private static void AntiVirusToBit9(FidoReturnValues lFidoReturnValues) { var lBit9ReturnValues = new Bit9ReturnValues(); var sFileInfo = lFidoReturnValues.Antivirus.FilePath.Split('\\'); if ((sFileInfo != null) && (sFileInfo.Length != 0)) { Console.WriteLine(@"Antivirus detector found! Cross-referencing with Bit9."); lBit9ReturnValues.FileName = sFileInfo[sFileInfo.Length - 1]; lFidoReturnValues.Antivirus.FileName = lBit9ReturnValues.FileName; for (var i = 0; i < sFileInfo.Length - 1; i++) { if (i == sFileInfo.Length - 2) { lBit9ReturnValues.FilePath += sFileInfo[i]; } else { if (!sFileInfo[i].Contains("'")) { lBit9ReturnValues.FilePath += sFileInfo[i] + "\\"; } else { break; } } } lBit9ReturnValues.HostName = lFidoReturnValues.Hostname; var lBit9Info = Detect_Bit9.GetFileInfo(null, lBit9ReturnValues); } }
//DirectorToEngine is the handler for SQL based detectors. It is designed //to initiate and direct configured SQL detectors to their respective module public static void DirectToEngine(string sDetector, string sVendor) { switch (sDetector) { case "sql": switch (sVendor) { case "bit9": Detect_Bit9.GetEvents(); break; case "fido": break; } break; } }
//todo: is this still necessary? should we handle this in the bit9 module? private static FidoReturnValues FireEyeHashToBit9(FidoReturnValues lFidoReturnValues) { //Check FireEye returns and go to Bit9 to see if the hash exists, where and //if it was executed, then go to VT and pass hash info on there too var lVirusTotalReturnValues = new VirusTotalReturnValues(); List <string> sBit9FileInfo = Detect_Bit9.GetFileInfo(lFidoReturnValues.FireEye.MD5Hash, null); if (sBit9FileInfo.Count == 0) { return(lFidoReturnValues); } if (lFidoReturnValues.Bit9 == null) { lFidoReturnValues.Bit9 = new Bit9ReturnValues { Bit9Hashes = sBit9FileInfo.ToArray() }; } else { lFidoReturnValues.Bit9.Bit9Hashes = sBit9FileInfo.ToArray(); } return(lFidoReturnValues); }
public static void Direct(FidoReturnValues lFidoReturnValues) { var sSrcIP = lFidoReturnValues.SrcIP; var sHostname = lFidoReturnValues.Hostname; try { //check detector values versus whitelist and exclude if true var isFound = new The_Director_Whitelist().CheckFidoWhitelist(lFidoReturnValues.DstIP, lFidoReturnValues.Hash, lFidoReturnValues.DNSName, lFidoReturnValues.Url); if (isFound) { return; } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director processing whitelist:" + e); } try { //if HostDetection is turned on, then gather information directly from host if (Object_Fido_Configs.GetAsBool("fido.director.hostdetection", true)) { lFidoReturnValues = The_Director_HostDetection.HostDetection(lFidoReturnValues, sHostname, sSrcIP); } //Write results out to console if (!string.IsNullOrEmpty(sHostname)) { Console.WriteLine(@"Detected hostname=" + sHostname + @", gathering detailed inventory."); } else { Console.WriteLine(@"Unable to detect hostname, gathering detailed inventory for " + sSrcIP + @"."); } //go to our sysmgmt data sources to get detailed inventory information if (Object_Fido_Configs.GetAsBool("fido.director.runinventory", false)) { lFidoReturnValues = The_Director_HostDetection.SQLFidoReturnValues(lFidoReturnValues, sSrcIP, sHostname); } //determine if hostname from host discover matches inventory data if (string.IsNullOrEmpty(lFidoReturnValues.Hostname)) { Console.WriteLine(@"Hostname still unknown. Proceeding to evaluate threat."); lFidoReturnValues.IsHostKnown = false; lFidoReturnValues.Hostname = "unknown"; } else if (lFidoReturnValues.Hostname.ToLower() == "unknown") { //todo: need to write code to take existing data //hold it for %configurable% minutes and then //send it out 'unmanaged' if hostinfo continues to come //back empty } else { if (Object_Fido_Configs.GetAsBool("fido.director.userdetect", false)) { lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues); } } if (lFidoReturnValues.Username != null) { var runUserDetect = Object_Fido_Configs.GetAsBool("fido.director.userdetect", false); if (runUserDetect) { lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host information:" + e); } try { //Gather more information about destination IP address lFidoReturnValues = The_Director_ThreatFeeds_URL.ThreatGRIDIPInfo(lFidoReturnValues); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host IP/GEO information:" + e); } try { //todo: this area is half-baked... why is bit9 return not being assigned to lFidoReturnValues? //If detector == AV then check if AV information has a filepath/name //then parse and send to bit9 to get additional info if ((lFidoReturnValues.Antivirus != null) && (The_Director_HostDetection.IsBit9Installed())) { AntiVirusToBit9(lFidoReturnValues); } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending AV info to Bit9:" + e); } try { //this area will take detector hashes and reference them against Bit9 //to see if Bit9 has seen the hash, where and if it was executed if (The_Director_HostDetection.IsBit9Installed()) { Console.WriteLine(@"Bit9 detected... cross-referencing hashes."); //if FireEye has hashes send to Bit9 if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any())) { if (lFidoReturnValues.Bit9 == null) { lFidoReturnValues.Bit9 = new Bit9ReturnValues(); } lFidoReturnValues.Bit9.Bit9Hashes = Detect_Bit9.GetFileInfo(lFidoReturnValues.FireEye.MD5Hash, null).ToArray(); //lFidoReturnValues = FireEyeHashToBit9(lFidoReturnValues); } //if FireEyeMPS has hashes send to Bit9 //if PaloAlto has hashes send to Bit9 //if Cyphort has hashes send to Bit9 //if Protectwise has hashes send to Bit9 } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to Bit9:" + e); } try { //this area will send hash data to threatfeeds to get additional information //to be used in scoring for the attack lFidoReturnValues = The_Director_ThreatFeeds_Hash.DetectorsToThreatFeeds(lFidoReturnValues); //this area will send URL data to threatfeeds to get additional information //to be used in scoring for the attack lFidoReturnValues = The_Director_ThreatFeeds_URL.DetectorsToThreatFeeds(lFidoReturnValues); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e); } //Send accumulated information to the Matrix for scoring Console.WriteLine(@"Running scoring matrix."); lFidoReturnValues = Matrix.RunMatrix(lFidoReturnValues); Console.WriteLine(@"Exiting scoring matrix."); var actions = new List <string>(); //handoff to enforcement // // //todo: more whack if (!lFidoReturnValues.IsSendAlert) { actions.Add("Created Ticket"); actions.Add("Not Needed"); } else { actions.Add("Created Ticket"); actions.Add("Success"); } //Thebelow highlighted out as the Service-Now module is too proprietary //in its current form to be included with OSS. What will happen in a future //version is a module to handle the different ticketing solutions, //Service-Now, Zendesk, ServiceDesk, etc., so that tickets can be //created based on user configuration. //ServiceNowUpdate.InsertResponse(lFidoReturnValues); lFidoReturnValues.Actions = actions; //send information for notifications Console.WriteLine(@"Sending notification."); Notification.Notification.Notify(lFidoReturnValues); //Send configurable information for output to syslog //SysLogger.SendEventToSyslog(lFidoReturnValues); //todo: WTF is this? It's whack, thats what... actions.Add("Update FIDO DB"); actions.Add("Success"); //update FIDO DB with event information Console.WriteLine(@"Updating FidoDB."); Fido_UpdateDB.InsertEventToDB(lFidoReturnValues); }