.ChannelHost);
                }
                //if (lFidoReturnValues.FireEye.DstIP != null)
                //{
                //  sURLToCheck.Add(lFidoReturnValues.FireEye.DstIP);
                //}

                sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

                //send FireEye return to VT
                if ((sURLToCheck != null) && sURLToCheck.Any())
                {
                    Console.WriteLine(@"Sending FireEye URLs to VirusTotal.");
                    lFidoReturnValues.FireEye.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
                }

                var sIPToCheck = new List <string>();

                if (lFidoReturnValues.FireEye.DstIP != null)
                {
                    sIPToCheck.Add(lFidoReturnValues.FireEye.DstIP);
                }

                sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

                //send IP information to VT IP API
                if (sIPToCheck != null)
                {
                    Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                    lFidoReturnValues.FireEye.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                    lFidoReturnValues.FireEye.VirusTotal.IPUrl    = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.FireEye.DstIP + "/information/";
                }

                //initialize AlienVault area if null
                if (lFidoReturnValues.FireEye.AlienVault == null)
                {
                    lFidoReturnValues.FireEye.AlienVault = new AlienVaultReturnValues();
                }

                //next send FireEye return to AlienVault
                if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.DstIP != null))
                {
                    Console.WriteLine(@"Getting IP information from AlienVault");
                    lFidoReturnValues.FireEye.AlienVault = Feeds_AlientVault.AlienVaultIP(lFidoReturnValues.DstIP);
                }
            }
            return(lFidoReturnValues);
        }
Esempio n. 7
0
        private static FidoReturnValues SendCyphortToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return(lFidoReturnValues);
            }

            //convert return from Cyphort to list
            var sURLToCheck = new List <string>();

            if ((lFidoReturnValues.Cyphort.URL.Any()) && (lFidoReturnValues.Cyphort.URL.Count > 0))
            {
                for (var i = 0; i < lFidoReturnValues.Cyphort.URL.Count(); i++)
                {
                    if (string.IsNullOrEmpty(lFidoReturnValues.Cyphort.URL[i]))
                    {
                        continue;
                    }
                    if (lFidoReturnValues.Cyphort.URL[i].Contains(".exe"))
                    {
                        continue;
                    }
                    //if (!lFidoReturnValues.Cyphort.URL[i].Contains(".com"))
                    //{
                    //  lFidoReturnValues.Cyphort.URL[i] = lFidoReturnValues.Cyphort.URL[i] + @".com";
                    //}
                    sURLToCheck.Add(lFidoReturnValues.Cyphort.URL[i]);
                }
            }

            if ((lFidoReturnValues.Cyphort.Domain != null) && (lFidoReturnValues.Cyphort.Domain.Count > 0))
            {
                sURLToCheck.AddRange(lFidoReturnValues.Cyphort.Domain);
            }

            if (lFidoReturnValues.Cyphort.DstIP != null)
            {
                sURLToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
            }

            sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

            //send Cyphort return to VT URL API
            if (sURLToCheck.Any())
            {
                Console.WriteLine(@"Sending Cyport URLs to VirusTotal.");
                lFidoReturnValues.Cyphort.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
            }

            var sIPToCheck = new List <string>();

            if (lFidoReturnValues.Cyphort.DstIP != null)
            {
                sIPToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
            }

            sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

            //send Cyphort return to VT IP API
            if (sIPToCheck.Any())
            {
                Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                lFidoReturnValues.Cyphort.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                //todo: move the url to the database
                lFidoReturnValues.Cyphort.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.Cyphort.DstIP + "/information/";
            }
            return(lFidoReturnValues);
        }
Esempio n. 8
0
        //This is the detector call for bit9. Its purpose is to get
        //the most recent hashes (last 60 secs (or so)) and parse them
        //over to our security feeds. If the security feeds find
        //relevant information get hostname/ip and call TheDirector.
        public static void GetEvents()
        {
            var lFidoReturnValues = new FidoReturnValues();

            try
            {
                Console.WriteLine(@"Running Bit9 detector.");
                var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
                sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
                var sUserID            = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
                var sPwd               = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
                var sBit9Server        = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
                var sDb                = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
                var sBit9DetectorQuery = Object_Fido_Configs.GetAsString("fido.detectors.bit9.query", null);
                var sTempConn          = Object_Fido_Configs.GetAsString("fido.detectors.bit9.connectionstring", null);
                var replacements       = new Dictionary <string, string>
                {
                    { "sUserID", sUserID },
                    { "sPwd", sPwd },
                    { "sBit9Server", sBit9Server },
                    { "sDB", sDb }
                };

