/// <summary>
/// Mails an error notification to the configured error address. Nothing is sent when
/// "fido.email.runerroremail" is false; while "fido.application.teststartup" is true the
/// subject is prefixed with "Test: ". The message is also logged and echoed to the console.
/// </summary>
/// <param name="sErrorSubject">Subject line of the notification.</param>
/// <param name="sErrorMessage">Body of the notification. Callers pass exception text here,
/// so whatever the exception's ToString() contains (stack trace included) reaches the error mailbox.</param>
public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
    // All four settings are read before the early exit so the config read order is unchanged.
    var shouldSend = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
    var recipient = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sender = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var testMode = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);

    if (!shouldSend)
    {
        return;
    }

    var subject = testMode ? "Test: " + sErrorSubject : sErrorSubject;

    Logging_Fido.RunLogging(sErrorMessage);

    // NOTE(review): recipient/sender default to null when the keys are missing and are handed to
    // Email_Send without validation — confirm Email_Send.Send tolerates that.
    var notification = new Emailfields
    {
        To = recipient,
        CC = "",
        From = sender,
        Subject = subject,
        Body = sErrorMessage,
        EmailAttach = null,
        GaugeAttatch = null
    };
    Email_Send.Send(notification);

    Console.WriteLine(sErrorMessage);
    // Blocks the calling thread for one second after every send; presumably a crude
    // rate limit on error mail — confirm before removing.
    Thread.Sleep(1000);
}
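// Function for the FireEye MPS detector: parse each alert e-mail to get source, destination,
// MAC address, type of attack, time it occurred and important URLs.
/// <summary>
/// Entry point for FireEye MPS alert e-mails. The alert type is the text before the first ':'
/// of the subject; only the exact (ordinal) types recognised by
/// <see cref="TryClassifyFireEyeAlert"/> are parsed and passed to SetReturnValue, every other
/// subject is ignored. Any exception is reported through Fido_EventHandler.SendEmail, which
/// mails the full exception text (stack trace included) to the configured error address.
/// </summary>
/// <param name="sEmailBody">Raw body of the alert e-mail; forwarded unchanged to FireEyeParse.</param>
/// <param name="sSubject">Subject of the alert e-mail. A null subject throws inside the try
/// block and is therefore reported as an error rather than ignored.</param>
public static void FireEyeEmailReceive(string sEmailBody, string sSubject)
{
    try
    {
        Console.WriteLine(@"Running FireEye MPS detector.");

        // The alert type is everything before the first ':' of the subject.
        var sSubjectArray = sSubject.Split(':');
        var malwareType = sSubjectArray[0];

        string label;
        bool isWebInfection;
        if (TryClassifyFireEyeAlert(malwareType, out label, out isWebInfection))
        {
            Console.WriteLine(label);
            Logging_Fido.RunLogging(malwareType + "!");
            var lFidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);

            // NOTE(review): this exits when isEmptySrcIP is *false*, i.e. when a source IP
            // appears to be present, which reads inverted. Behavior is kept as it was; confirm
            // against Fido_NetSegments.isEmptySrcIP before changing the direction.
            if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
            {
                return;
            }

            SetReturnValue(lFidoReturnValues);
        }

        Console.WriteLine(@"Exiting FireEye detector.");
    }
    catch (Exception e)
    {
        // The previous message carried a stray "{0}" format placeholder that was printed literally.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught receiving FireEye email: " + e);
    }
}

/// <summary>
/// Maps a FireEye alert type (the subject prefix) to the console label printed when it is
/// handled and to the isWebInfection flag passed to FireEyeParse.
/// </summary>
/// <returns>False for alert types the detector does not handle; label is then null.</returns>
private static bool TryClassifyFireEyeAlert(string malwareType, out string label, out bool isWebInfection)
{
    if (IsMalwareType(malwareType))
    {
        label = @"Malware-callback detected";
        isWebInfection = false;
        return true;
    }
    if (string.Equals(malwareType, "web-infection detected", StringComparison.Ordinal))
    {
        label = @"Web-infection detected.";
        isWebInfection = true;
        return true;
    }
    if (string.Equals(malwareType, "infection-match detected", StringComparison.Ordinal))
    {
        label = @"Infection-match detected.";
        isWebInfection = false;
        return true;
    }
    label = null;
    isWebInfection = false;
    return false;
}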
/// <summary>
/// Draft helper meant to hold the branch body that is repeated in FireEyeEmailReceive:
/// parse the alert, bail out on the source-IP check, then hand the result to TheDirector.
/// NOTE(review): as written this does not compile — <c>malwareType</c>, <c>sEmailBody</c> and
/// <c>sSubjectArray</c> are not declared here (they are locals of FireEyeEmailReceive) — and it is
/// an instance method while FireEyeEmailReceive is static.
/// </summary>
/// <param name="fidoReturnValues">Overwritten with the FireEyeParse result; the reassignment is
/// local to this method (the reference is passed by value) and is not seen by the caller.</param>
/// <param name="isWebInfection">Forwarded unchanged to FireEyeParse.</param>
private void XX(FidoReturnValues fidoReturnValues, bool isWebInfection)
{
    Logging_Fido.RunLogging(malwareType + "!");
    fidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);
    // NOTE(review): exits when isEmptySrcIP is false (a source IP appears to be present) —
    // confirm that direction against Fido_NetSegments.isEmptySrcIP.
    if (!Fido_NetSegments.isEmptySrcIP(fidoReturnValues.SrcIP))
    {
        return;
    }
    fidoReturnValues.IsTargetOS = true;
    // Hand off the process to get more information about the host.
    fidoReturnValues.MalwareType = sSubjectArray[0];
    fidoReturnValues.CurrentDetector = "mps";
    TheDirector.Direct(fidoReturnValues);
}
/// <summary>
/// Mails an error notification to the configured error address. Nothing is sent when
/// "fido.email.runerroremail" is false; while "fido.application.teststartup" is true the
/// subject is prefixed with "Test: ". The message is also logged and echoed to the console.
/// </summary>
/// <param name="sErrorSubject">Subject line of the notification.</param>
/// <param name="sErrorMessage">Body of the notification. Callers pass exception text here,
/// so whatever the exception's ToString() contains (stack trace included) reaches the error mailbox.</param>
public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
    // All four settings are read before the early exit so the config read order is unchanged.
    var shouldSend = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
    var recipient = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sender = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var testMode = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);

    if (!shouldSend)
    {
        return;
    }

    var subject = testMode ? "Test: " + sErrorSubject : sErrorSubject;

    Logging_Fido.RunLogging(sErrorMessage);

    // NOTE(review): recipient/sender default to null when the keys are missing and are passed
    // positionally without validation; the sender address is passed twice — the meaning of the
    // second and third positions is assumed from Email_Send.Send's signature, which is not shown here.
    Email_Send.Send(recipient, sender, sender, subject, sErrorMessage, null, null);

    Console.WriteLine(sErrorMessage);
    // Blocks the calling thread for one second after every send; presumably a crude
    // rate limit on error mail — confirm before removing.
    Thread.Sleep(1000);
}
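// Function for the FireEye MPS detector: parse each alert e-mail to get source, destination,
// MAC address, type of attack, time it occurred and important URLs.
/// <summary>
/// Entry point for FireEye MPS alert e-mails. The alert type is the text before the first ':'
/// of the subject; only exact (ordinal) matches for malware-callback, malware-object,
/// web-infection and infection-match alerts are parsed and handed to TheDirector, every other
/// subject is ignored. Any exception is reported through Fido_EventHandler.SendEmail, which
/// mails the full exception text (stack trace included) to the configured error address.
/// </summary>
/// <param name="sEmailBody">Raw body of the alert e-mail; forwarded unchanged to FireEyeParse.</param>
/// <param name="sSubject">Subject of the alert e-mail. A null subject throws inside the try
/// block and is therefore reported as an error rather than ignored.</param>
public static void FireEyeEmailReceive(string sEmailBody, string sSubject)
{
    try
    {
        Console.WriteLine(@"Running FireEye MPS detector.");

        // The alert type is everything before the first ':' of the subject.
        var sSubjectArray = sSubject.Split(':');
        var malwareType = sSubjectArray[0];

        string label;
        bool isWebInfection;
        if (TryClassifyFireEyeAlert(malwareType, out label, out isWebInfection))
        {
            Console.WriteLine(label);
            Logging_Fido.RunLogging(malwareType + "!");
            var lFidoReturnValues = FireEyeParse(sEmailBody, isWebInfection);

            // NOTE(review): this exits when isEmptySrcIP is *false*, i.e. when a source IP
            // appears to be present, which reads inverted. Behavior is kept as it was; confirm
            // against Fido_NetSegments.isEmptySrcIP before changing the direction.
            // TODO: decide what to do when the parsed source IP is empty (original left an empty else).
            if (!Fido_NetSegments.isEmptySrcIP(lFidoReturnValues.SrcIP))
            {
                return;
            }

            HandOffToDirector(lFidoReturnValues, malwareType);
        }

        Console.WriteLine(@"Exiting FireEye detector.");
    }
    catch (Exception e)
    {
        // The previous message carried a stray "{0}" format placeholder that was printed literally.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught receiving FireEye email: " + e);
    }
}

/// <summary>
/// True for the two alert types handled as malware alerts (not web infections).
/// </summary>
private static bool IsFireEyeMalwareAlert(string malwareType)
{
    // Fixed: the original test was `IsNullOrEmpty(x) && a || b`, which — by operator precedence
    // and because a null/empty string never equals either literal — only ever matched
    // "malware-object detected", so malware-callback alerts were silently dropped.
    return !string.IsNullOrEmpty(malwareType)
        && (string.Equals(malwareType, "malware-callback detected", StringComparison.Ordinal)
            || string.Equals(malwareType, "malware-object detected", StringComparison.Ordinal));
}

/// <summary>
/// Maps a FireEye alert type (the subject prefix) to the console label printed when it is
/// handled and to the isWebInfection flag passed to FireEyeParse.
/// </summary>
/// <returns>False for alert types the detector does not handle; label is then null.</returns>
private static bool TryClassifyFireEyeAlert(string malwareType, out string label, out bool isWebInfection)
{
    if (IsFireEyeMalwareAlert(malwareType))
    {
        label = @"Malware-callback detected";
        isWebInfection = false;
        return true;
    }
    if (string.Equals(malwareType, "web-infection detected", StringComparison.Ordinal))
    {
        label = @"Web-infection detected.";
        isWebInfection = true;
        return true;
    }
    if (string.Equals(malwareType, "infection-match detected", StringComparison.Ordinal))
    {
        label = @"Infection-match detected.";
        isWebInfection = false;
        return true;
    }
    label = null;
    isWebInfection = false;
    return false;
}

/// <summary>
/// Marks the parsed alert as an MPS detection and hands it off to TheDirector, which
/// gathers more information about the host.
/// </summary>
private static void HandOffToDirector(FidoReturnValues lFidoReturnValues, string malwareType)
{
    lFidoReturnValues.IsTargetOS = true;
    // Hand off the process to get more information about the host.
    lFidoReturnValues.MalwareType = malwareType;
    lFidoReturnValues.CurrentDetector = "mps";
    TheDirector.Direct(lFidoReturnValues);
}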