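//function for FireEye MPS to parse each email to get source, destination, MAC addr, type of
//attack, time it occurred and important URLs.
//sEmailBody: raw text of the FireEye MPS alert email, handed to FireEyeParse.
//sSubject: email subject; the text before the first ':' selects the alert type.
//Alerts that fail the source-IP check after parsing are dropped without being handed on.
//Any exception is reported by email rather than rethrown.
public static void FireEyeEmailReceive(string sEmailBody, string sSubject)
{
    try
    {
        Console.WriteLine(@"Running FireEye MPS detector.");

        //a missing subject cannot be classified; treat it as an unknown alert type
        //rather than letting Split throw and turning it into an error email
        var sSubjectArray = (sSubject ?? string.Empty).Split(':');
        var malwareType = sSubjectArray[0];

        //all handled alert types share one processing path; the only difference is
        //whether FireEyeParse is told to use the web-infection layout
        bool handled = true;
        bool isWebInfection = false;
        if (IsMalwareType(malwareType))
        {
            Console.WriteLine(@"Malware-callback detected");
        }
        else if (string.Equals(malwareType, "web-infection detected", StringComparison.Ordinal))
        {
            Console.WriteLine(@"Web-infection detected.");
            isWebInfection = true;
        }
        else if (string.Equals(malwareType, "infection-match detected", StringComparison.Ordinal))
        {
            Console.WriteLine(@"Infection-match detected.");
        }
        else
        {
            handled = false;
        }

        if (handled)
        {
            Logging_Fido.RunLogging(malwareType + "!");
            FidoReturnValues lFidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);
            //NOTE(review): returns when isEmptySrcIP() is false, which reads inverted relative to the
            //helper's name - confirm its return convention. An alert that fails this check is
            //dropped silently and the "Exiting" line below is skipped, as in the original.
            if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
            {
                return;
            }
            SetReturnValue(lFidoReturnValues);
        }

        Console.WriteLine(@"Exiting FireEye detector.");
    }
    catch (Exception e)
    {
        //the original message carried a stray "{0}" placeholder that was never formatted
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught receiving FireEye email:" + e);
    }
}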
//NOTE(review): appears to be an unfinished extraction of the per-alert handling from
//FireEyeEmailReceive (the static method in this file calls a SetReturnValue helper of the
//same shape). As written, malwareType, sEmailBody and sSubjectArray are neither parameters
//nor locals of this method - confirm they exist as class members, otherwise this does not
//compile. fidoReturnValues is overwritten before it is read, and since it is passed by
//value the parsed result never reaches the caller.
//fidoReturnValues: replaced by the result of FireEyeParse; the incoming value is unused.
//isWebInfection: forwarded as the second argument of FireEyeParse (true for web-infection
//alerts elsewhere in this file).
private void XX(FidoReturnValues fidoReturnValues, bool isWebInfection)
{
    Logging_Fido.RunLogging(malwareType + "!");
    fidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);
    //NOTE(review): returns when isEmptySrcIP() is false, which reads inverted relative to the
    //helper's name - confirm its return convention
    if (!Fido_NetSegments.isEmptySrcIP(fidoReturnValues.SrcIP))
    {
        return;
    }
    fidoReturnValues.IsTargetOS = true;
    //hand off the process to get more information about the host
    fidoReturnValues.MalwareType = sSubjectArray[0];
    fidoReturnValues.CurrentDetector = "mps";
    TheDirector.Direct(fidoReturnValues);
}
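//function for FireEye MPS to parse each email to get source, destination, MAC addr, type of
//attack, time it occurred and important URLs.
//sEmailBody: raw text of the FireEye MPS alert email, handed to FireEyeParse.
//sSubject: email subject; the text before the first ':' selects the alert type.
//Handled subjects: "malware-callback detected", "malware-object detected",
//"web-infection detected", "infection-match detected"; anything else is ignored.
//Alerts that fail the source-IP check after parsing are dropped without being handed on.
//Any exception is reported by email rather than rethrown.
public static void FireEyeEmailReceive(string sEmailBody, string sSubject)
{
    try
    {
        Console.WriteLine(@"Running FireEye MPS detector.");

        //a missing subject cannot be classified; treat it as an unknown alert type
        //rather than letting Split throw and turning it into an error email
        var sSubjectArray = (sSubject ?? string.Empty).Split(':');
        var malwareType = sSubjectArray[0];

        //classify first, then run the shared handling once. The original repeated the
        //handling in every branch, and its first condition was
        //  IsNullOrEmpty(x) && Compare(x, "malware-callback detected") == 0 || Compare(x, "malware-object detected") == 0
        //where && binds before ||, so an empty/null subject never equals the literal and the
        //malware-callback case could not match; only "malware-object detected" was handled.
        bool handled = true;
        bool isWebInfection = false;
        if (string.Equals(malwareType, "malware-callback detected", StringComparison.Ordinal)
            || string.Equals(malwareType, "malware-object detected", StringComparison.Ordinal))
        {
            Console.WriteLine(@"Malware-callback detected");
        }
        else if (string.Equals(malwareType, "web-infection detected", StringComparison.Ordinal))
        {
            Console.WriteLine(@"Web-infection detected.");
            isWebInfection = true;
        }
        else if (string.Equals(malwareType, "infection-match detected", StringComparison.Ordinal))
        {
            Console.WriteLine(@"Infection-match detected.");
        }
        else
        {
            handled = false;
        }

        if (handled)
        {
            Logging_Fido.RunLogging(malwareType + "!");
            FidoReturnValues lFidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);
            //NOTE(review): returns when isEmptySrcIP() is false, which reads inverted relative to the
            //helper's name - confirm its return convention. An alert that fails this check is
            //dropped silently (the original left a "consider an else" TODO here) and the
            //"Exiting" line below is skipped.
            if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
            {
                return;
            }
            lFidoReturnValues.IsTargetOS = true;
            //hand off the process to get more information about the host
            lFidoReturnValues.MalwareType = malwareType;
            lFidoReturnValues.CurrentDetector = "mps";
            TheDirector.Direct(lFidoReturnValues);
        }

        Console.WriteLine(@"Exiting FireEye detector.");
    }
    catch (Exception e)
    {
        //the original message carried a stray "{0}" placeholder that was never formatted
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught receiving FireEye email:" + e);
    }
}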