public bool CheckFidoWhitelist(string sDstIP, List <string> sHash, string sDomain, List <string> sUrl)
{
var isFound = false;
var sqlQuery = new SqLiteDB();
if (!string.IsNullOrEmpty(sDstIP))
{
var qDstIPReturn = sqlQuery.ExecuteScalar("Select * from event_whitelist where artifact = '" + sDstIP + "'");
if (!string.IsNullOrEmpty(qDstIPReturn))
{
isFound = true;
}
}
if (sHash != null)
{
foreach (var hash in sHash)
{
var qHashReturn = sqlQuery.ExecuteScalar("Select * from event_whitelist where artifact = '" + hash + "'");
if (!string.IsNullOrEmpty(qHashReturn))
{
isFound = true;
}
}
}
if (!string.IsNullOrEmpty(sDomain))
{
var qDomainReturn = sqlQuery.ExecuteScalar("Select * from event_whitelist where artifact = '" + sDomain + "'");
if (!string.IsNullOrEmpty(qDomainReturn))
{
isFound = true;
}
}
if (sUrl != null)
{
foreach (var url in sUrl)
{
var qUrlReturn = sqlQuery.ExecuteScalar("Select * from event_whitelist where artifact = '" + url + "'");
if (!string.IsNullOrEmpty(qUrlReturn))
{
isFound = true;
}
}
}
return(isFound);
}
public static List <FileReport> ParseHash(string[] sMD5Hash)
{
//todo: The below is a placeholder for when this will be encrypted.
//var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
var vtLogin = new VirusTotal(sVTKey);
var sVirusTotalHash = new List <FileReport>();
var fidoDB = new SqLiteDB();
var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
//todo: remove all the sleeps with a configurable option of whether to sleep AND a
//configurable integer value for the timer. Currently putting these in for the free
//API, but need to account for someone having access to the paid API.
try
{
if (sMD5Hash.Any())
{
if (sMD5Hash.Count() < 4)
{
if (!isPaidFeed)
{
Thread.Sleep(1000);
}
sVirusTotalHash.AddRange(sMD5Hash.Where(sHash => !string.IsNullOrEmpty(sHash)).Select(vtLogin.GetFileReport).Where(sVtmd5Return => sVtmd5Return != null));
}
else if (sMD5Hash.Count() >= 4)
{
if (!isPaidFeed)
{
Thread.Sleep(1000);
}
for (var i = 0; i < sMD5Hash.Count(); i++)
{
Console.WriteLine(@"Processing hash #" + (i + 1) + @" of " + sMD5Hash.Count() + @" " + sMD5Hash[i] + @".");
sVirusTotalHash.Add(vtLogin.GetFileReport(sMD5Hash[i]));
if (!isPaidFeed)
{
Console.WriteLine(@"Pausing 17 seconds to not overload VT.");
Thread.Sleep(17000);
}
}
}
return(sVirusTotalHash);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT Hash area:" + e);
}
return(sVirusTotalHash);
}
private static T GetResults<T>(RestRequest request, bool applyHack = false)
{
_client.BaseUrl = new Uri("http://www.virustotal.com/vtapi/v2/", UriKind.Absolute);
_client.Proxy = null;
_client.FollowRedirects = false;
T results;
var fidoDB = new SqLiteDB();
var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
var response = (RestResponse)_client.Execute(request);
if (applyHack)
{
//Warning: Huge hack... sorry :(
response.Content = Regex.Replace(response.Content, "\"([\\w\\d -\\._]+)\": \\{\"detected\":", "{\"name\": \"$1\", \"detected\":", RegexOptions.Compiled | RegexOptions.CultureInvariant);
response.Content = response.Content.Replace("scans\": {", "scans\": [");
response.Content = response.Content.Replace("}}", "}]");
}
IDeserializer deserializer = new JsonDeserializer();
if (response.StatusCode == HttpStatusCode.NoContent)
{
//todo: move integer value to db
if (!isPaidFeed) Thread.Sleep(30000);
results = GetResults<T>(request, true);
return results;
}
//throw new RateLimitException("You have reached the 5 requests pr. min. limit of VirusTotal");
if (response.StatusCode == HttpStatusCode.Forbidden)
throw new AccessDeniedException("You don't have access to the service. Make sure your API key is working correctly.");
try
{
results = deserializer.Deserialize<T>(response);
}
catch (SerializationException)
{
//retry request.
try
{
_retryCounter--;
if (_retryCounter <= 0)
{
_retryCounter = Retry;
return default(T);
}
results = GetResults<T>(request, applyHack);
}
catch (SerializationException ex)
{
throw new Exception("Failed to deserialize request.", ex);
}
}
//reset retry counter
_retryCounter = Retry;
return results;
}
private static List<UrlReport> ParseUrl(IEnumerable<string> sURL)
{
//The below is a placeholder for when this will be encrypted.
//var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
var vtLogin = new VirusTotal(sVTKey);
var isRateLimited = Object_Fido_Configs.GetAsBool("fido.securityfeed.virustotal.ratelimited", false);
List<UrlReport> sVirusTotalUrl = null;
var sVTURLreturn = new List<UrlReport>();
var newurl = string.Empty;
var url = sURL as IList<string> ?? sURL.ToList();
var fidoDB = new SqLiteDB();
var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
try
{
if (sURL != null)
{
for (var i = 0; i < url.Count(); i++)
{
if (!url[i].Contains("http://"))
{
newurl = "http://" + url[i];
}
else
{
newurl = url[i];
}
if (!isPaidFeed) Thread.Sleep(15000);
var sVTURLtemp = new List<UrlReport> { vtLogin.GetUrlReport(newurl) };
if (!isPaidFeed) Thread.Sleep(20000);
var icount = 1;
if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
{
Console.WriteLine(sVTURLtemp[0].VerboseMsg);
Console.WriteLine(newurl);
sVTURLreturn.Add(sVTURLtemp[0]);
continue;
}
while (sVTURLtemp[0].VerboseMsg == "The requested resource is not among the finished, queued or pending scans" && icount <= 3)
{
Console.WriteLine(sVTURLtemp[0].VerboseMsg);
Console.WriteLine(newurl);
sVTURLtemp.RemoveAt(0);
vtLogin.ScanUrl(newurl);
//todo: move sleep integer to db
Thread.Sleep(120000);
icount++;
sVTURLtemp.Add(vtLogin.GetUrlReport(newurl));
if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
{
Console.WriteLine(sVTURLtemp[0].VerboseMsg);
Console.WriteLine(newurl);
sVTURLreturn.Add(sVTURLtemp[0]);
}
}
//if (icount == 1)
//{
// sVTURLreturn.Add(sVTURLtemp[0]);
//}
}
if (sVTURLreturn.Any())
{
sVirusTotalUrl = sVTURLreturn;
return sVirusTotalUrl;
}
}
}
catch (Exception e)
{
if (e.Message == "You have reached the 5 requests pr. min. limit of VirusTotal")
{
if (!isPaidFeed) Thread.Sleep(60000);
sVirusTotalUrl = ParseUrl(url);
return sVirusTotalUrl;
}
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
}
return sVirusTotalUrl;
}
