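/// <summary>
/// Loads the historical-event query templates from the FIDO DB and counts how many
/// earlier events match this alert's URLs, destination IP and hashes.
/// </summary>
/// <param name="lFidoReturnValues">Alert state; its <c>HistoricalEvent</c> member is
/// replaced and its Url/Ip/Hash counts are filled in place.</param>
/// <returns>The same <paramref name="lFidoReturnValues"/> instance. It is returned
/// untouched when <c>configs_historical_events</c> has no rows.</returns>
internal static FidoReturnValues HistoricalEvent(FidoReturnValues lFidoReturnValues)
{
    Console.WriteLine(@"Gathering historical information from FIDO DB.");
    const string historicalQuery = "SELECT * FROM configs_historical_events";
    var fidoTemp = GetPreviousAlerts(historicalQuery);
    if (fidoTemp.Rows.Count <= 0)
    {
        return(lFidoReturnValues);
    }
    lFidoReturnValues.HistoricalEvent = FormatHistoricalEvents(fidoTemp);

    var urlCount = 0;
    var ipCount = 0;
    var hashCount = 0;
    try
    {
        // NOTE(review): the configured query templates are filled by plain string
        // substitution (%url%/%ip%/%hash%), so alert-supplied values reach the DB
        // unparameterised. GetPreviousAlerts only accepts query text; if it ever
        // gains a parameterised overload these three calls should use it.
        if (lFidoReturnValues.Url != null)
        {
            // Sum over every URL. The original overwrote the table on each
            // iteration and so only reported the last URL's count.
            foreach (var url in lFidoReturnValues.Url)
            {
                urlCount += GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.UrlQuery.Replace("%url%", url)).Rows.Count;
            }
        }

        // string.Replace treats a null replacement as "", so a missing DstIP does not throw.
        ipCount = GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.IpQuery.Replace("%ip%", lFidoReturnValues.DstIP)).Rows.Count;

        if (lFidoReturnValues.Hash != null)
        {
            foreach (var hash in lFidoReturnValues.Hash)
            {
                hashCount += GetPreviousAlerts(lFidoReturnValues.HistoricalEvent.HashQuery.Replace("%hash%", hash)).Rows.Count;
            }
        }

        Console.WriteLine(@"Historical data:");
        lFidoReturnValues.HistoricalEvent.UrlCount = urlCount;
        lFidoReturnValues.HistoricalEvent.IpCount = ipCount;
        lFidoReturnValues.HistoricalEvent.HashCount = hashCount;
        Console.WriteLine(@"URL Count = " + lFidoReturnValues.HistoricalEvent.UrlCount.ToString(CultureInfo.InvariantCulture));
        Console.WriteLine(@"IP Count = " + lFidoReturnValues.HistoricalEvent.IpCount.ToString(CultureInfo.InvariantCulture));
        Console.WriteLine(@"Hash Count = " + lFidoReturnValues.HistoricalEvent.HashCount.ToString(CultureInfo.InvariantCulture));
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e);
    }
    return(lFidoReturnValues);
}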
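/// <summary>
/// Fetches the observation details for every ProtectWise event (oldest first) and
/// hands each response to <c>ParseProtectWiseObservation</c>.
/// </summary>
/// <param name="protectWiseReturn">Event list from the ProtectWise search call; its
/// <c>Events</c> array is reversed in place.</param>
private static void ParseProtectWiseEvent(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events protectWiseReturn)
{
    protectWiseReturn.Events = protectWiseReturn.Events.Reverse().ToArray();
    foreach (var pevent in protectWiseReturn.Events)
    {
        Console.WriteLine(@"Gathering ProtectWise observations for event: " + pevent.Message + @".");
        // NOTE(review): SecurityProtocolType.Tls pins the process to TLS 1.0 and is a
        // process-wide setting; confirm the endpoint still accepts it and consider Tls12.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
        var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");
        var request = parseConfigs.Server + parseConfigs.Query2 + pevent.Id;
        var alertRequest = (HttpWebRequest)WebRequest.Create(request);
        alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
        alertRequest.Method = "GET";
        try
        {
            using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
            {
                if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK)
                {
                    continue;
                }
                using (var respStream = protectwiseResponse.GetResponseStream())
                {
                    if (respStream == null)
                    {
                        // One event without a body must not abort the remaining
                        // events (the original returned from the whole method here).
                        continue;
                    }
                    string stringreturn;
                    using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
                    {
                        stringreturn = protectwiseReader.ReadToEnd();
                    }
                    var protectwiseReturn = JsonConvert.DeserializeObject<Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event>(stringreturn);
                    if (protectwiseReturn != null)
                    {
                        ParseProtectWiseObservation(protectwiseReturn, pevent.Message);
                    }
                    // The using blocks dispose the stream and response; the original
                    // also fetched the stream a second time only to dispose it.
                }
            }
        }
        catch (Exception e)
        {
            Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector when getting json:" + e);
        }
    }
}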
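//This function will grab the API information and build a query string.
//Then it will assign the json return to an object. If any of the objects
//have a value they will be sent to ParseCyphort helper function.
/// <summary>
/// Runs the Cyphort v2 detector: builds the alert URL from the stored detector
/// configs, fetches the JSON and forwards it to <c>ParseCyphort</c> when any of
/// the correlation, infection or download arrays is non-empty.
/// </summary>
public static void GetCyphortAlerts()
{
    Console.WriteLine(@"Running Cyphort v2 detector.");
    //currently needed to bypass site without a valid cert.
    //todo: make ssl bypass configurable
    // NOTE(review): this callback disables certificate validation for EVERY
    // HTTPS request in the process, not just the Cyphort call, for the rest of
    // the run. Until the todo above is done, any detector that runs after this
    // one is also unverified.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv2");
    var request = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    alertRequest.Method = "GET";
    try
    {
        using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
            {
                return;
            }
            using (var respStream = cyphortResponse.GetResponseStream())
            {
                if (respStream == null)
                {
                    return;
                }
                string stringreturn;
                using (var cyphortReader = new StreamReader(respStream, Encoding.UTF8))
                {
                    stringreturn = cyphortReader.ReadToEnd();
                }
                var cyphortReturn = JsonConvert.DeserializeObject<CyphortClass>(stringreturn);
                // Null checks added: an empty/"null" body or a missing array used to
                // throw NullReferenceException here. "||" replaces the non-short-circuit "|".
                if (cyphortReturn != null && (HasAny(cyphortReturn.correlations_array) || HasAny(cyphortReturn.infections_array) || HasAny(cyphortReturn.downloads_array)))
                {
                    ParseCyphort(cyphortReturn);
                }
                Console.WriteLine(@"Finished processing Cyphort detector.");
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector getting json:" + e);
    }
}

// True when the sequence is non-null and has at least one element.
private static bool HasAny<T>(IEnumerable<T> items)
{
    return items != null && items.Any();
}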
//module to compose notifications
/// <summary>
/// Composes and sends the FIDO notification e-mail for one alert: normalises the
/// return values, derives the subject line and passes both to <c>SendMail</c>.
/// Any failure is written to the console and reported via <c>Fido_EventHandler</c>.
/// </summary>
/// <param name="lFidoReturnValues">The alert to notify about.</param>
public static void Notify(FidoReturnValues lFidoReturnValues)
{
    try
    {
        PrepareFidoReturnValues(lFidoReturnValues);
        var subjectLine = GetSubject(lFidoReturnValues);
        SendMail(subjectLine, lFidoReturnValues);
    }
    catch (Exception e)
    {
        Console.WriteLine(@"Error creating FIDO email. " + e);
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
    }
}
/// <summary>
/// Runs <paramref name="query"/> against the FIDO SQLite database.
/// </summary>
/// <param name="query">SQL text to execute; it is passed through unchanged.</param>
/// <returns>The resulting table, or an empty <see cref="DataTable"/> when the
/// query failed (the failure is reported by e-mail, not thrown).</returns>
private static DataTable GetThreatGridTable(string query)
{
    var resultTable = new DataTable();
    try
    {
        var db = new SqLiteDB();
        resultTable = db.GetDataTable(query);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
    }
    return(resultTable);
}
/// <summary>
/// Records the alert's destination IP in the historical-threat table, if one is set.
/// </summary>
/// <param name="lFidoReturnValues">Alert whose <c>DstIP</c> and <c>TimeOccurred</c> are stored.</param>
private static void UpdateHistoricalIPInfo(FidoReturnValues lFidoReturnValues)
{
    try
    {
        var destinationIp = lFidoReturnValues.DstIP;
        if (string.IsNullOrEmpty(destinationIp))
        {
            return;
        }
        var threatRow = new HistorialThreatData
        {
            SDB = @"ip",
            InValue = destinationIp,
            When = lFidoReturnValues.TimeOccurred
        };
        InsertHistoricalThreatToDB(threatRow);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical IP info in fidodb:" + e);
    }
}
/// <summary>
/// Copies the ProtectWise URL-reputation URL onto the alert, marks the alert as
/// targeting a supported OS and runs it through <c>TheDirector</c>.
/// </summary>
/// <param name="lFidoReturnValues">Alert carrying the ProtectWise incident details.</param>
/// <returns>The same <paramref name="lFidoReturnValues"/> instance.</returns>
private static FidoReturnValues FormatURLReturnValues(FidoReturnValues lFidoReturnValues)
{
    try
    {
        var protectWise = lFidoReturnValues.ProtectWise;
        protectWise.URL = protectWise.IncidentDetails.Data.URL_Reputation.Url;
        //todo: build better filetype versus targetted OS, then remove this.
        lFidoReturnValues.IsTargetOS = true;
        TheDirector.Direct(lFidoReturnValues);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 URL reputation return:" + e);
    }
    return(lFidoReturnValues);
}
/// <summary>
/// Records every non-empty URL on the alert in the historical-threat table.
/// </summary>
/// <param name="lFidoReturnValues">Alert whose <c>Url</c> list and <c>TimeOccurred</c> are stored.</param>
private static void UpdateHistoricalURLInfo(FidoReturnValues lFidoReturnValues)
{
    try
    {
        if (lFidoReturnValues.Url == null)
        {
            return;
        }
        foreach (var alertUrl in lFidoReturnValues.Url)
        {
            if (string.IsNullOrEmpty(alertUrl))
            {
                continue;
            }
            InsertHistoricalThreatToDB(@"url", alertUrl, lFidoReturnValues.TimeOccurred);
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historicaal URL info in fidodb:" + e);
    }
}
/// <summary>
/// Records every non-empty hash on the alert in the historical-threat table.
/// </summary>
/// <param name="lFidoReturnValues">Alert whose <c>Hash</c> list and <c>TimeOccurred</c> are stored.</param>
private static void UpdateHistoricalHashInfo(FidoReturnValues lFidoReturnValues)
{
    try
    {
        if (lFidoReturnValues.Hash == null)
        {
            return;
        }
        foreach (var alertHash in lFidoReturnValues.Hash)
        {
            if (string.IsNullOrEmpty(alertHash))
            {
                continue;
            }
            InsertHistoricalThreatToDB(@"hash", alertHash, lFidoReturnValues.TimeOccurred);
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update of historical hash info in fidodb:" + e);
    }
}
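/// <summary>
/// Reads OS type, chassis and build details for the alert's Landesk host name
/// and folds them into the alert's <c>Landesk</c> values via
/// <c>Landesk2FidoValues.LandeskOsValues</c>.
/// </summary>
/// <param name="lFidoReturnValues">Alert; <c>Landesk.Hostname</c> selects the computer.</param>
/// <param name="sConnectionString">SQL Server connection string for the Landesk DB.</param>
/// <returns>The same <paramref name="lFidoReturnValues"/> instance with <c>Landesk</c> updated.
/// Query failures are reported by e-mail and leave the host info list empty.</returns>
public static FidoReturnValues GetHostOsInfo(FidoReturnValues lFidoReturnValues, string sConnectionString)
{
    var lLandeskReturnValues = lFidoReturnValues.Landesk;
    var lHostInfoReturn = new List<string>();
    //todo: move this to the DB as a const value.
    // The host name is bound as @hostname rather than spliced into the text, so a
    // crafted device name cannot change the statement (the original did a string Replace).
    const string sQuery = "SELECT DISTINCT A1.OSTYPE, A0.TYPE, A2.HASBATTERY, A2.CHASSISTYPE, A1.VERSION, A3.CURRENTBUILD FROM Computer A0 (nolock) LEFT OUTER JOIN Operating_System A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN CompSystem A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn LEFT OUTER JOIN OSNT A3 (nolock) ON A0.Computer_Idn = A3.Computer_Idn WHERE (A0.DeviceName = @hostname)";
    try
    {
        using (var sqlConnect = new SqlConnection(sConnectionString))
        using (var sqlCmd = new SqlCommand(sQuery, sqlConnect))
        {
            sqlCmd.Parameters.AddWithValue("@hostname", (object)lFidoReturnValues.Landesk.Hostname ?? DBNull.Value);
            sqlConnect.Open();
            using (var sqlReader = sqlCmd.ExecuteReader())
            {
                while (sqlReader.Read())
                {
                    var oHostOsInfo = new object[sqlReader.FieldCount];
                    sqlReader.GetValues(oHostOsInfo);
                    foreach (var column in oHostOsInfo)
                    {
                        // The original ternary was inverted (empty -> "", non-empty -> "unknown").
                        // DBNull.ToString() is "", so NULL columns map to "unknown" too.
                        var text = column == null ? string.Empty : column.ToString();
                        lHostInfoReturn.Add(string.IsNullOrEmpty(text) ? "unknown" : text);
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting vulns from Landesk:" + e);
    }
    lLandeskReturnValues = Landesk2FidoValues.LandeskOsValues(lLandeskReturnValues, lHostInfoReturn);
    lFidoReturnValues.Landesk = lLandeskReturnValues;
    return(lFidoReturnValues);
}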
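/// <summary>
/// Runs the bundled nmap with OS detection against one IP address and returns
/// the host name and OS guess picked out of its output.
/// </summary>
/// <param name="sIP">IP address to scan. Anything that does not parse as an IP
/// address is rejected before nmap is started.</param>
/// <returns>"hostname^os" (either part may be empty), or null when the input was
/// not an IP address or the scan threw.</returns>
public static string NmapHost(string sIP)
{
    try
    {
        // sIP is placed on a command line. Only a value that parses as an IP address
        // is accepted, and the re-serialised address is used, so no extra nmap
        // options or other text can ride along in the argument.
        System.Net.IPAddress parsedIp;
        if (string.IsNullOrWhiteSpace(sIP) || !System.Net.IPAddress.TryParse(sIP.Trim(), out parsedIp))
        {
            Console.WriteLine(@"NMAP scan skipped: not a valid IP address.");
            return(null);
        }

        var procNmap = new ProcessStartInfo
        {
            FileName = Application.StartupPath + "\\nmap\\nmap.exe",
            Arguments = "-O " + parsedIp,
            UseShellExecute = false,
            RedirectStandardOutput = true
        };
        string procResult = null;
        using (var process = Process.Start(procNmap))
        {
            if (process != null)
            {
                using (var reader = process.StandardOutput)
                {
                    procResult = reader.ReadToEnd();
                    //Console.WriteLine(procResult);
                }
            }
        }

        // Host name and OS are taken from fixed line positions of nmap's text
        // output; a short output leaves both null.
        var lineBreaks = new[] { "\n", "\r" };
        string NmapHostname = null;
        string sNmapOs = null;
        if (procResult != null)
        {
            var aryResult = procResult.Split(lineBreaks, StringSplitOptions.RemoveEmptyEntries);
            if (aryResult.Length >= 25)
            {
                NmapHostname = aryResult[1];
                sNmapOs = aryResult[21];
            }
        }
        return(NmapHostname + "^" + sNmapOs);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught during NMAP scan:" + e);
    }
    return(null);
}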
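//if getevents is positive, get machine name and IP
/// <summary>
/// Looks up, in the Bit9 reporting database, every computer that has seen the
/// file with the given MD5 and returns one "name,ip,executed,deleted" line per row.
/// </summary>
/// <param name="sMD5">MD5 hash to search for; bound as a SQL parameter.</param>
/// <returns>Matching host lines; empty when nothing matched or the query failed
/// (failures are reported by e-mail).</returns>
private static IEnumerable<string> GetHost(string sMD5)
{
    var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
    sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
    var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
    var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
    var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
    var sDB = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
    var oBit9Return = new object[4];
    var lHostInfo = new List<string>();
    try
    {
        //todo: encrypt and retrived these values from DB.
        // Built with SqlConnectionStringBuilder so config values are quoted as
        // needed instead of being concatenated into the connection string.
        // NOTE(review): the password segment is masked in the source seen here;
        // sPwd is the decrypted credential that is otherwise unused, so it is
        // assumed to be the intended value — confirm. Integrated Security=sspi is
        // kept from the original even though it makes the user id/password moot.
        var connectionBuilder = new SqlConnectionStringBuilder
        {
            UserID = sUserID,
            Password = sPwd,
            DataSource = sBit9Server + ",1433",
            IntegratedSecurity = true,
            InitialCatalog = sDB,
            ConnectTimeout = 10
        };
        //todo: SQL injection. Store query in database and modify variables when retrieving
        // The hash is bound as @md5 rather than spliced into the text.
        const string sQuery = "SELECT [Computer_Name],[IP_Address], [Executed], [Deleted] FROM [das].[dbo].[Fido_FileInstanceInfo] Where MD5 = @md5";
        using (var vConnection = new SqlConnection(connectionBuilder.ConnectionString))
        using (var cmd = new SqlCommand(sQuery, vConnection) { CommandType = CommandType.Text })
        {
            cmd.Parameters.AddWithValue("@md5", (object)sMD5 ?? DBNull.Value);
            vConnection.Open();
            using (var objReader = cmd.ExecuteReader())
            {
                while (objReader.Read())
                {
                    objReader.GetSqlValues(oBit9Return);
                    if (oBit9Return.GetValue(0) != null)
                    {
                        lHostInfo.Add(oBit9Return.GetValue(0) + "," + oBit9Return.GetValue(1) + "," + oBit9Return.GetValue(2) + "," + oBit9Return.GetValue(3));
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving host information from Bit9:" + e);
    }
    return(lHostInfo);
}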
/// <summary>
/// Walks the infections of a Cyphort incident and runs each one that has not
/// already been alerted on (and is not EICAR) through <c>TheDirector</c>.
/// The alert's Cyphort/AlertID/DNSName fields are overwritten for every
/// infection, so after the loop they describe the last infection visited.
/// </summary>
/// <param name="lFidoReturnValues">Alert carrying the Cyphort incident details.</param>
/// <returns>The same <paramref name="lFidoReturnValues"/> instance.</returns>
private static FidoReturnValues FormatInfectionReturnValues(FidoReturnValues lFidoReturnValues)
{
    lFidoReturnValues.Cyphort.DstIP = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
    lFidoReturnValues.Cyphort.Domain = new List<string>();
    lFidoReturnValues.Cyphort.URL = new List<string>();
    lFidoReturnValues.Cyphort.MD5Hash = new List<string>();
    try
    {
        foreach (var infection in lFidoReturnValues.Cyphort.IncidentDetails.Incident.InfectionArray)
        {
            lFidoReturnValues.Cyphort.EventID = infection.Infection_id;
            lFidoReturnValues.AlertID = infection.Infection_id;
            // URL and MD5 have no value for an infection entry; placeholders keep
            // the three lists the same length.
            lFidoReturnValues.Cyphort.URL.Add(string.Empty);
            lFidoReturnValues.Cyphort.MD5Hash.Add(string.Empty);
            lFidoReturnValues.Cyphort.Domain.Add(infection.Cnc_servers);
            // Defang the C2 name so it is not clickable in notifications.
            // NOTE(review): a null Cnc_servers throws here and ends the whole loop via the catch — confirm the field is always set.
            lFidoReturnValues.DNSName = infection.Cnc_servers.Replace(".", "(.)");
            var isRunDirector = false;
            //Check to see if ID has been processed before
            lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
            if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
            {
                isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
            }
            // Skip already-seen events and the EICAR test signature.
            // NOTE(review): MalwareType is not assigned in this method; a null value throws here — confirm the caller sets it.
            if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
            {
                continue;
            }
            //todo: build better filetype versus targetted OS, then remove this.
            lFidoReturnValues.IsTargetOS = true;
            Console.WriteLine(@"Processing CNC incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
            TheDirector.Direct(lFidoReturnValues);
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 infection return:" + e);
    }
    return(lFidoReturnValues);
}
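/// <summary>
/// Loads earlier <c>event_alerts</c> rows for the alert's host name (preferred)
/// or source IP, newest first, and stores them on <c>lFidoReturnValues.PreviousAlerts</c>.
/// </summary>
/// <param name="lFidoReturnValues">Alert; <c>IsSendAlert</c> is set to true as a side effect.</param>
/// <param name="isMatrixScore">When true, the rows are also scored through
/// <c>PreviousMachineAlerts</c> and that result is returned.</param>
/// <returns>The alert's <c>PreviousAlerts</c> (unchanged when there is nothing to
/// look up or no rows matched), or the scored alerts when
/// <paramref name="isMatrixScore"/> is true and scoring succeeded.</returns>
internal static EventAlerts GetPreviousMachineAlerts(FidoReturnValues lFidoReturnValues, bool isMatrixScore)
{
    lFidoReturnValues.IsSendAlert = true;
    string machineQuery;
    // GetPreviousAlerts only takes query text, so the lookup value is escaped for
    // a SQL string literal instead of being bound as a parameter.
    if (!string.IsNullOrEmpty(lFidoReturnValues.Hostname))
    {
        //todo: move this to the database
        machineQuery = "SELECT * FROM event_alerts WHERE hostname = '" + EscapeSqlStringLiteral(lFidoReturnValues.Hostname.ToLower()) + "' ORDER BY primkey DESC";
    }
    else if (!string.IsNullOrEmpty(lFidoReturnValues.SrcIP))
    {
        //todo: move this to the database
        machineQuery = "SELECT * FROM event_alerts WHERE ip_address = '" + EscapeSqlStringLiteral(lFidoReturnValues.SrcIP) + "' ORDER BY primkey DESC";
    }
    else
    {
        // Nothing to key on; the original ran an empty query and relied on it failing.
        return(lFidoReturnValues.PreviousAlerts);
    }

    var fidoTemp = GetPreviousAlerts(machineQuery);
    if (fidoTemp.Rows.Count <= 0)
    {
        return(lFidoReturnValues.PreviousAlerts);
    }
    lFidoReturnValues.PreviousAlerts = new EventAlerts { Alerts = fidoTemp };
    if (!isMatrixScore)
    {
        return(lFidoReturnValues.PreviousAlerts);
    }
    //todo: move integer values for time offsets to database as configurable.
    try
    {
        return(PreviousMachineAlerts(lFidoReturnValues, fidoTemp));
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather startup configs." + e);
    }
    return(lFidoReturnValues.PreviousAlerts);
}

// Doubles single quotes so a value can be embedded in a single-quoted SQL literal.
private static string EscapeSqlStringLiteral(string value)
{
    return value == null ? string.Empty : value.Replace("'", "''");
}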
/// <summary>
/// Placeholder for reconciling host names from the different sources. At present
/// it simply returns its input; the intended rules are kept in the comment below.
/// </summary>
/// <param name="lFidoInputHostnames">Alert whose host-name fields would be reconciled.</param>
/// <returns>The input instance unchanged, or null if an exception was reported.</returns>
public FidoReturnValues FidoHostNames(FidoReturnValues lFidoInputHostnames)
{
    //code to look at all returned hostname values
    //if remotereg/ssh come back with value then
    //they win... make sure they are equal to
    //sysmgmt return and if not get new return from
    //sysmgmt server. if remotereg/ssh come back as
    //empty, then sysmgmt wins.
    try
    {
        var reconciled = lFidoInputHostnames;
        return(reconciled);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught doing FidoHostNames:" + e);
        return(null);
    }
}
/// <summary>
/// Loads the Carbon Black API configuration row whose <c>api_call</c> matches
/// <paramref name="detect"/> and converts it with <c>CBConfigs</c>.
/// </summary>
/// <param name="detect">API call name; callers pass fixed literals. It is spliced into
/// the query text, so only trusted values should be passed.</param>
/// <returns>The parsed configs, or a default <see cref="ParseCBConfigs"/> when the
/// lookup failed (the failure is reported by e-mail).</returns>
private static ParseCBConfigs ParseDetectorConfigs(string detect)
{
    //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
    var lookup = @"SELECT * from configs_sysmgmt_carbonblack WHERE api_call = '" + detect + @"'";
    var parsedConfigs = new ParseCBConfigs();
    try
    {
        var db = new SqLiteDB();
        DataTable configRows = db.GetDataTable(lookup);
        parsedConfigs = CBConfigs(configRows);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
    }
    return(parsedConfigs);
}
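/// <summary>
/// Reads the Parity (Bit9) agent service status and suite version for the alert's
/// host from Landesk and stores them on <c>lFidoReturnValues.Landesk</c>.
/// </summary>
/// <param name="lFidoReturnValues">Alert; <c>Hostname</c> selects the computer.</param>
/// <param name="sConnectionString">SQL Server connection string for the Landesk DB.</param>
/// <returns>The same instance. When no complete row came back, <c>Bit9Running</c> is
/// "" and <c>Bit9Version</c> is "Not Installed".</returns>
public static FidoReturnValues GetBit9Status(FidoReturnValues lFidoReturnValues, string sConnectionString)
{
    //todo: move this to the DB
    // Host name is bound as @hostname rather than concatenated into the text.
    const string sQuery = "SELECT DISTINCT A0.DISPLAYNAME, A1.NAME, A1.STATUS, A2.SUITENAME, A2.VERSION FROM Computer A0 (nolock) LEFT OUTER JOIN Services A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn LEFT OUTER JOIN AppSoftwareSuites A2 (nolock) ON A0.Computer_Idn = A2.Computer_Idn WHERE (A1.NAME = N'Parity Agent' AND A2.SuiteName LIKE N'Parity Agent' AND A0.DEVICENAME = @hostname)";
    var lBit9Return = new List<string>();
    try
    {
        using (var sqlConnect = new SqlConnection(sConnectionString))
        using (var sqlCmd = new SqlCommand(sQuery, sqlConnect))
        {
            sqlCmd.Parameters.AddWithValue("@hostname", (object)lFidoReturnValues.Hostname ?? DBNull.Value);
            sqlConnect.Open();
            using (var sqlReader = sqlCmd.ExecuteReader())
            {
                while (sqlReader.Read())
                {
                    for (var i = 0; i < sqlReader.FieldCount; i++)
                    {
                        // GetString throws on NULL columns; map them to "" (the
                        // original ternary compared against "" and was a no-op).
                        lBit9Return.Add(sqlReader.IsDBNull(i) ? string.Empty : sqlReader.GetString(i));
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting Bit9 status from Landesk:" + e);
    }

    // Columns arrive in select order: DISPLAYNAME, NAME, STATUS, SUITENAME, VERSION.
    // Index 4 is read below, so a partial row must not be treated as a hit
    // (the original tested Count > 0 and could throw outside the try).
    if (lBit9Return.Count >= 5)
    {
        lFidoReturnValues.Landesk.Bit9Running = lBit9Return[2];
        lFidoReturnValues.Landesk.Bit9Version = lBit9Return[4];
        return(lFidoReturnValues);
    }
    lFidoReturnValues.Landesk.Bit9Running = string.Empty;
    lFidoReturnValues.Landesk.Bit9Version = "Not Installed";
    return(lFidoReturnValues);
}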
/// <summary>
/// Maps the first row of a <c>configs_sysmgmt_carbonblack</c> result to a
/// <see cref="ParseCBConfigs"/>. Columns 1..5 are read positionally.
/// </summary>
/// <param name="cbData">Query result; must have at least one row.</param>
/// <returns>The parsed configs, or null when the row could not be read
/// (the failure is reported by e-mail).</returns>
private static ParseCBConfigs CBConfigs(DataTable cbData)
{
    try
    {
        var firstRow = cbData.Rows[0].ItemArray;
        return(new ParseCBConfigs
        {
            APIKey = Convert.ToString(firstRow[1]),
            BaseURL = Convert.ToString(firstRow[2]),
            APICall = Convert.ToString(firstRow[3]),
            APIFunction = Convert.ToString(firstRow[4]),
            APIQuery = Convert.ToString(firstRow[5])
        });
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
        return(null);
    }
}
//After receiving the email alert the subject, body and folder the email came from are passed
//to this function to be parsed.
/// <summary>
/// Dispatches an e-mail alert to the parser for the mailbox folder it arrived in.
/// Only "FireEye" and "FireEye-MAS" currently do anything; the other known folders
/// are accepted and ignored.
/// </summary>
/// <param name="sSubject">Mail subject (used by the FireEye parser).</param>
/// <param name="sBody">Mail body.</param>
/// <param name="sFolderName">Folder the mail came from; selects the parser.</param>
/// <param name="isParamTest">Unused.</param>
/// <returns>Always "test" (see the todo at the end).</returns>
private static string ScanEmail(string sSubject, string sBody, string sFolderName, bool isParamTest)
{
    //todo: this seems hokey and needs to be redone. I think I was drinking whiskey when I wrote it.
    try
    {
        switch (sFolderName)
        {
            case "FireEye":
                Detect_FireeyeMPS.FireEyeEmailReceive(sBody, sSubject);
                break;
            case "FireEye-MAS":
                Detect_FireEyeMas.ParseFireEyeMas(sBody);
                break;
            case "Bit9":
            case "ClearPass":
            case "PaloAlto":
            case "Sophos":
            case "SourceFire":
                //sourcefire.Main
                break;
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught during scan email:" + e);
    }
    //todo: return 'test'? why? remove this or finish return value handling.
    return("test");
}
//get sql connection string and sql query
/// <summary>
/// Collects the SQL settings for a sysmgmt source from the FIDO configs, in the
/// order: connection string, IP query, host-name query, and for "jamf" also the
/// extension-attribute query and the OS query.
/// </summary>
/// <param name="sSource">Sysmgmt source name used in the config key
/// <c>fido.sysmgmt.&lt;source&gt;.*</c>.</param>
/// <returns>The values read so far; shorter than expected if a read threw
/// (the failure is reported by e-mail).</returns>
public static List<string> GetSqlConfigs(string sSource)
{
    var lQueryConfig = new List<string>();
    var keyPrefix = "fido.sysmgmt." + sSource;
    Func<string, string> readConfig = suffix => Object_Fido_Configs.GetAsString(keyPrefix + suffix, null);
    try
    {
        lQueryConfig.Add(readConfig(".sqlconnstring"));
        lQueryConfig.Add(readConfig(".sqlqueryip"));
        lQueryConfig.Add(readConfig(".sqlqueryhostname"));
        if (sSource == "jamf")
        {
            lQueryConfig.Add(readConfig(".sqlqueryextattrib"));
            lQueryConfig.Add(readConfig(".sqlqueryos"));
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getsqlconfigs area:" + e);
    }
    return(lQueryConfig);
}
/// <summary>
/// Maps the first row of a configs query to a <see cref="ParseConfigs"/>.
/// Columns 0..5 are read positionally: primkey, api_call, base URL, function,
/// query string, API key.
/// </summary>
/// <param name="dbReturn">Query result; must have at least one row.</param>
/// <returns>The parsed configs, or null when the row could not be read
/// (the failure is reported by e-mail).</returns>
internal static ParseConfigs FormatParse(DataTable dbReturn)
{
    try
    {
        var firstRow = dbReturn.Rows[0].ItemArray;
        return(new ParseConfigs
        {
            PrimeKey = Convert.ToInt16(firstRow[0]),
            ApiCall = Convert.ToString(firstRow[1]),
            ApiBaseUrl = Convert.ToString(firstRow[2]),
            ApiFuncCall = Convert.ToString(firstRow[3]),
            ApiQueryString = Convert.ToString(firstRow[4]),
            ApiKey = Convert.ToString(firstRow[5])
        });
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
        return(null);
    }
}
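/// <summary>
/// Counts the distinct Landesk vulnerability titles detected on a host, in four
/// buckets: all severities, Critical, High, and Low+Medium.
/// </summary>
/// <param name="sHostname">Landesk device name; bound as a SQL parameter.</param>
/// <param name="sConnectionString">SQL Server connection string for the Landesk DB.</param>
/// <returns>One count per query in the order total, critical, high, low/medium.
/// Shorter than four entries if a query failed (the failure is reported by e-mail).</returns>
public static List<Int32> GetVulns(string sHostname, string sConnectionString)
{
    var lVuln = new List<Int32>();
    //todo: move this to the DB as const values.
    // The host name is bound as @hostname in every statement instead of being
    // concatenated into the WHERE clause.
    var sQueries = new List<string>
    {
        "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn WHERE (A0.DEVICENAME = @hostname AND (A1.VULSEVERITY = N'Critical' OR A1.VULSEVERITY = N'High' OR A1.VULSEVERITY = N'Low' OR A1.VULSEVERITY = N'Medium') AND A1.VULTYPE = N'Vulnerability')",
        "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn WHERE (A0.DEVICENAME = @hostname AND A1.VULSEVERITY = N'Critical' AND A1.VULTYPE = N'Vulnerability')",
        "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn WHERE (A0.DEVICENAME = @hostname AND A1.VULSEVERITY = N'High' AND A1.VULTYPE = N'Vulnerability')",
        "SELECT count(DISTINCT A1.Title) FROM Computer A0 (nolock) LEFT OUTER JOIN CVDetectedV A1 (nolock) ON A0.Computer_Idn = A1.Computer_Idn WHERE (A0.DEVICENAME = @hostname AND (A1.VULSEVERITY = N'Low' OR A1.VULSEVERITY = N'Medium') AND A1.VULTYPE = N'Vulnerability')"
    };
    try
    {
        using (var sqlConnect = new SqlConnection(sConnectionString))
        {
            sqlConnect.Open();
            foreach (var tmpQuery in sQueries)
            {
                using (var sqlCmd = new SqlCommand(tmpQuery, sqlConnect))
                {
                    sqlCmd.Parameters.AddWithValue("@hostname", (object)sHostname ?? DBNull.Value);
                    using (var sqlReader = sqlCmd.ExecuteReader())
                    {
                        while (sqlReader.Read())
                        {
                            // count(...) is never negative; the clamp is kept from
                            // the original, and a NULL cell is read as 0 rather than throwing.
                            var count = sqlReader.IsDBNull(0) ? 0 : sqlReader.GetInt32(0);
                            lVuln.Add(count > 0 ? count : 0);
                        }
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in getting vulns from Landesk:" + e);
    }
    return(lVuln);
}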
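/// <summary>
/// Looks up the Palo Alto alert's destination IP on VirusTotal and stores the
/// result and the VirusTotal page URL on <c>lFidoReturnValues.PaloAlto.VirusTotal</c>.
/// </summary>
/// <param name="lFidoReturnValues">Alert carrying the Palo Alto values.</param>
/// <returns>The same instance; unchanged when the lookup is disabled or there is no destination IP.</returns>
private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // NOTE(review): this returns early when "fido.director.virustotal" is TRUE,
    // which reads as "skip when enabled". The key's meaning is not visible here —
    // confirm against the config and the other SendXxxToVirusTotal methods.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return(lFidoReturnValues);
    }

    var destinationIp = lFidoReturnValues.PaloAlto.DstIp;
    // IsNullOrEmpty instead of .Any(): a null DstIp threw NullReferenceException here.
    if (string.IsNullOrEmpty(destinationIp))
    {
        return(lFidoReturnValues);
    }

    if (lFidoReturnValues.PaloAlto.VirusTotal == null)
    {
        lFidoReturnValues.PaloAlto.VirusTotal = new VirusTotalReturnValues();
    }
    Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
    try
    {
        //send ProtectWise return to VT IP API
        var IPReturn = Feeds_VirusTotal.VirusTotalIP(new List<string> { destinationIp });
        if (IPReturn != null)
        {
            lFidoReturnValues.PaloAlto.VirusTotal.IPReturn = IPReturn;
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
    }
    //todo: move the url to the database
    lFidoReturnValues.PaloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + destinationIp + "/information/";
    return(lFidoReturnValues);
}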
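/// <summary>
/// Executes <paramref name="sql"/> against the SQLite database named by
/// <c>_dbConn</c> and loads the result into a <see cref="DataTable"/>.
/// </summary>
/// <param name="sql">SQL text, executed verbatim. Callers are responsible for
/// building it safely; no parameters are bound here.</param>
/// <returns>The loaded table, or an empty table when the query failed
/// (the failure is reported by e-mail).</returns>
public DataTable GetDataTable(string sql)
{
    var dt = new DataTable();
    try
    {
        // using-blocks replace the manual Close() calls so the connection and
        // reader are released even when Open/ExecuteReader/Load throws.
        using (var cnn = new SQLiteConnection(_dbConn))
        using (var mycommand = new SQLiteCommand(cnn) { CommandText = sql })
        {
            cnn.Open();
            using (var reader = mycommand.ExecuteReader())
            {
                dt.Load(reader);
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to get table." + e);
    }
    return(dt);
}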
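/// <summary>
/// Queries ThreatGRID for the threat level of a sample hash.
/// </summary>
/// <param name="sHash">Sample hash appended to the ThreatGRID function URL.</param>
/// <returns>The deserialised threat info; an empty
/// <c>ThreatGRID_Threat_Info</c> when the response was not 200 OK or the call
/// threw; null when the response had no body.</returns>
public static Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info ThreatInfo(string sHash)
{
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    var ThreatGRIDReturn = new Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info();
    var parseConfigs = Object_ThreatGRID_Configs.GetThreatGridConfigs("hash-threat-level");
    // The API key travels in the query string, so `request` must never be logged verbatim.
    var endpoint = parseConfigs.ApiBaseUrl + parseConfigs.ApiFuncCall + sHash + "/threat?" + parseConfigs.ApiQueryString;
    var request = endpoint + "&api_key=" + parseConfigs.ApiKey;
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    alertRequest.Method = "GET";
    //alertRequest.Timeout = 120000;
    try
    {
        using (var ThreatGRIDResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (ThreatGRIDResponse != null && ThreatGRIDResponse.StatusCode == HttpStatusCode.OK)
            {
                using (var respStream = ThreatGRIDResponse.GetResponseStream())
                {
                    if (respStream == null)
                    {
                        return(null);
                    }
                    string stringreturn;
                    using (var ThreatGRIDReader = new StreamReader(respStream, Encoding.UTF8))
                    {
                        stringreturn = ThreatGRIDReader.ReadToEnd();
                    }
                    ThreatGRIDReturn = JsonConvert.DeserializeObject<Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>(stringreturn);
                    return(ThreatGRIDReturn);
                }
            }
        }
    }
    catch (Exception e)
    {
        // The original mailed the full request URL, API key included. Report the
        // endpoint with the key redacted instead.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving ThreatGRID threat information:" + e + "Query : " + endpoint + "&api_key=<redacted>");
    }
    return(ThreatGRIDReturn);
}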
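//public bool Delete(String tableName, String where)
//{
//    var returnCode = true;
//    try
//    {
//        ExecuteNonQuery(String.Format("delete from {0} where {1};", tableName, where));
//    }
//    catch (Exception e)
//    {
//        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to date data." + e);
//        returnCode = false;
//    }
//    return returnCode;
//}
/// <summary>
/// Inserts one row into <paramref name="tableName"/> with the given column/value pairs.
/// </summary>
/// <param name="tableName">Target table. Spliced into the statement verbatim — pass
/// trusted identifiers only.</param>
/// <param name="data">Column name to value. Keys are used verbatim as identifiers;
/// values are embedded as single-quoted literals with embedded quotes doubled.</param>
/// <returns>True when the statement ran; false when <paramref name="data"/> is
/// null/empty or the statement failed (the failure is reported by e-mail).</returns>
public bool Insert(String tableName, Dictionary<String, String> data)
{
    // The original hit Substring(0, -1) on an empty dictionary and threw outside the try.
    if (data == null || data.Count == 0)
    {
        return(false);
    }

    var columnList = new List<string>(data.Count);
    var valueList = new List<string>(data.Count);
    foreach (var val in data)
    {
        columnList.Add(" " + val.Key);
        // ExecuteNonQuery takes plain text, so parameter binding is not available
        // here; doubling the quote keeps a value inside its literal. A null value
        // becomes '' exactly as String.Format produced before.
        valueList.Add(" '" + (val.Value ?? string.Empty).Replace("'", "''") + "'");
    }

    var returnCode = true;
    try
    {
        ExecuteNonQuery(String.Format("insert into {0}({1}) values({2});", tableName, String.Join(",", columnList), String.Join(",", valueList)));
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to get insert data." + e);
        returnCode = false;
    }
    return(returnCode);
}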
/// <summary>
/// Loads the ThreatGRID feed configuration row whose <c>api_call</c> equals
/// <paramref name="detect"/> and converts it with <c>FormatParse</c>.
/// </summary>
/// <param name="detect">API call name; callers pass fixed literals. It is spliced into
/// the query text, so only trusted values should be passed.</param>
/// <returns>The parsed configs, or null when the lookup or conversion failed.</returns>
internal static Object_ThreatGRID_IP_ConfigClass.ParseConfigs GetThreatGridConfigs(string detect)
{
    //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
    var lookup = @"SELECT * from configs_threatfeed_threatgrid WHERE api_call = '" + detect + @"'";
    var configRows = GetThreatGridTable(lookup);
    try
    {
        Object_ThreatGRID_IP_ConfigClass.ParseConfigs parsed = new Object_ThreatGRID_IP_ConfigClass.ParseConfigs();
        if (configRows != null)
        {
            parsed = Object_ThreatGRID_IP_ConfigClass.FormatParse(configRows);
        }
        if (parsed == null)
        {
            return(null);
        }
        return(parsed);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to gather parse configs." + e);
        return(null);
    }
}
//todo: below is highlighted out until we start parsing previous alerts again
//private static FidoReturnValues GetPreviousUserAlerts(FidoReturnValues lFidoReturnValues)
//{
//}
//private static FidoReturnValues GetPreviousMachineAlerts(FidoReturnValues lFidoReturnValues)
//{
//}
/// <summary>
/// Maps the first row of an <c>event_alerts</c> query to an <see cref="EventAlerts"/>.
/// Columns 0..6 are read positionally: primkey, timer, ip, hostname, timestamp,
/// previous score, alert id.
/// </summary>
/// <param name="dbReturn">Query result; must have at least one row.</param>
/// <returns>The mapped alert, or null when the row could not be read
/// (the failure is reported by e-mail).</returns>
private static EventAlerts FormatEventAlert(DataTable dbReturn)
{
    try
    {
        var firstRow = dbReturn.Rows[0].ItemArray;
        var mapped = new EventAlerts
        {
            PrimKey = Convert.ToInt32(firstRow[0]),
            Timer = Convert.ToInt32(firstRow[1]),
            IP = Convert.ToString(firstRow[2]),
            Hostname = Convert.ToString(firstRow[3]),
            TimeStamp = Convert.ToString(firstRow[4]),
            PreviousScore = Convert.ToInt32(firstRow[5]),
            AlertID = Convert.ToString(firstRow[6])
        };
        return(mapped);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format event alerts return." + e);
        return(null);
    }
}
/// <summary>
/// Converts each Palo Alto log entry (except "dns" app entries) into a fresh
/// <see cref="FidoReturnValues"/>, orients source/destination by the entry's
/// traffic direction, skips entries already alerted on or matching EICAR, and
/// runs the rest through <c>TheDirector</c>.
/// </summary>
/// <param name="panReturn">Deserialised PAN log response.</param>
private static void ParsePan(Object_PaloAlto_Class.PanReturn panReturn)
{
    try
    {
        foreach (var entry in panReturn.Result.Log.Logs.Entry)
        {
            if (entry.App == "dns")
            {
                continue;
            }
            Console.WriteLine(@"Processing PAN " + entry.SubType + @" event.");
            //initialize generic variables for PAN values
            var lFidoReturnValues = new FidoReturnValues();
            if (lFidoReturnValues.PreviousAlerts == null)
            {
                lFidoReturnValues.PreviousAlerts = new EventAlerts();
            }
            if (lFidoReturnValues.PaloAlto == null)
            {
                lFidoReturnValues.PaloAlto = new PaloAltoReturnValues();
            }
            //Convert PAN classifications to more readable values
            lFidoReturnValues.MalwareType = entry.Type + " " + entry.SubType;
            lFidoReturnValues.CurrentDetector = "panv1";
            lFidoReturnValues.PaloAlto.EventID = entry.EventID;
            lFidoReturnValues.AlertID = entry.EventID;
            // isDst: true for client-to-server traffic, meaning the log's DstIP is the
            // remote side; otherwise the roles are swapped below so SrcIP is always
            // the internal host and DstIP the remote one.
            if (entry.Direction == "client-to-server")
            {
                lFidoReturnValues.PaloAlto.isDst = true;
            }
            else
            {
                lFidoReturnValues.PaloAlto.isDst = false;
            }
            if (lFidoReturnValues.PaloAlto.isDst)
            {
                lFidoReturnValues.SrcIP = entry.SrcIP;
                lFidoReturnValues.DstIP = entry.DstIP;
                lFidoReturnValues.PaloAlto.DstIp = entry.DstIP;
            }
            else
            {
                lFidoReturnValues.SrcIP = entry.DstIP;
                lFidoReturnValues.DstIP = entry.SrcIP;
                lFidoReturnValues.PaloAlto.DstIp = entry.SrcIP;
            }
            if (!string.IsNullOrEmpty(entry.DstUser))
            {
                // Strip the hard-coded domain prefix for the PAN copy only; Username keeps it.
                lFidoReturnValues.PaloAlto.DstUser = entry.DstUser.Replace(@"corp\", string.Empty);
                lFidoReturnValues.Username = entry.DstUser;
            }
            lFidoReturnValues.PaloAlto.EventTime = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
            lFidoReturnValues.TimeOccurred = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
            var isRunDirector = false;
            //Check to see if ID has been processed before
            lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
            if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
            {
                isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.PaloAlto.EventID, lFidoReturnValues.PaloAlto.EventTime);
            }
            // Skip already-seen events and the EICAR test signature.
            if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
            {
                continue;
            }
            //todo: build better filetype versus targetted OS, then remove this.
            lFidoReturnValues.IsTargetOS = true;
            Console.WriteLine(@"Processing PAN incident " + lFidoReturnValues.PaloAlto.EventID + @" through to the Director.");
            TheDirector.Direct(lFidoReturnValues);
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e);
    }
}
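/// <summary>
/// Looks a user up in Active Directory by sAMAccountName and fills a
/// <see cref="UserReturnValues"/> with the user's contact attributes and, when a
/// manager DN is present, the manager's details from <c>Getmanagerinfo</c>.
/// </summary>
/// <param name="sUserId">sAMAccountName to search for. It is escaped for an LDAP
/// filter before use.</param>
/// <returns>The populated values (every field defaults to ""), or null when an
/// exception was reported by e-mail.</returns>
public static UserReturnValues Getuserinfo(string sUserId)
{
    try
    {
        var lUserInfo = new UserReturnValues
        {
            UserEmail = string.Empty,
            UserID = string.Empty,
            Username = string.Empty,
            Department = string.Empty,
            Title = string.Empty,
            EmployeeType = string.Empty,
            CubeLocation = string.Empty,
            City = string.Empty,
            State = string.Empty,
            StreetAddress = string.Empty,
            MobileNumber = string.Empty,
            ManagerID = string.Empty,
            ManagerMail = string.Empty,
            ManagerMobile = string.Empty,
            ManagerTitle = string.Empty,
            ManagerName = string.Empty
        };
        var domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
        var user = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
        var pwd = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);

        using (var searchRoot = new DirectoryEntry(domainPath, user, pwd))
        using (var search = new DirectorySearcher(searchRoot))
        {
            // sUserId comes from alert data, so it is escaped per RFC 4515 before
            // being embedded in the filter; the original concatenated it raw.
            search.Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + EscapeLdapFilterValue(sUserId) + "))";
            foreach (var attribute in new[] { "samaccountname", "mail", "displayname", "department", "title", "employeeType", "manager", "info", "l", "st", "streetAddress", "mobile" })
            {
                search.PropertiesToLoad.Add(attribute);
            }

            using (var resultCol = search.FindAll())
            {
                foreach (SearchResult result in resultCol)
                {
                    // Only results carrying the three key attributes are copied;
                    // a missing attribute leaves the field at "".
                    if (result.Properties.Contains("samaccountname") && result.Properties.Contains("mail") && result.Properties.Contains("displayname"))
                    {
                        lUserInfo.UserEmail = FirstAttributeValueOrEmpty(result, "mail");
                        lUserInfo.UserID = FirstAttributeValueOrEmpty(result, "samaccountname");
                        lUserInfo.Username = FirstAttributeValueOrEmpty(result, "displayname");
                        lUserInfo.Department = FirstAttributeValueOrEmpty(result, "department");
                        lUserInfo.Title = FirstAttributeValueOrEmpty(result, "title");
                        lUserInfo.EmployeeType = FirstAttributeValueOrEmpty(result, "employeeType");
                        lUserInfo.ManagerName = FirstAttributeValueOrEmpty(result, "manager");
                        lUserInfo.CubeLocation = FirstAttributeValueOrEmpty(result, "info");
                        lUserInfo.City = FirstAttributeValueOrEmpty(result, "l");
                        lUserInfo.State = FirstAttributeValueOrEmpty(result, "st");
                        lUserInfo.StreetAddress = FirstAttributeValueOrEmpty(result, "streetAddress");
                        lUserInfo.MobileNumber = FirstAttributeValueOrEmpty(result, "mobile");
                    }
                    if (string.IsNullOrEmpty(lUserInfo.ManagerName))
                    {
                        continue;
                    }
                    // ManagerName holds the manager DN at this point; Getmanagerinfo
                    // returns mail, id, name, title, mobile in that order and the
                    // display name replaces the DN.
                    var lManagerValues = Getmanagerinfo(lUserInfo.ManagerName);
                    for (var i = 0; i < lManagerValues.Count; i++)
                    {
                        if (string.IsNullOrEmpty(lManagerValues[i]))
                        {
                            continue;
                        }
                        switch (i)
                        {
                            case 0:
                                lUserInfo.ManagerMail = lManagerValues[0];
                                break;
                            case 1:
                                lUserInfo.ManagerID = lManagerValues[1];
                                break;
                            case 2:
                                lUserInfo.ManagerName = lManagerValues[2];
                                break;
                            case 3:
                                lUserInfo.ManagerTitle = lManagerValues[3];
                                break;
                            case 4:
                                lUserInfo.ManagerMobile = lManagerValues[4];
                                break;
                        }
                    }
                }
            }
        }
        return(lUserInfo);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Active Directory grab user info area:" + e);
    }
    return(null);
}

// First value of an LDAP attribute as a string, or "" when the attribute is
// absent, empty, or not a string.
private static string FirstAttributeValueOrEmpty(SearchResult result, string attributeName)
{
    var values = result.Properties[attributeName];
    if (values == null || values.Count == 0)
    {
        return string.Empty;
    }
    return values[0] as string ?? string.Empty;
}

// Escapes the characters RFC 4515 reserves inside an LDAP filter assertion value.
private static string EscapeLdapFilterValue(string value)
{
    if (string.IsNullOrEmpty(value))
    {
        return string.Empty;
    }
    var escaped = new System.Text.StringBuilder(value.Length);
    foreach (var c in value)
    {
        switch (c)
        {
            case '\\':
                escaped.Append("\\5c");
                break;
            case '*':
                escaped.Append("\\2a");
                break;
            case '(':
                escaped.Append("\\28");
                break;
            case ')':
                escaped.Append("\\29");
                break;
            case '\0':
                escaped.Append("\\00");
                break;
            default:
                escaped.Append(c);
                break;
        }
    }
    return escaped.ToString();
}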