Esempio n. 1
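        //function for FireEye MPS to parse each email to get source, destination, MAC addr, type of
        //attack, time it occured and important URLs.
        //sEmailBody: raw alert body, passed through to FireEyeParse untouched.
        //sSubject:   alert subject; the text before the first ':' is the alert type that selects the branch.
        //Returns nothing. Any exception escaping the parse/dispatch path is reported by email and swallowed,
        //so a malformed alert never takes the receiver down.
        public static void FireEyeEmailReceive(string sEmailBody, string sSubject)
        {
            try
            {
                Console.WriteLine(@"Running FireEye MPS detector.");
                //a null subject used to throw inside Split and surface only as a generic failure email;
                //treat it as "no recognised alert type" so the detector exits cleanly instead
                var malwareType = sSubject == null ? null : sSubject.Split(':')[0];

                //get additional information from the alert such as hashes, URLs, etc
                //(the three branches share the same parse/dispatch tail, see ProcessFireEyeAlert)
                if (malwareType != null && IsMalwareType(malwareType))
                {
                    Console.WriteLine(@"Malware-callback detected");
                    if (!ProcessFireEyeAlert(sEmailBody, malwareType, false))
                    {
                        return;
                    }
                }
                else if (string.Equals(malwareType, "web-infection detected", StringComparison.Ordinal))
                {
                    Console.WriteLine(@"Web-infection detected.");
                    //web infections are the only alert kind parsed with the isWebInfection flag set
                    if (!ProcessFireEyeAlert(sEmailBody, malwareType, true))
                    {
                        return;
                    }
                }
                else if (string.Equals(malwareType, "infection-match detected", StringComparison.Ordinal))
                {
                    Console.WriteLine(@"Infection-match detected.");
                    if (!ProcessFireEyeAlert(sEmailBody, malwareType, false))
                    {
                        return;
                    }
                }
                Console.WriteLine(@"Exiting FireEye detector.");
            }
            catch (Exception e)
            {
                //the original message carried a stray "{0}" placeholder that was never formatted; the
                //exception (with its stack trace) is appended directly instead
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught receiving FireEye email: " + e);
            }
        }

        //shared tail of every FireEye branch: log the alert type, parse the body and, unless the
        //source-IP check stops processing, hand the parsed values to SetReturnValue.
        //Returns false when processing stopped at the source-IP check, true otherwise.
        private static bool ProcessFireEyeAlert(string sEmailBody, string malwareType, bool isWebInfection)
        {
            Logging_Fido.RunLogging(malwareType + "!");
            var lFidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);
            //NOTE(review): processing stops when isEmptySrcIP returns *false*, which reads inverted
            //relative to its name; kept as in the original because the helper's contract is not
            //visible here — confirm against Fido_NetSegments before changing
            if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
            {
                return false;
            }
            SetReturnValue(lFidoReturnValues);
            return true;
        }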
Esempio n. 2
 //shared body of the FireEye branches: log the alert type, parse the email and, unless the
 //source-IP check stops processing, tag the parsed values and hand them to TheDirector.
 //NOTE(review): malwareType, sEmailBody and sSubjectArray are not parameters of this method, so it only
 //compiles if they are fields in the enclosing type — not visible here. The fidoReturnValues argument
 //is replaced by the parsed object on the first assignment; callers never observe that replacement.
 private void XX(FidoReturnValues fidoReturnValues, bool isWebInfection)
 {
     Logging_Fido.RunLogging(malwareType + "!");
     fidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);

     //NOTE(review): processing continues only when isEmptySrcIP returns true, which reads inverted
     //relative to its name; the helper's contract is not visible here — confirm before changing
     var srcIpAccepted = Fido_NetSegments.isEmptySrcIP(fidoReturnValues.SrcIP);
     if (srcIpAccepted)
     {
         fidoReturnValues.IsTargetOS      = true;
         fidoReturnValues.MalwareType     = sSubjectArray[0];
         fidoReturnValues.CurrentDetector = "mps";
         //hand off the process to get more information about the host
         TheDirector.Direct(fidoReturnValues);
     }
 }
Esempio n. 3
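        //function for FireEye MPS to parse each email to get source, destination, MAC addr, type of
        //attack, time it occured and important URLs.
        //sEmailBody: raw alert body, passed through to FireEyeParse untouched.
        //sSubject:   alert subject; the text before the first ':' is the alert type that selects the branch.
        //Returns nothing. Any exception escaping the parse/dispatch path is reported by email and swallowed,
        //so a malformed alert never takes the receiver down.
        public static void FireEyeEmailReceive(string sEmailBody, string sSubject)
        {
            try
            {
                Console.WriteLine(@"Running FireEye MPS detector.");
                //a null subject used to throw inside Split and surface only as a generic failure email;
                //treat it as "no recognised alert type" so the detector exits cleanly instead
                var malwareType = sSubject == null ? null : sSubject.Split(':')[0];

                //get additional information from the alert such as hashes, URLs, etc
                //(the three branches share the same parse/dispatch tail, see DispatchFireEyeAlert).
                //The first condition previously combined IsNullOrEmpty without negation and an
                //unparenthesised ||, so "malware-callback detected" alerts could never enter this branch;
                //string.Equals is null-safe, so no separate null check is needed
                if (string.Equals(malwareType, "malware-callback detected", StringComparison.Ordinal)
                    || string.Equals(malwareType, "malware-object detected", StringComparison.Ordinal))
                {
                    Console.WriteLine(@"Malware-callback detected");
                    if (!DispatchFireEyeAlert(sEmailBody, malwareType, false))
                    {
                        return;
                    }
                }
                else if (string.Equals(malwareType, "web-infection detected", StringComparison.Ordinal))
                {
                    Console.WriteLine(@"Web-infection detected.");
                    //web infections are the only alert kind parsed with the isWebInfection flag set
                    if (!DispatchFireEyeAlert(sEmailBody, malwareType, true))
                    {
                        return;
                    }
                }
                else if (string.Equals(malwareType, "infection-match detected", StringComparison.Ordinal))
                {
                    Console.WriteLine(@"Infection-match detected.");
                    if (!DispatchFireEyeAlert(sEmailBody, malwareType, false))
                    {
                        return;
                    }
                }
                Console.WriteLine(@"Exiting FireEye detector.");
            }
            catch (Exception e)
            {
                //the original message carried a stray "{0}" placeholder that was never formatted; the
                //exception (with its stack trace) is appended directly instead
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught receiving FireEye email: " + e);
            }
        }

        //shared tail of every FireEye branch: log the alert type, parse the body and, unless the
        //source-IP check stops processing, tag the parsed values and hand them to TheDirector.
        //Returns false when processing stopped at the source-IP check, true otherwise.
        private static bool DispatchFireEyeAlert(string sEmailBody, string malwareType, bool isWebInfection)
        {
            Logging_Fido.RunLogging(malwareType + "!");
            var lFidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);
            //NOTE(review): processing stops when isEmptySrcIP returns *false*, which reads inverted
            //relative to its name; kept as in the original because the helper's contract is not
            //visible here — confirm against Fido_NetSegments before changing
            if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
            {
                return false;
            }
            lFidoReturnValues.IsTargetOS = true;
            //hand off the process to get more information about the host
            lFidoReturnValues.MalwareType     = malwareType;
            lFidoReturnValues.CurrentDetector = "mps";
            TheDirector.Direct(lFidoReturnValues);
            return true;
        }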