                //sTempConn = replacements.Aggregate(sTempConn, (current, srep) => current.Replace(srep.Key, srep.Value));
                //todo: SQL injection. really? this was the best you could think of? remove this and do it properly.
                var vConnection = new SqlConnection("user id=" + sUserID + ";password="******";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDb + ";connection timeout=60");
                var sqlCmd      = new SqlCommand(sBit9DetectorQuery, vConnection)
                {
                    CommandType = CommandType.Text
                };
                var lBit9Hash = new List <string>();

                vConnection.Open();

                using (var objReader = sqlCmd.ExecuteReader())
                {
                    if (objReader.HasRows)
                    {
                        Console.WriteLine(@"New hashes found...");
                        while (objReader.Read())
                        {
                            var oBit9Return = new object[objReader.FieldCount];
                            var quant       = objReader.GetSqlValues(oBit9Return);
                            if (oBit9Return.GetValue(4) != null)
                            {
                                lBit9Hash.Add(oBit9Return.GetValue(4).ToString());
                            }
                        }
                    }
                }
                if (lBit9Hash.Count == 0)
                {
                    return;
                }
                Console.WriteLine(@"Processing " + lBit9Hash.Count().ToString(CultureInfo.InvariantCulture) + @" hashes.");
                var aryBit9Hash = lBit9Hash.ToArray();
                lFidoReturnValues.Hash = lBit9Hash;
                //todo: write additional code to include other threat feeds.
                var vtReturn = Feeds_VirusTotal.ParseHash(aryBit9Hash);

                if (!vtReturn.Any())
                {
                    return;
                }

                //todo: if return is 'not seen before' right helper function to upload file to threat feed.
                foreach (var vtEntry in vtReturn)
                {
                    if (vtEntry.Positives <= 0)
                    {
                        continue;
                    }

                    var sHostInfo = GetHost(vtEntry.Resource);
                    foreach (var sHostInfoList in sHostInfo)
                    {
                        var sSingleHostInfo = sHostInfoList.Split(',');
                        var sHostName       = sSingleHostInfo[0].Split('\\');
                        //todo: need to write second tree for when file hasn't
                        //executed, but does still exist on the system,
                        //sSingleHostInfo[1].ToLower() == "yes"
                        if (sSingleHostInfo[2].ToLower() != "yes")
                        {
                            continue;
                        }
                        if (lFidoReturnValues.Bit9 == null)
                        {
                            lFidoReturnValues.Bit9 = new Bit9ReturnValues();
                        }
                        if (lFidoReturnValues.Bit9.VTReport == null)
                        {
                            lFidoReturnValues.Bit9.VTReport = new List <FileReport>();
                        }

                        lFidoReturnValues.IsHostKnown   = true;
                        lFidoReturnValues.Hostname      = sHostName[1];
                        lFidoReturnValues.SrcIP         = sSingleHostInfo[1];
                        lFidoReturnValues.Bit9.HostName = sSingleHostInfo[0];
                        lFidoReturnValues.Bit9.VTReport.Add(vtEntry);
                        lFidoReturnValues.Bit9.FileExecuted = sSingleHostInfo[2];
                        lFidoReturnValues.Bit9.FileDeleted  = sSingleHostInfo[3];
                        lFidoReturnValues.CurrentDetector   = "bit9";
                        lFidoReturnValues.MalwareType       = "Malicious file";
                        lFidoReturnValues.IsTargetOS        = true;
                        lFidoReturnValues.DstIP             = string.Empty;
                        var lMD5 = new List <string> {
                            vtEntry.MD5
                        };
                        lMD5 = GetFileInfo(lMD5, lFidoReturnValues.Bit9);
                        lFidoReturnValues.Bit9.FileName   = lMD5[5] + @"\" + lMD5[6];
                        lFidoReturnValues.Bit9.FileThreat = lMD5[51];
                        lFidoReturnValues.Bit9.FileTrust  = lMD5[50];
                        //lFidoReturnValues.Hash = new List<FileReport> {vtEntry.MD5};
                        Console.WriteLine(@"Malicious hashes found... continue to process.");
                        TheDirector.Direct(lFidoReturnValues);
                    }
                }
                vConnection.Close();
                Console.WriteLine(@"Exiting Bit9 detector.");
            }
            catch (Exception e)
            {
                // Get stack trace for the exception with source file information
                var st = new StackTrace(e, true);
                // Get the top stack frame
                var frame = st.GetFrame(0);
                // Get the line number from the stack frame
                var line = frame.GetFileLineNumber();
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving alerts from Bit9 on line " + line + ":" + e);
            }
        }