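//function to send email
/// <summary>
/// Builds and sends one HTML email through the AddRecepients / AddMain / SendMessage helpers.
/// On failure a "Fido Error" email is sent to fido.email.erroremail and the original exception
/// is rethrown to the caller.
/// </summary>
/// <param name="sTo">Primary recipient(s); handed to AddRecepients.</param>
/// <param name="sCC">CC recipient(s); handed to AddRecepients, may be empty.</param>
/// <param name="sFrom">Sender address.</param>
/// <param name="sSubject">Subject line.</param>
/// <param name="sBody">Body; the message is flagged IsBodyHtml, so this is treated as HTML.</param>
/// <param name="lGaugeAttachment">Gauge image paths passed to AddMain; may be null.</param>
/// <param name="sEmailAttachment">Path of a file to attach; ignored when null or empty.</param>
public static void Send(string sTo, string sCC, string sFrom, string sSubject, string sBody, List<string> lGaugeAttachment, string sEmailAttachment)
{
    var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    try
    {
        // MailMessage owns the Attachment streams; dispose once sent.
        using (var mMessage = new MailMessage { IsBodyHtml = true })
        {
            mMessage.AddRecepients(sTo, sCC);
            mMessage.AddMain(sFrom, sSubject, sBody, lGaugeAttachment);
            if (!string.IsNullOrEmpty(sEmailAttachment))
            {
                mMessage.Attachments.Add(new Attachment(sEmailAttachment));
            }
            mMessage.SendMessage();
        }
    }
    catch (Exception e)
    {
        // The error notification is itself a Send() to sErrorEmail. If this call already is that
        // notification, do not notify again: with a persistently failing SMTP server the old code
        // recursed until the stack overflowed.
        if (!string.Equals(sTo, sErrorEmail, StringComparison.Ordinal))
        {
            Send(sErrorEmail, sFidoEmail, sFidoEmail, "Fido Error", "Fido Failed: Generic error sending email." + e, null, null);
        }
        throw;
    }
}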
/// <summary>
/// Emails an error report to fido.email.erroremail (from fido.email.fidoemail) unless error
/// emails are switched off via fido.email.runerroremail. The message is also passed to
/// Logging_Fido.RunLogging and echoed to the console.
/// </summary>
/// <param name="sErrorSubject">Subject; prefixed with "Test: " when fido.application.teststartup is true.</param>
/// <param name="sErrorMessage">Body text of the report.</param>
public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
    var shouldSend = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
    var errorAddress = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var fidoAddress = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var isTestMode = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    if (!shouldSend)
    {
        return;
    }
    var subject = isTestMode ? "Test: " + sErrorSubject : sErrorSubject;
    Logging_Fido.RunLogging(sErrorMessage);
    var report = new Emailfields
    {
        To = errorAddress,
        CC = "",
        From = fidoAddress,
        Subject = subject,
        Body = sErrorMessage,
        EmailAttach = null,
        GaugeAttatch = null
    };
    Email_Send.Send(report);
    Console.WriteLine(sErrorMessage);
    // One-second pause after every error report (presumably to throttle bursts of error mail).
    Thread.Sleep(1000);
}
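/// <summary>
/// Fetches VirusTotal IP reports for a batch of addresses with the API key from
/// fido.securityfeed.virustotal.apikey (stored in plaintext; the commented placeholder below
/// records the plan to encrypt it).
/// </summary>
/// <param name="sIP">Addresses to query; null yields null without contacting VirusTotal.</param>
/// <returns>Whatever GetIPReport returns, or null when it returned null or threw
/// (the exception is reported by email and swallowed).</returns>
private static List<Object_VirusTotal_IP.IPReport> ParseIP(string[] sIP)
{
    //The below is a placeholder for when this will be encrypted.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
    // The unused VirusTotal client that was constructed here is gone: the key goes straight to GetIPReport.
    if (sIP == null)
    {
        return null;
    }
    try
    {
        return GetIPReport(sIP, sVTKey);
    }
    catch (Exception e)
    {
        // Message previously said "VT URL area" and carried a stray "{0}" placeholder.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in VT IP area:" + e);
    }
    return null;
}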
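/// <summary>
/// Sends <paramref name="mMessage"/> via the SMTP server named by fido.email.smtpsvr. When
/// fido.smtp.smtpuserid is set, fido.smtp.smtppwd is used with it as the SMTP credential;
/// otherwise no credential is attached (the old code always set an empty NetworkCredential).
/// </summary>
/// <param name="mMessage">Fully built message; the caller owns and disposes it.</param>
internal static void SendMessage(this MailMessage mMessage)
{
    // Resolve the server here instead of depending on an outer-scope sSMTPServer (the 7-argument
    // Send reads this same key and never used it).
    var sSMTPServer = Object_Fido_Configs.GetAsString("fido.email.smtpsvr", null);
    using (var sSMTP = new SmtpClient(sSMTPServer))
    {
        Console.WriteLine(@"Sending FIDO email.");
        var sSMTPUser = Object_Fido_Configs.GetAsString("fido.smtp.smtpuserid", string.Empty);
        var sSMTPPwd = Object_Fido_Configs.GetAsString("fido.smtp.smtppwd", string.Empty);
        // NOTE(review): EnableSsl is never set, so this credential travels in the clear unless the
        // server forces STARTTLS; consider a config switch for TLS.
        if (!string.IsNullOrEmpty(sSMTPUser))
        {
            sSMTP.Credentials = new NetworkCredential(sSMTPUser, sSMTPPwd);
        }
        sSMTP.Send(mMessage);
        // The explicit Dispose() that followed was redundant with the using block.
    }
}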
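/// <summary>
/// Looks a user up in Active Directory by distinguished name and returns the attribute values that
/// are present, in this order: mail, samaccountname, displayname, title, mobile. Absent attributes
/// are skipped, so the list length varies. Binds with fido.ldap.userid / fido.ldap.pwd at fido.ldap.basedn.
/// </summary>
/// <param name="sUserDN">Distinguished name to match. It is escaped per RFC 4515 before being
/// placed in the filter, so a value containing '(' ')' '*' '\' or NUL cannot alter the query
/// (the previous version concatenated it raw).</param>
/// <returns>The collected values, or null when the directory query threw (reported by email).</returns>
private static List<string> Getmanagerinfo(string sUserDN)
{
    try
    {
        var lManagerValues = new List<string>();
        string domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
        string user = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
        string pwd = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);
        // RFC 4515 filter escaping; backslash first so the other escapes are not doubled.
        var escapedDn = (sUserDN ?? string.Empty)
            .Replace("\\", "\\5c")
            .Replace("*", "\\2a")
            .Replace("(", "\\28")
            .Replace(")", "\\29")
            .Replace("\0", "\\00");
        var wanted = new[] { "mail", "samaccountname", "displayname", "title", "mobile" };
        // DirectoryEntry, DirectorySearcher and SearchResultCollection hold COM/LDAP handles; dispose them.
        using (var searchRoot = new DirectoryEntry(domainPath, user, pwd))
        using (var search = new DirectorySearcher(searchRoot)
        {
            Filter = "(&(objectClass=user)(objectCategory=person)(distinguishedName=" + escapedDn + "))"
        })
        {
            foreach (var attr in wanted)
            {
                search.PropertiesToLoad.Add(attr);
            }
            using (SearchResultCollection resultCol = search.FindAll())
            {
                foreach (SearchResult result in resultCol)
                {
                    foreach (var attr in wanted)
                    {
                        if (result.Properties[attr].Count > 0)
                        {
                            lManagerValues.Add((string)result.Properties[attr][0]);
                        }
                    }
                }
            }
        }
        return lManagerValues;
    }
    catch (Exception error)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in Active Directory grab manager info area:" + error);
    }
    return null;
}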
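/// <summary>
/// Requests VirusTotal file reports for a set of MD5 hashes. Fewer than four hashes go through one
/// LINQ pass; four or more are looped with a 17 s pause between requests when the feed is not paid
/// (free-API rate limit, read from configs_threatfeed_virustotal.paid_feed). Blank hashes and null
/// reports are dropped in both paths. An exception is reported by email and the partial result returned.
/// </summary>
/// <param name="sMD5Hash">Hashes to query; null or empty yields an empty list.</param>
/// <returns>The non-null reports; never null.</returns>
public static List<FileReport> ParseHash(string[] sMD5Hash)
{
    //todo: The below is a placeholder for when this will be encrypted.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
    var vtLogin = new VirusTotal(sVTKey);
    var sVirusTotalHash = new List<FileReport>();
    var fidoDB = new SqLiteDB();
    var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
    //todo: remove all the sleeps with a configurable option of whether to sleep AND a
    //configurable integer value for the timer. Currently putting these in for the free
    //API, but need to account for someone having access to the paid API.
    try
    {
        // Explicit guard: a null array used to surface as a NullReferenceException from Any().
        if (sMD5Hash == null || sMD5Hash.Length == 0)
        {
            return sVirusTotalHash;
        }
        if (!isPaidFeed)
        {
            Thread.Sleep(1000);
        }
        if (sMD5Hash.Length < 4)
        {
            sVirusTotalHash.AddRange(sMD5Hash
                .Where(sHash => !string.IsNullOrEmpty(sHash))
                .Select(vtLogin.GetFileReport)
                .Where(sVtmd5Return => sVtmd5Return != null));
        }
        else
        {
            for (var i = 0; i < sMD5Hash.Length; i++)
            {
                Console.WriteLine(@"Processing hash #" + (i + 1) + @" of " + sMD5Hash.Length + @" " + sMD5Hash[i] + @".");
                // The loop previously added null reports unconditionally; callers such as GetEvents
                // dereference vtEntry.Positives, so nulls must not reach the result.
                if (!string.IsNullOrEmpty(sMD5Hash[i]))
                {
                    var report = vtLogin.GetFileReport(sMD5Hash[i]);
                    if (report != null)
                    {
                        sVirusTotalHash.Add(report);
                    }
                }
                if (!isPaidFeed)
                {
                    Console.WriteLine(@"Pausing 17 seconds to not overload VT.");
                    Thread.Sleep(17000);
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in VT Hash area:" + e);
    }
    return sVirusTotalHash;
}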
/// <summary>
/// Loads the "config" table into Object_Fido_Configs and reads the syslog settings. The
/// SysLogger.Setup call is still commented out, so the values are read but not applied.
/// </summary>
private void SetupSyslog()
{
    //Load fido configs from database
    Object_Fido_Configs.LoadConfigFromDb("config");
    //Setup syslog
    var syslogServer = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
    var syslogPort = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
    var syslogFacility = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
    var syslogSender = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
    var syslogLayout = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
    //SysLogger.Setup(syslogServer, syslogPort, syslogFacility, syslogSender, syslogLayout);
}
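/// <summary>
/// Downloads the AlienVault reputation feed from fido.securityfeed.alienvault.url into
/// "[startup path]\threat feeds\reputation.data". Does nothing when the URL is not configured.
/// </summary>
/// <remarks>
/// The previous version installed a process-wide ServerCertificateValidationCallback that accepted
/// every certificate, which disabled TLS validation for every HTTPS call this process makes
/// (VirusTotal included), and then ignored the configured URL in favour of a hard-coded http://
/// address. Both are gone: certificates are validated normally and the configured URL is used, so
/// point it at an https:// address whose certificate validates.
/// </remarks>
public static void DownloadReputationFeed()
{
    var sDownloadUrl = Object_Fido_Configs.GetAsString("fido.securityfeed.alienvault.url", null);
    if (string.IsNullOrEmpty(sDownloadUrl))
    {
        return;
    }
    var feedDir = Path.Combine(Application.StartupPath, "threat feeds");
    // No-op when the directory already exists; DownloadFile fails if it does not.
    Directory.CreateDirectory(feedDir);
    using (var client = new WebClient())
    {
        client.DownloadFile(sDownloadUrl, Path.Combine(feedDir, "reputation.data"));
    }
}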
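//get sql sources from fido XML
/// <summary>
/// Returns the system-management source names listed, comma-separated, in fido.sysmgmt.params.types.
/// </summary>
/// <returns>The names, or null when the setting is absent or reading it threw; both cases are
/// reported by email.</returns>
public static IEnumerable<string> GetSqlSources()
{
    string[] sSQLSources = null;
    try
    {
        var configured = Object_Fido_Configs.GetAsString("fido.sysmgmt.params.types", null);
        if (configured == null)
        {
            // Previously a NullReferenceException from Split() surfaced this; say what is actually missing.
            Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: fido.sysmgmt.params.types is not configured in getsqlsources area.");
        }
        else
        {
            sSQLSources = configured.Split(',');
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception in getsqlsources area:" + e);
    }
    return sSQLSources;
}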
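/// <summary>
/// Collects the syslog and startup settings as a string-keyed, string-valued map. The integer and
/// boolean settings are rendered as text (invariant culture) and "detectors" holds the raw
/// comma-separated fido.application.detectors value. The previous version called a non-existent
/// <c>add</c> method and tried to store an int, a bool and a string[] in a Dictionary&lt;string,string&gt;,
/// so it did not compile.
/// </summary>
/// <returns>Keys: server, port, facility, sender, layout, isParamTest, detectors.</returns>
private Dictionary<string, string> GetSysLogParams()
{
    var result = new Dictionary<string, string>();
    result.Add("server", Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost"));
    result.Add("port", Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514).ToString(System.Globalization.CultureInfo.InvariantCulture));
    result.Add("facility", Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1"));
    result.Add("sender", Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido"));
    result.Add("layout", Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)"));
    result.Add("isParamTest", Object_Fido_Configs.GetAsBool("fido.application.teststartup", true).ToString());
    // Kept as the comma-separated string; callers split it themselves.
    result.Add("detectors", Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty));
    return result;
}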
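/// <summary>
/// Reads rows from the Bit9 table [das].[dbo].[Fido_FileInstanceInfo] into a flat string list via
/// ReadBit9Info: either one query per MD5 in <paramref name="lFileHash"/>, or (when that is null)
/// one query matching the file name, path and host in <paramref name="lBit9ReturnValues"/>.
/// Both queries are parameterised: hashes, file names and paths originate from endpoint and
/// VirusTotal data and were previously concatenated straight into the SQL text.
/// </summary>
/// <param name="lFileHash">MD5 hashes to look up; takes precedence when not null.</param>
/// <param name="lBit9ReturnValues">File name / path / host to match when no hashes are given.</param>
/// <returns>Column values appended by ReadBit9Info; empty when nothing matched or an error was emailed.</returns>
public static List<string> GetFileInfo(IEnumerable<string> lFileHash, Bit9ReturnValues lBit9ReturnValues)
{
    var lBit9Info = new List<string>();
    var oBit9Return = new object[69];
    // NOTE(review): the key that unwraps the Bit9 credentials is itself decrypted with the literal
    // "1", i.e. a hard-coded secret; left unchanged because altering it would break existing configs.
    var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
    sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
    var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
    var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
    var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
    var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
    try
    {
        // The builder quotes each value, so a server or database name containing ';' cannot add
        // connection keywords. NOTE(review): the original string set both SQL credentials and
        // Integrated Security=sspi, and SQL Server ignores user id/password when integrated
        // security is on; kept for compatibility -- confirm which authentication is intended.
        var csb = new SqlConnectionStringBuilder
        {
            UserID = sUserID,
            Password = sPwd,
            DataSource = sBit9Server + ",1433",
            IntegratedSecurity = true,
            InitialCatalog = sDb,
            ConnectTimeout = 60
        };
        using (var vConnection = new SqlConnection(csb.ConnectionString))
        {
            if (lFileHash != null)
            {
                foreach (var sFileHash in lFileHash)
                {
                    using (var CMD = new SqlCommand("SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE MD5 = @md5", vConnection) { CommandType = CommandType.Text })
                    {
                        // Empty string for null keeps the old "MD5 = ''" semantics rather than "= NULL".
                        CMD.Parameters.AddWithValue("@md5", sFileHash ?? string.Empty);
                        ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
                    }
                }
            }
            else if (lBit9ReturnValues != null)
            {
                using (var CMD = new SqlCommand("SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE FILE_NAME = @file AND Path_Name = @path AND Computer_Name = @host", vConnection) { CommandType = CommandType.Text })
                {
                    CMD.Parameters.AddWithValue("@file", lBit9ReturnValues.FileName.ToLower());
                    CMD.Parameters.AddWithValue("@path", lBit9ReturnValues.FilePath.ToLower());
                    CMD.Parameters.AddWithValue("@host", lBit9ReturnValues.HostName ?? string.Empty);
                    ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
                }
            }
        }
        //if no count then no hash information exists
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught retrieving file information from Bit9:" + e);
    }
    return lBit9Info;
}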
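/// <summary>
/// Builds a DirectorySearcher rooted at fido.ldap.basedn (bound with fido.ldap.userid / fido.ldap.pwd)
/// that matches the person whose sAMAccountName is <paramref name="sUserId"/>, with the property
/// list from AddPropertiesToLoad. The original declaration had no return type and did not compile.
/// </summary>
/// <param name="sUserId">Account name. It is escaped per RFC 4515 before being placed in the
/// filter, so filter metacharacters in it cannot change the query (it was concatenated raw before).</param>
/// <returns>The searcher; the caller owns it and its SearchRoot and should dispose both.</returns>
private static DirectorySearcher CreateDirectorySearcher(string sUserId)
{
    var domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
    var user = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
    var pwd = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);
    // RFC 4515 filter escaping; backslash first so the other escapes are not doubled.
    var escapedId = (sUserId ?? string.Empty)
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
    var searchRoot = new DirectoryEntry(domainPath, user, pwd);
    var search = new DirectorySearcher(searchRoot)
    {
        Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + escapedId + "))"
    };
    AddPropertiesToLoad(search);
    return search;
}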
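//if getevents is positive, get machine name and IP
/// <summary>
/// Returns one "Computer_Name,IP_Address,Executed,Deleted" string per Bit9 row whose MD5 matches
/// <paramref name="sMD5"/> and whose Computer_Name is not null. The query is parameterised because
/// the hash comes back from the VirusTotal report (vtEntry.Resource in GetEvents), not from us.
/// </summary>
/// <param name="sMD5">MD5 to look up; null is sent as an empty string.</param>
/// <returns>The matching rows; empty when none matched or the query threw (reported by email).</returns>
private static IEnumerable<string> GetHost(string sMD5)
{
    // NOTE(review): the key that unwraps the Bit9 credentials is decrypted with the literal "1",
    // i.e. a hard-coded secret; unchanged here to keep existing configs working.
    var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
    sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
    var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
    var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
    var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
    var sDB = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
    var oBit9Return = new object[4];
    var lHostInfo = new List<string>();
    try
    {
        //todo: encrypt and retrived these values from DB.
        // Builder quotes each value. NOTE(review): Integrated Security=sspi was set alongside the SQL
        // credentials, which makes SQL Server ignore them; kept as-is -- confirm the intended auth mode.
        var csb = new SqlConnectionStringBuilder
        {
            UserID = sUserID,
            Password = sPwd,
            DataSource = sBit9Server + ",1433",
            IntegratedSecurity = true,
            InitialCatalog = sDB,
            ConnectTimeout = 10
        };
        // The connection was never disposed before; both it and the command are released here.
        using (var vConnection = new SqlConnection(csb.ConnectionString))
        using (var cmd = new SqlCommand("SELECT [Computer_Name],[IP_Address], [Executed], [Deleted] FROM [das].[dbo].[Fido_FileInstanceInfo] Where MD5 = @md5", vConnection) { CommandType = CommandType.Text })
        {
            cmd.Parameters.AddWithValue("@md5", sMD5 ?? string.Empty);
            vConnection.Open();
            using (var objReader = cmd.ExecuteReader())
            {
                while (objReader.Read())
                {
                    objReader.GetSqlValues(oBit9Return);
                    if (oBit9Return.GetValue(0) != null)
                    {
                        lHostInfo.Add(oBit9Return.GetValue(0) + "," + oBit9Return.GetValue(1) + "," + oBit9Return.GetValue(2) + "," + oBit9Return.GetValue(3));
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught retrieving host information from Bit9:" + e);
    }
    return lHostInfo;
}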
/// <summary>
/// Sends the summary email for a detection from fido.email.fidoemail: to the primary address with
/// the secondary address on CC when IsSendAlert is set, otherwise to the non-alert address as both
/// To and CC. Attachments come from GetAttachmentList().
/// </summary>
/// <param name="sSubject">Subject line.</param>
/// <param name="lFidoReturnValues">Detection record supplying IsSendAlert and the SummaryEmail body.</param>
private void SendMail(string sSubject, FidoReturnValues lFidoReturnValues)
{
    var fromAddress = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var primaryAddress = Object_Fido_Configs.GetAsString("fido.email.primaryemail", null);
    var secondaryAddress = Object_Fido_Configs.GetAsString("fido.email.secondaryemail", null);
    var nonAlertAddress = Object_Fido_Configs.GetAsString("fido.email.nonalertemail", null);
    var attachments = GetAttachmentList();
    string toAddress;
    string ccAddress;
    if (lFidoReturnValues.IsSendAlert)
    {
        toAddress = primaryAddress;
        ccAddress = secondaryAddress;
    }
    else
    {
        toAddress = nonAlertAddress;
        ccAddress = nonAlertAddress;
    }
    Email_Send.Send(toAddress, ccAddress, fromAddress, sSubject, lFidoReturnValues.SummaryEmail, attachments, null);
}
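//function to send email
/// <summary>
/// Sends an <see cref="Email"/> by building a MailMessage with SetupEmailMessage and passing it to
/// SendEmail when the setup succeeded. On failure a "Fido Error" email is sent via the
/// seven-argument overload and the exception is rethrown.
/// </summary>
/// <param name="email">The email to send.</param>
public static void Send(Email email)
{
    var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    try
    {
        // The MailMessage that was allocated before the out-call was discarded by it; and the
        // message SetupEmailMessage returns is disposable (attachment streams), so dispose it.
        MailMessage mMessage;
        var isReady = SetupEmailMessage(email, out mMessage);
        using (mMessage)
        {
            if (isReady)
            {
                SendEmail(mMessage);
            }
        }
    }
    catch (Exception e)
    {
        Send(sErrorEmail, sFidoEmail, sFidoEmail, "Fido Error", "Fido Failed: Generic error sending email." + e, null, null);
        throw;
    }
}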
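//get sql connection string and sql query
/// <summary>
/// Collects the per-source system-management SQL settings under "fido.sysmgmt.{sSource}.":
/// sqlconnstring, sqlqueryip, sqlqueryhostname, and for "jamf" also sqlqueryextattrib and
/// sqlqueryos, in that order. Missing settings are added as null so positions stay stable.
/// Note that the connection string (credentials included) is held in plaintext config.
/// </summary>
/// <param name="sSource">Source name as listed in fido.sysmgmt.params.types.</param>
/// <returns>The values in the order above; possibly partial if reading threw (reported by email).</returns>
public static List<string> GetSqlConfigs(string sSource)
{
    var lQueryConfig = new List<string>();
    try
    {
        var prefix = "fido.sysmgmt." + sSource + ".";
        lQueryConfig.Add(Object_Fido_Configs.GetAsString(prefix + "sqlconnstring", null));
        lQueryConfig.Add(Object_Fido_Configs.GetAsString(prefix + "sqlqueryip", null));
        lQueryConfig.Add(Object_Fido_Configs.GetAsString(prefix + "sqlqueryhostname", null));
        if (sSource == "jamf")
        {
            lQueryConfig.Add(Object_Fido_Configs.GetAsString(prefix + "sqlqueryextattrib", null));
            lQueryConfig.Add(Object_Fido_Configs.GetAsString(prefix + "sqlqueryos", null));
        }
    }
    catch (Exception e)
    {
        // Stray "{0}" placeholder dropped from the message; it was never formatted.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in getsqlconfigs area:" + e);
    }
    return lQueryConfig;
}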
/// <summary>
/// Emails an error report to fido.email.erroremail from fido.email.fidoemail through the
/// seven-argument Email_Send.Send, unless fido.email.runerroremail is false. The message is also
/// passed to Logging_Fido.RunLogging and written to the console.
/// </summary>
/// <param name="sErrorSubject">Subject; prefixed with "Test: " when fido.application.teststartup is true.</param>
/// <param name="sErrorMessage">Body text of the report.</param>
public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
    var shouldSend = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
    var errorAddress = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var fidoAddress = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var isTestMode = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    if (!shouldSend)
    {
        return;
    }
    var subject = isTestMode ? "Test: " + sErrorSubject : sErrorSubject;
    Logging_Fido.RunLogging(sErrorMessage);
    Email_Send.Send(errorAddress, fidoAddress, fidoAddress, subject, sErrorMessage, null, null);
    Console.WriteLine(sErrorMessage);
    // One-second pause after every error report (presumably to throttle bursts of error mail).
    Thread.Sleep(1000);
}
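//This is the detector call for bit9. Its purpose is to get
//the most recent hashes (last 60 secs (or so)) and parse them
//over to our security feeds. If the security feeds find
//relevant information get hostname/ip and call TheDirector.
/// <summary>
/// Bit9 detector entry point. Runs the operator-configured query fido.detectors.bit9.query against
/// the Bit9 database, collects column 4 of every row as a hash, sends the hashes to VirusTotal via
/// Feeds_VirusTotal.ParseHash and, for each report with Positives &gt; 0, resolves the hosts where
/// the file executed (GetHost) and hands a FidoReturnValues to TheDirector.Direct. Any exception
/// is reported by email, with the throwing line number when PDB info is available, and swallowed.
/// </summary>
public static void GetEvents()
{
    var lFidoReturnValues = new FidoReturnValues();
    try
    {
        Console.WriteLine(@"Running Bit9 detector.");
        // NOTE(review): the key that unwraps the Bit9 credentials is decrypted with the literal "1",
        // i.e. a hard-coded secret; unchanged here to keep existing configs working.
        var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
        sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
        var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
        var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
        var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
        var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
        var sBit9DetectorQuery = Object_Fido_Configs.GetAsString("fido.detectors.bit9.query", null);
        // The fido.detectors.bit9.connectionstring template and the placeholder-replacement
        // dictionary were read but never used (the substitution line was commented out); removed.
        // Builder quotes each value. NOTE(review): Integrated Security=sspi was set alongside the SQL
        // credentials, which makes SQL Server ignore them; kept as-is -- confirm the intended auth mode.
        var csb = new SqlConnectionStringBuilder
        {
            UserID = sUserID,
            Password = sPwd,
            DataSource = sBit9Server + ",1433",
            IntegratedSecurity = true,
            InitialCatalog = sDb,
            ConnectTimeout = 60
        };
        var lBit9Hash = new List<string>();
        // The query text is operator configuration, not event data. The connection is now scoped to
        // the read; the old code only Close()d it on the success path and leaked it on early returns.
        using (var vConnection = new SqlConnection(csb.ConnectionString))
        using (var sqlCmd = new SqlCommand(sBit9DetectorQuery, vConnection) { CommandType = CommandType.Text })
        {
            vConnection.Open();
            using (var objReader = sqlCmd.ExecuteReader())
            {
                if (objReader.HasRows)
                {
                    Console.WriteLine(@"New hashes found...");
                }
                while (objReader.Read())
                {
                    var oBit9Return = new object[objReader.FieldCount];
                    objReader.GetSqlValues(oBit9Return);
                    // Column 4 of the configured query is expected to be the hash.
                    if (oBit9Return.GetValue(4) != null)
                    {
                        lBit9Hash.Add(oBit9Return.GetValue(4).ToString());
                    }
                }
            }
        }
        if (lBit9Hash.Count == 0)
        {
            return;
        }
        Console.WriteLine(@"Processing " + lBit9Hash.Count.ToString(CultureInfo.InvariantCulture) + @" hashes.");
        lFidoReturnValues.Hash = lBit9Hash;
        //todo: write additional code to include other threat feeds.
        var vtReturn = Feeds_VirusTotal.ParseHash(lBit9Hash.ToArray());
        if (!vtReturn.Any())
        {
            return;
        }
        //todo: if return is 'not seen before' right helper function to upload file to threat feed.
        foreach (var vtEntry in vtReturn)
        {
            if (vtEntry.Positives <= 0)
            {
                continue;
            }
            foreach (var sHostInfoList in GetHost(vtEntry.Resource))
            {
                // GetHost rows are "Computer_Name,IP_Address,Executed,Deleted".
                var sSingleHostInfo = sHostInfoList.Split(',');
                // Computer_Name appears to be DOMAIN\host; element 1 is used as the hostname.
                var sHostName = sSingleHostInfo[0].Split('\\');
                //todo: need to write second tree for when file hasn't
                //executed, but does still exist on the system,
                //sSingleHostInfo[1].ToLower() == "yes"
                if (sSingleHostInfo[2].ToLower() != "yes")
                {
                    continue;
                }
                if (lFidoReturnValues.Bit9 == null)
                {
                    lFidoReturnValues.Bit9 = new Bit9ReturnValues();
                }
                if (lFidoReturnValues.Bit9.VTReport == null)
                {
                    lFidoReturnValues.Bit9.VTReport = new List<FileReport>();
                }
                lFidoReturnValues.IsHostKnown = true;
                lFidoReturnValues.Hostname = sHostName[1];
                lFidoReturnValues.SrcIP = sSingleHostInfo[1];
                lFidoReturnValues.Bit9.HostName = sSingleHostInfo[0];
                lFidoReturnValues.Bit9.VTReport.Add(vtEntry);
                lFidoReturnValues.Bit9.FileExecuted = sSingleHostInfo[2];
                lFidoReturnValues.Bit9.FileDeleted = sSingleHostInfo[3];
                lFidoReturnValues.CurrentDetector = "bit9";
                lFidoReturnValues.MalwareType = "Malicious file";
                lFidoReturnValues.IsTargetOS = true;
                lFidoReturnValues.DstIP = string.Empty;
                var lMD5 = GetFileInfo(new List<string> { vtEntry.MD5 }, lFidoReturnValues.Bit9);
                // Positional columns from GetFileInfo's SELECT *: 5 and 6 are joined as path\name,
                // 51 is used as the threat value and 50 as the trust value. NOTE(review): there is no
                // bounds check; an unexpected column count throws and is reported by the catch below.
                lFidoReturnValues.Bit9.FileName = lMD5[5] + @"\" + lMD5[6];
                lFidoReturnValues.Bit9.FileThreat = lMD5[51];
                lFidoReturnValues.Bit9.FileTrust = lMD5[50];
                //lFidoReturnValues.Hash = new List<FileReport> {vtEntry.MD5};
                Console.WriteLine(@"Malicious hashes found... continue to process.");
                TheDirector.Direct(lFidoReturnValues);
            }
        }
        Console.WriteLine(@"Exiting Bit9 detector.");
    }
    catch (Exception e)
    {
        // Get stack trace for the exception with source file information
        var st = new StackTrace(e, true);
        // Get the top stack frame
        var frame = st.GetFrame(0);
        // Get the line number from the stack frame
        var line = frame.GetFileLineNumber();
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught retrieving alerts from Bit9 on line " + line + ":" + e);
    }
}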
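//function to send email
/// <summary>
/// Builds and sends one HTML email: optional CC, up to four inline gauge images referenced from
/// the HTML by the content ids totalscore / userscore / machinescore / threatscore, and one
/// optional file attachment. The SMTP server is fido.email.smtpsvr; fido.smtp.smtpuserid and
/// fido.smtp.smtppwd are used as the credential when a user id is configured. On failure a
/// "Fido Error" email goes to fido.email.erroremail and the exception is rethrown.
/// </summary>
/// <param name="sTo">Recipient; required. A missing recipient is reported by email and raises
/// ArgumentException (the old code reported "No sender specified" and then tried to send anyway).</param>
/// <param name="sCC">CC recipient; skipped when empty.</param>
/// <param name="sFrom">Sender address.</param>
/// <param name="sSubject">Subject line.</param>
/// <param name="sBody">HTML body; also used as the text/html alternate view that carries the inline images.</param>
/// <param name="lGaugeAttachment">Gauge image paths in totalscore/userscore/machinescore/threatscore
/// order; entries beyond the fourth are ignored. May be null.</param>
/// <param name="sEmailAttachment">Path of a file to attach; ignored when null or empty.</param>
public static void Send(string sTo, string sCC, string sFrom, string sSubject, string sBody, List<string> lGaugeAttachment, string sEmailAttachment)
{
    var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var sSMTPServer = Object_Fido_Configs.GetAsString("fido.email.smtpsvr", null);
    // Error notifications are themselves Send() calls addressed to sErrorEmail. When this call
    // already is one, do not notify again: with a dead SMTP server the old code recursed until
    // the stack overflowed.
    var isErrorNotification = string.Equals(sTo, sErrorEmail, StringComparison.Ordinal);
    if (string.IsNullOrEmpty(sTo))
    {
        if (!isErrorNotification)
        {
            Send(sErrorEmail, "", sFidoEmail, "Fido Error", "Fido Failed: No recipient specified in email.", null, null);
        }
        throw new ArgumentException("Fido Failed: No recipient specified in email.", "sTo");
    }
    try
    {
        // MailMessage owns the attachment and alternate-view streams; dispose once sent.
        using (var mMessage = new MailMessage { IsBodyHtml = true })
        {
            mMessage.To.Add(sTo);
            if (!string.IsNullOrEmpty(sCC))
            {
                mMessage.CC.Add(sCC);
            }
            mMessage.From = new MailAddress(sFrom);
            mMessage.Body = sBody;
            mMessage.Subject = sSubject;
            if (lGaugeAttachment != null && mMessage.Body != null)
            {
                var htmlView = AlternateView.CreateAlternateViewFromString(mMessage.Body.Trim(), null, "text/html");
                // Content ids the HTML template references, by position in lGaugeAttachment.
                var contentIds = new[] { "totalscore", "userscore", "machinescore", "threatscore" };
                for (var i = 0; i < lGaugeAttachment.Count && i < contentIds.Length; i++)
                {
                    // All gauge files are .png (see the paths Notify builds); the first one was
                    // previously labelled image/jpg.
                    htmlView.LinkedResources.Add(new LinkedResource(lGaugeAttachment[i], "image/png") { ContentId = contentIds[i] });
                }
                mMessage.AlternateViews.Add(htmlView);
            }
            if (!string.IsNullOrEmpty(sEmailAttachment))
            {
                mMessage.Attachments.Add(new Attachment(sEmailAttachment));
            }
            using (var sSMTP = new SmtpClient(sSMTPServer))
            {
                Console.WriteLine(@"Sending FIDO email.");
                var sSMTPUser = Object_Fido_Configs.GetAsString("fido.smtp.smtpuserid", string.Empty);
                var sSMTPPwd = Object_Fido_Configs.GetAsString("fido.smtp.smtppwd", string.Empty);
                // NOTE(review): EnableSsl is never set, so this credential travels in the clear unless
                // the server forces STARTTLS; consider a config switch for TLS.
                if (!string.IsNullOrEmpty(sSMTPUser))
                {
                    sSMTP.Credentials = new NetworkCredential(sSMTPUser, sSMTPPwd);
                }
                sSMTP.Send(mMessage);
            }
        }
    }
    catch (Exception e)
    {
        if (!isErrorNotification)
        {
            Send(sErrorEmail, sFidoEmail, sFidoEmail, "Fido Error", "Fido Failed: Generic error sending email." + e, null, null);
        }
        throw;
    }
}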
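//The load will grab configurations for what FIDO is monitoring,
//then go to each configured external system to parse any alerts.
//Finally, FIDO is configured to pause per iteration on a
//configurable timed basis.
/// <summary>
/// One polling iteration, driven by timer1. Validates configuration (exiting the application when
/// it is not OK), sets up syslog, then dispatches every detector listed in
/// fido.application.detectors to the receiver matching its configured type (api, log, sql, email).
/// Afterwards sleeps fido.application.sleepiteration milliseconds and re-arms the timer.
/// Exceptions from the detector loop are emailed and the iteration continues to the sleep.
/// </summary>
/// <param name="sender">Timer/form sender; unused.</param>
/// <param name="aug">Event arguments; unused.</param>
private void Fido_Load(object sender, EventArgs aug)
{
    //Disabled the current time during current iteration.
    timer1.Enabled = false;
    Hide();
    if (!ConfigurationOK())
    {
        Application.Exit();
        // Application.Exit only asks the message loop to stop; without this return the detectors
        // below would still run once against a configuration that just failed validation.
        return;
    }
    SetupSyslog();
    //Beginning of primary area which starts parsing of alerts.
    var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    var sDetectors = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(',');
    try
    {
        Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");
        foreach (var detect in sDetectors)
        {
            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
            //Get the detector, ie, email, log, web service, etc.
            var sDetectorType = parseConfigs.DetectorType;
            switch (sDetectorType)
            {
                case "api":
                    Console.WriteLine(@"Loading webservice receiver.");
                    Recieve_API.DirectToEngine(sDetectorType, detect);
                    break;
                case "log":
                    Console.WriteLine(@"Loaded log receiver.");
                    var sDefaultServer = parseConfigs.Server;
                    var sDefaultFile = parseConfigs.File;
                    var sVendor = parseConfigs.Vendor;
                    Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                    break;
                case "sql":
                    Console.WriteLine(@"Loaded sql receiver.");
                    Receive_SQL.DirectToEngine(sDetectorType, detect);
                    break;
                case "email":
                    Console.WriteLine(@"Loaded email receiver.");
                    var sEmailVendor = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                    var sDetectorsEmail = parseConfigs.EmailFrom;
                    var sDetectorsFolder = parseConfigs.Folder;
                    Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                    break;
                // Unknown detector types are silently skipped, as before.
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in fidomain area:" + e);
    }
    //Sleep for X # of seconds per iteration specified in Fido configuration
    Application.DoEvents();
    // iSleep is in milliseconds; the console message divides by 1000 to show seconds.
    var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);
    Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
    Thread.Sleep(iSleep);
    timer1.Enabled = true;
}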
//module to compose notifications
/// <summary>
/// Composes and sends the alert email for one detection: builds the four gauge image paths from the
/// scores, derives the subject from the previous-alert / host-known / target-OS / send-alert flags
/// and the test-mode setting, fills the summary template (SummaryEmail, ReturnRecommendation,
/// ReplacingValues, ReplacingBadGuyValues), then routes to the primary and secondary addresses when
/// IsSendAlert is set, otherwise to the non-alert address. Errors are printed and emailed.
/// </summary>
/// <param name="lFidoReturnValues">Detection record; its SummaryEmail, Recommendation and IsTest
/// fields are updated in place.</param>
public static void Notify(FidoReturnValues lFidoReturnValues)
{
    try
    {
        var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
        var sPrimaryEmail = Object_Fido_Configs.GetAsString("fido.email.primaryemail", null);
        var sSecondaryEmail = Object_Fido_Configs.GetAsString("fido.email.secondaryemail", null);
        var sNonAlertEmail = Object_Fido_Configs.GetAsString("fido.email.nonalertemail", null);
        var gaugeDir = Application.StartupPath + "\\media\\gauge\\";
        var lAttachment = new List<string>
        {
            gaugeDir + "total" + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) + ".png",
            gaugeDir + "red" + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) + ".png",
            gaugeDir + "red" + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) + ".png",
            gaugeDir + "red" + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) + ".png"
        };
        var sSubject = (lFidoReturnValues.IsPreviousAlert ? @"Previously Alerted! Fido Alert: " : @"Fido Alert: ")
                       + lFidoReturnValues.MalwareType + ". ";
        sSubject += lFidoReturnValues.IsHostKnown
            ? "Hostname = " + lFidoReturnValues.Hostname
            : "Hostname = Unknown (" + lFidoReturnValues.SrcIP + ")";
        lFidoReturnValues = SummaryEmail(lFidoReturnValues);
        lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues);
        lFidoReturnValues.SummaryEmail = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
        lFidoReturnValues.SummaryEmail = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
        // InfoSec-only subjects override the alert subject built above.
        if (!lFidoReturnValues.IsTargetOS)
        {
            sSubject = "Fido InfoSec only Alert : Target OS does not match.";
        }
        else if (!lFidoReturnValues.IsSendAlert)
        {
            sSubject = "Fido InfoSec only alert. " + lFidoReturnValues.MalwareType + ". Hostname = " + lFidoReturnValues.Hostname + " (" + lFidoReturnValues.SrcIP + ")";
        }
        lFidoReturnValues.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
        if (lFidoReturnValues.IsTest)
        {
            sSubject = @"TEST: " + sSubject;
        }
        string toAddress;
        string ccAddress;
        if (lFidoReturnValues.IsSendAlert)
        {
            toAddress = sPrimaryEmail;
            ccAddress = sSecondaryEmail;
        }
        else
        {
            toAddress = sNonAlertEmail;
            ccAddress = sNonAlertEmail;
        }
        Email_Send.Send(toAddress, ccAddress, sFidoEmail, sSubject, lFidoReturnValues.SummaryEmail, lAttachment, null);
    }
    catch (Exception e)
    {
        Console.WriteLine(@"Error creating FIDO email. " + e);
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
    }
}
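/// <summary>
/// Fills the threat-specific placeholders in the HTML summary (%threatip%, %dnsname%,
/// %timeoccurred%, %malwaretype%, %detector%, %prevmach%, %prevuser%, %prevurl%, %prevhash%,
/// %previp%, the bit9 / carbonblackv1 extras and %detectors%), then hands the map to
/// Notfication_Helper.StartReplacements for the hash and URL placeholders and applies it.
/// Values that originate from detector or feed data (IP, DNS name, malware type, file paths,
/// detector names) are HTML-encoded here because the email is sent with IsBodyHtml = true; a
/// crafted hostname, DNS name or file path could otherwise inject markup into the alert.
/// </summary>
/// <param name="sHtmlBody">HTML template containing the %placeholder% tokens.</param>
/// <param name="lFidoReturnValues">Detection record the values are taken from.</param>
/// <returns>The template with every collected placeholder replaced.</returns>
private static string ReplacingBadGuyValues(string sHtmlBody, FidoReturnValues lFidoReturnValues)
{
    var replacements = new Dictionary<string, string>();
    var detectors = Object_Fido_Configs.GetAsString("fido.application.detectors", null).Split(',');
    var lBadMD5Hashes = new List<string>();
    var lBadURLs = new List<string>();
    var lGoodMD5Hashes = new List<string>();
    var lGoodURLs = new List<string>();
    replacements.Add("%threatip%", EncodeForHtml(lFidoReturnValues.DstIP));
    replacements.Add("%dnsname%", EncodeForHtml(lFidoReturnValues.DNSName));
    // `x + " (UTC)" ?? fallback` never fell back: `+` binds tighter than `??`, so the left operand
    // was never null. Test the field itself instead.
    replacements.Add("%timeoccurred%", lFidoReturnValues.TimeOccurred != null
        ? lFidoReturnValues.TimeOccurred + " (UTC)"
        : DateTime.UtcNow.ToString(CultureInfo.InvariantCulture) + " (UTC)");
    replacements.Add("%malwaretype%", lFidoReturnValues.MalwareType != null ? EncodeForHtml(lFidoReturnValues.MalwareType) : "unknown");
    replacements.Add("%detector%", EncodeForHtml(lFidoReturnValues.CurrentDetector));
    replacements.Add("%prevmach%", lFidoReturnValues.IsMachSeenBefore ? lFidoReturnValues.IsMachSeenBefore.ToString() + " " + lFidoReturnValues.PreviousAlerts.TimeStamp : "No");
    replacements.Add("%prevuser%", lFidoReturnValues.IsUserSeenBefore ? lFidoReturnValues.IsUserSeenBefore.ToString() + " " + lFidoReturnValues.PreviousAlerts.TimeStamp : "No");
    replacements.Add("%prevurl%", lFidoReturnValues.IsUrlSeenBefore ? lFidoReturnValues.IsUrlSeenBefore.ToString() : "No");
    replacements.Add("%prevhash%", lFidoReturnValues.IsHashSeenBefore ? lFidoReturnValues.IsHashSeenBefore.ToString() : "No");
    replacements.Add("%previp%", lFidoReturnValues.IsIPSeenBefore ? lFidoReturnValues.IsIPSeenBefore.ToString() : "No");
    if (lFidoReturnValues.CurrentDetector == "antivirus")
    {
        // Replaces the whole map built so far; those values are not encoded here.
        replacements = Notfication_Helper.AntivirusReplacements(lFidoReturnValues);
    }
    if (lFidoReturnValues.CurrentDetector == "bit9")
    {
        if (!string.IsNullOrEmpty(lFidoReturnValues.Bit9.FileName))
        {
            replacements.Add("%bit9_filename%", EncodeForHtml(lFidoReturnValues.Bit9.FileName));
        }
    }
    if (lFidoReturnValues.CurrentDetector == "carbonblackv1")
    {
        // All three were gated on ProcessPath in the original (HostCount/NetConn are not checked).
        if (!string.IsNullOrEmpty(lFidoReturnValues.CB.Alert.ProcessPath))
        {
            replacements.Add("%threatfile%", EncodeForHtml(lFidoReturnValues.CB.Alert.ProcessPath));
            replacements.Add("%hostcount%", lFidoReturnValues.CB.Alert.HostCount + @" other host(s) have this file.");
            replacements.Add("%netconns%", lFidoReturnValues.CB.Alert.NetConn + @" network connections initiated by this file.");
        }
    }
    if (lFidoReturnValues.Detectors != null)
    {
        var sListOfDetectors = lFidoReturnValues.Detectors.Aggregate(string.Empty, (current, sDetector) => current + (sDetector + ", "));
        replacements.Add("%detectors%", EncodeForHtml(sListOfDetectors));
    }
    else
    {
        replacements.Add("%detectors%", "No");
    }
    replacements = Notfication_Helper.StartReplacements(lFidoReturnValues, detectors, lBadMD5Hashes, lGoodMD5Hashes, lBadURLs, lGoodURLs, replacements);
    return replacements.Aggregate(sHtmlBody, (current, replacement) => current.Replace(replacement.Key, replacement.Value));
}

/// <summary>HTML-encodes a value destined for the HTML email body; null becomes an empty string.</summary>
/// <param name="value">Raw text from a detector or feed.</param>
/// <returns>The value with &lt; &gt; &amp; and quotes escaped.</returns>
private static string EncodeForHtml(string value)
{
    return System.Net.WebUtility.HtmlEncode(value ?? string.Empty);
}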
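//simple check to see if Bit9 is configured in Fido
/// <summary>
/// True when "bit9" (compared case-insensitively, ordinal) is one of the comma-separated entries
/// of fido.application.detectors; false when the setting is absent or empty (the old code threw a
/// NullReferenceException on a missing setting).
/// </summary>
/// <returns>Whether the Bit9 detector is configured.</returns>
public static bool IsBit9Installed()
{
    var configured = Object_Fido_Configs.GetAsString("fido.application.detectors", null);
    if (string.IsNullOrEmpty(configured))
    {
        return false;
    }
    // Ordinal comparison: ToLower() is culture-sensitive (e.g. "BIT9" under a Turkish culture).
    return configured.Split(',').Any(detector => string.Equals(detector, "bit9", StringComparison.OrdinalIgnoreCase));
}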
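/// <summary>
/// Retrieves the VirusTotal report for each URL. URLs VirusTotal has not yet scanned
/// are submitted with ScanUrl and polled up to three more times; only reports whose
/// scan has finished are returned.
/// </summary>
/// <param name="sURL">URLs to look up; a URL without an http/https scheme is prefixed with http://.</param>
/// <returns>
/// The finished reports, or null when the input is null/empty, nothing finished, or an
/// error other than the VirusTotal rate limit occurred (that error is reported through
/// Fido_EventHandler.SendEmail).
/// </returns>
private static List<UrlReport> ParseUrl(IEnumerable<string> sURL)
{
    //The below is a placeholder for when this will be encrypted.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    // NOTE(review): until that lands the VirusTotal API key is read from config as stored.
    var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
    var vtLogin = new VirusTotal(sVTKey);

    // The original materialised the input (ToList) before its null check; guard first.
    if (sURL == null)
    {
        return null;
    }
    var url = sURL as IList<string> ?? sURL.ToList();
    if (url.Count == 0)
    {
        return null;
    }

    var fidoDB = new SqLiteDB();
    // Unpaid feeds are throttled, so the pauses below are only applied for them.
    var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

    // VirusTotal status strings this loop keys on.
    const string sScanFinished = "Scan finished, scan information embedded in this object";
    const string sNotYetScanned = "The requested resource is not among the finished, queued or pending scans";
    const string sRateLimited = "You have reached the 5 requests pr. min. limit of VirusTotal";
    // The original retried a rate-limited batch by recursing without bound; cap it.
    const int iMaxRateLimitRetries = 3;

    for (var iAttempt = 0; ; iAttempt++)
    {
        try
        {
            var sVTURLreturn = new List<UrlReport>();
            foreach (var sRawUrl in url)
            {
                if (string.IsNullOrWhiteSpace(sRawUrl))
                {
                    continue;
                }
                // Contains("http://") mis-prefixed https URLs; accept either scheme as-is.
                var newurl = sRawUrl.StartsWith("http://", StringComparison.OrdinalIgnoreCase)
                             || sRawUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase)
                    ? sRawUrl
                    : "http://" + sRawUrl;

                if (!isPaidFeed) Thread.Sleep(15000);
                var report = vtLogin.GetUrlReport(newurl);
                if (!isPaidFeed) Thread.Sleep(20000);

                if (report != null && report.VerboseMsg == sScanFinished)
                {
                    Console.WriteLine(report.VerboseMsg);
                    Console.WriteLine(newurl);
                    sVTURLreturn.Add(report);
                    continue;
                }

                // Unknown URL: ask VirusTotal to scan it and poll for the finished report.
                var icount = 1;
                while (report != null && report.VerboseMsg == sNotYetScanned && icount <= 3)
                {
                    Console.WriteLine(report.VerboseMsg);
                    Console.WriteLine(newurl);
                    vtLogin.ScanUrl(newurl);
                    //todo: move sleep integer to db
                    Thread.Sleep(120000);
                    icount++;
                    report = vtLogin.GetUrlReport(newurl);
                    if (report != null && report.VerboseMsg == sScanFinished)
                    {
                        Console.WriteLine(report.VerboseMsg);
                        Console.WriteLine(newurl);
                        sVTURLreturn.Add(report);
                    }
                }
            }
            return sVTURLreturn.Any() ? sVTURLreturn : null;
        }
        catch (Exception e)
        {
            if (e.Message == sRateLimited && iAttempt < iMaxRateLimitRetries)
            {
                if (!isPaidFeed) Thread.Sleep(60000);
                continue; // retry the whole batch
            }
            Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
            return null;
        }
    }
}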
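//The load will grab configurations for what FIDO is monitoring,
//then go to each configured external system to parse any alerts.
//Finally, FIDO is configured to pause per iteration on a
//configurable timed basis.
/// <summary>
/// Form load handler that runs one polling iteration: checks that the SQLite database
/// exists, loads configuration from it, dispatches each configured detector to its
/// receiver (api, log, sql, email), then sleeps for the configured interval and
/// re-enables <c>timer1</c> for the next iteration.
/// </summary>
/// <param name="sender">Unused.</param>
/// <param name="aug">Unused.</param>
private void Fido_Load(object sender, EventArgs aug)
{
    //Disabled the current time during current iteration.
    timer1.Enabled = false;
    Hide();

    //Check to see if Fido configurations exists and if not
    //fail with prompt that configurations are not found.
    Console.Clear();
    var sAppStartupPath = Path.Combine(Application.StartupPath, "data", "fido.db");
    if (!File.Exists(sAppStartupPath))
    {
        Console.WriteLine(@"Failed to load FIDO DB.");
        // Application.Exit only requests shutdown; without the return the iteration
        // would carry on and try to load configuration from the missing database.
        Application.Exit();
        return;
    }
    Console.WriteLine(@"Loaded FIDO DB successfully.");

    //Load fido configs from database
    Object_Fido_Configs.LoadConfigFromDb("config");

    //Setup syslog (the setup call itself is still disabled)
    var server1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
    var port1 = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
    var facility1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
    var sender1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
    var layout1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
    //SysLogger.Setup(server1, port1, facility1, sender1, layout1);

    //Beginning of primary area which starts parsing of alerts.
    var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    var sDetectors = (Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty) ?? string.Empty).Split(',');
    try
    {
        Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");
        foreach (var detect in sDetectors)
        {
            // An empty list or a trailing comma yields empty entries; skip them.
            if (string.IsNullOrWhiteSpace(detect))
            {
                continue;
            }
            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
            //Get the detector, ie, email, log, web service, etc.
            var sDetectorType = parseConfigs.DetectorType;
            switch (sDetectorType)
            {
                case "api":
                    Console.WriteLine(@"Loading webservice receiver.");
                    Recieve_API.DirectToEngine(sDetectorType, detect);
                    break;
                case "log":
                    Console.WriteLine(@"Loaded log receiver.");
                    var sDefaultServer = parseConfigs.Server;
                    var sDefaultFile = parseConfigs.File;
                    var sVendor = parseConfigs.Vendor;
                    Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                    break;
                case "sql":
                    Console.WriteLine(@"Loaded sql receiver.");
                    Receive_SQL.DirectToEngine(sDetectorType, detect);
                    break;
                case "email":
                    Console.WriteLine(@"Loaded email receiver.");
                    var sEmailVendor = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                    var sDetectorsEmail = parseConfigs.EmailFrom;
                    var sDetectorsFolder = parseConfigs.Folder;
                    Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                    break;
                default:
                    // A misconfigured detector type was silently ignored before; say so.
                    Console.WriteLine(@"Unknown detector type '" + sDetectorType + @"' for detector '" + detect + @"'; skipping.");
                    break;
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
    }

    //Sleep for X # of seconds per iteration specified in Fido configuration
    Application.DoEvents();
    // Thread.Sleep takes milliseconds, so the configured value is in ms and the message
    // divides by 1000. NOTE(review): with the default of 5 this prints "0 seconds".
    var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);
    Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
    // A negative config value would make Thread.Sleep throw; clamp it.
    Thread.Sleep(Math.Max(0, iSleep));
    timer1.Enabled = true;
}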
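//ReadEmail is the handler for email based detectors. It is designed
//to retrieve email from a configured email service and parse the alerts
/// <summary>
/// Entry point for email based detectors. Dispatches on <paramref name="sVendor"/>;
/// only the IMAP backend is implemented (Outlook and Exchange are placeholders).
/// For IMAP it logs in with the configured mailbox credentials, searches the selected
/// folder for messages from each detector address, runs ScanEmail on each and moves
/// the message to the "Processed" folder.
/// </summary>
/// <param name="sVendor">Mail backend: "outlook", "exchange" or "imap" (case-insensitive).</param>
/// <param name="sFolderName">Folder to read in production runs; also passed to ScanEmail.</param>
/// <param name="sFolderNameTest">Folder to read when <paramref name="isParamTest"/> is true.</param>
/// <param name="sDetectorEmail">Comma-separated sender addresses whose messages are alerts.</param>
/// <param name="isParamTest">True to read the test folder and run ScanEmail in test mode.</param>
public static void ReadEmail(string sVendor, string sFolderName, string sFolderNameTest, string sDetectorEmail, bool isParamTest)
{
    switch ((sVendor ?? string.Empty).ToLowerInvariant())
    {
        //Outlook based email plugin which requires the Outlook client to be installed.
        case "outlook":
            #region Microsoft Outlook Plugin
            // Not implemented. The former Outlook interop sketch (MAPI logon, walk the
            // folder, scan_email per item, delete after processing) was entirely
            // commented out and has been removed.
            #endregion
            break;
        case "exchange":
            #region Microsoft Exchange Plugin
            //still need to build out direct Exchange access
            #endregion
            break;
        //IMAP based email plugin which has been verified to work with Gmail
        case "imap":
            #region IMAP Plugin
            try
            {
                ReadImapAlerts(sFolderName, sFolderNameTest, sDetectorEmail, isParamTest);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in IMAP emailreceive area:" + e);
            }
            Console.WriteLine(@"Finished processing email alerts.");
            #endregion
            break;
    }
}

/// <summary>
/// IMAP half of ReadEmail: logs in, collects up to 50 message UIDs from the configured
/// detector senders, scans each message and files it under "Processed".
/// </summary>
/// <param name="sFolderName">Production folder; also the folder name handed to ScanEmail.</param>
/// <param name="sFolderNameTest">Folder used when <paramref name="isParamTest"/> is true.</param>
/// <param name="sDetectorEmail">Comma-separated sender addresses to search for.</param>
/// <param name="isParamTest">Selects the test folder and the ScanEmail test mode.</param>
private static void ReadImapAlerts(string sFolderName, string sFolderNameTest, string sDetectorEmail, bool isParamTest)
{
    //get encrypted password and decrypt
    //then login
    var sfidoemail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var sfidopwd = Object_Fido_Configs.GetAsString("fido.email.fidopwd", null);
    var sfidoacek = Object_Fido_Configs.GetAsString("fido.email.fidoacek", null);
    var sImapServer = Object_Fido_Configs.GetAsString("fido.email.imapserver", null);
    var iImapPort = Object_Fido_Configs.GetAsInt("fido.email.imapport", 0);
    // NOTE(review): the key-encrypting-key is itself unwrapped with the constant "1", so
    // anyone who can read the config can recover the mailbox password; this obscures
    // the password rather than protecting it.
    sfidoacek = Aes_Crypto.DecryptStringAES(sfidoacek, "1");
    sfidopwd = Aes_Crypto.DecryptStringAES(sfidopwd, sfidoacek);
    // NOTE(review): the client is never disposed here — confirm whether IImapClient is
    // IDisposable and wrap it in a using if so.
    IImapClient gLogin = new ImapClient(sImapServer, iImapPort, sfidoemail, sfidopwd, AuthMethod.Login, true);
    gLogin.DefaultMailbox = isParamTest ? sFolderNameTest : sFolderName;

    //seperate out list of email addresses handed to emailreceive
    //then run query based on each email from the specified folder
    //and finally convert to array
    var aryInboxSearch = (sDetectorEmail ?? string.Empty).Split(new[] { "," }, StringSplitOptions.RemoveEmptyEntries);
    var listUids = new List<uint>();
    foreach (var search in aryInboxSearch)
    {
        listUids.AddRange(gLogin.Search(SearchCondition.From(search.Trim())));
    }

    // Only the first 50 matches are handled per iteration, as before.
    var uids = listUids.Take(50).ToArray();
    if (uids.Length == 0)
    {
        return;
    }
    var mailMessages = gLogin.GetMessages(uids).ToArray();
    // assumes GetMessages returns one message per uid in the same order — TODO confirm;
    // the bound guards against a shorter result indexing past uids.
    var iCount = Math.Min(uids.Length, mailMessages.Length);
    for (var i = 0; i < iCount; i++)
    {
        var sSubject = mailMessages[i].Subject;
        var sMessageBody = mailMessages[i].Body;
        var sERet = ScanEmail(sSubject, sMessageBody, sFolderName, isParamTest);
        Console.WriteLine(sERet == "Test Email"
            ? @"Test email found, putting in processed folder."
            : @"Finished processing email alert, puttig in processed folder.");
        // Both outcomes end in Processed so the alert is not re-read next iteration.
        gLogin.MoveMessage(uids[i], "Processed");
    }
}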
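/// <summary>
/// Looks up a user in Active Directory by sAMAccountName and returns their directory
/// attributes together with the manager details resolved through Getmanagerinfo.
/// </summary>
/// <param name="sUserId">
/// sAMAccountName to search for. It is escaped per RFC 4515 before being placed in the
/// LDAP filter so that filter metacharacters in the value cannot alter the query.
/// </param>
/// <returns>
/// A <see cref="UserReturnValues"/> whose fields default to empty strings when the user
/// or an attribute is not found; null when an exception occurred (it is reported through
/// Fido_EventHandler.SendEmail).
/// </returns>
public static UserReturnValues Getuserinfo(string sUserId)
{
    try
    {
        var lUserInfo = new UserReturnValues
        {
            UserEmail = string.Empty,
            UserID = string.Empty,
            Username = string.Empty,
            Department = string.Empty,
            Title = string.Empty,
            EmployeeType = string.Empty,
            CubeLocation = string.Empty,
            City = string.Empty,
            State = string.Empty,
            StreetAddress = string.Empty,
            MobileNumber = string.Empty,
            ManagerID = string.Empty,
            ManagerMail = string.Empty,
            ManagerMobile = string.Empty,
            ManagerTitle = string.Empty,
            ManagerName = string.Empty
        };
        // An empty id would produce "(sAMAccountName=)", which cannot match a user.
        if (string.IsNullOrEmpty(sUserId))
        {
            return lUserInfo;
        }

        var domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
        var user = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
        // NOTE(review): the bind password is read from config as stored (no unwrapping
        // step like the one applied to the mailbox password).
        var pwd = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);
        // The caller-supplied id is escaped: an unescaped "*", "(", ")" or "\" in it
        // would let the value widen or break the filter (LDAP injection).
        var sFilter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + EscapeLdapFilterValue(sUserId) + "))";

        // DirectoryEntry, DirectorySearcher and SearchResultCollection are IDisposable;
        // the original never released them.
        using (var searchRoot = new DirectoryEntry(domainPath, user, pwd))
        using (var search = new DirectorySearcher(searchRoot) { Filter = sFilter })
        {
            foreach (var sAttribute in new[] { "samaccountname", "mail", "displayname", "department", "title", "employeeType", "manager", "info", "l", "st", "streetAddress", "mobile" })
            {
                search.PropertiesToLoad.Add(sAttribute);
            }

            using (var resultCol = search.FindAll())
            {
                // The original test (`!resultCol.PropertiesLoaded.Any() && resultCol == null`)
                // dereferenced the collection before checking it for null.
                if (resultCol == null || resultCol.Count == 0)
                {
                    return lUserInfo;
                }

                for (var counter = 0; counter < resultCol.Count; counter++)
                {
                    var props = resultCol[counter].Properties;
                    if (!props.Contains("samaccountname") || !props.Contains("mail") || !props.Contains("displayname"))
                    {
                        continue;
                    }
                    // First value of an attribute as a string, or "" when absent or not a string.
                    Func<string, string> first = sName =>
                        props.Contains(sName) && props[sName].Count > 0
                            ? (props[sName][0] as string ?? string.Empty)
                            : string.Empty;

                    lUserInfo.UserEmail = first("mail");
                    lUserInfo.UserID = first("samaccountname");
                    lUserInfo.Username = first("displayname");
                    lUserInfo.Department = first("department");
                    lUserInfo.Title = first("title");
                    lUserInfo.EmployeeType = first("employeeType");
                    // The raw "manager" attribute is stored here first; Getmanagerinfo
                    // resolves it below and overwrites ManagerName with the resolved name.
                    lUserInfo.ManagerName = first("manager");
                    lUserInfo.CubeLocation = first("info");
                    lUserInfo.City = first("l");
                    lUserInfo.State = first("st");
                    lUserInfo.StreetAddress = first("streetAddress");
                    lUserInfo.MobileNumber = first("mobile");

                    if (string.IsNullOrEmpty(lUserInfo.ManagerName))
                    {
                        continue;
                    }
                    var lManagerValues = Getmanagerinfo(lUserInfo.ManagerName);
                    if (lManagerValues == null)
                    {
                        continue;
                    }
                    // Positional contract of Getmanagerinfo as consumed here:
                    // 0 mail, 1 id, 2 name, 3 title, 4 mobile. Empty slots keep the default.
                    for (var i = 0; i < lManagerValues.Count; i++)
                    {
                        if (string.IsNullOrEmpty(lManagerValues[i]))
                        {
                            continue;
                        }
                        switch (i)
                        {
                            case 0:
                                lUserInfo.ManagerMail = lManagerValues[0];
                                break;
                            case 1:
                                lUserInfo.ManagerID = lManagerValues[1];
                                break;
                            case 2:
                                lUserInfo.ManagerName = lManagerValues[2];
                                break;
                            case 3:
                                lUserInfo.ManagerTitle = lManagerValues[3];
                                break;
                            case 4:
                                lUserInfo.ManagerMobile = lManagerValues[4];
                                break;
                        }
                    }
                }
                return lUserInfo;
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Active Directory grab user info area:" + e);
    }
    return null;
}

/// <summary>
/// Escapes a value for use inside an LDAP search filter (RFC 4515): backslash, asterisk,
/// parentheses and NUL are replaced by their \xx hex escapes.
/// </summary>
/// <param name="sValue">Raw attribute value; null is treated as empty.</param>
/// <returns>The escaped value, safe to embed between "=" and ")" in a filter.</returns>
private static string EscapeLdapFilterValue(string sValue)
{
    if (string.IsNullOrEmpty(sValue))
    {
        return string.Empty;
    }
    // Backslash first so the escapes added afterwards are not escaped again.
    return sValue
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
}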
//The load will grab configurations for what FIDO is monitoring,
//then go to each configured external system to parse any alerts.
//Finally, FIDO is configured to pause per iteration on a
//configurable timed basis.
/// <summary>
/// Form load handler for one polling iteration: loads configuration, dispatches each
/// configured detector to its receiver (api, log, sql, email), then sleeps for the
/// configured interval and re-enables <c>timer1</c>.
/// NOTE(review): <c>isParamTest</c> and <c>detectors</c> are not declared in this method,
/// so they must be members of the form; and the detector list is taken from
/// <c>sysLogParams[detectors]</c>, i.e. from the value GetSysLogParams returned — confirm
/// that this really is the detector list and not the syslog settings.
/// </summary>
/// <param name="sender">Unused.</param>
/// <param name="aug">Unused.</param>
private void Fido_Load(object sender, EventArgs aug)
{
    // presumably stops timer1 for the duration of this iteration — confirm
    DisableCurrentTime();
    // presumably checks for data\fido.db — confirm that it does not fall through when the file is missing
    CheckIfFidoConfigurationExists();
    //Load fido configs from database
    Object_Fido_Configs.LoadConfigFromDb("config");
    var sysLogParams = GetSysLogParams();
    try
    {
        Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");
        foreach (var detect in sysLogParams[detectors])
        {
            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
            //Get the detector, ie, email, log, web service, etc.
            var sDetectorType = parseConfigs.DetectorType;
            switch (sDetectorType)
            {
                case "api":
                    Console.WriteLine(@"Loading webservice receiver.");
                    Recieve_API.DirectToEngine(sDetectorType, detect);
                    break;
                case "log":
                    Console.WriteLine(@"Loaded log receiver.");
                    var sDefaultServer = parseConfigs.Server;
                    var sDefaultFile = parseConfigs.File;
                    var sVendor = parseConfigs.Vendor;
                    Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                    break;
                case "sql":
                    Console.WriteLine(@"Loaded sql receiver.");
                    Receive_SQL.DirectToEngine(sDetectorType, detect);
                    break;
                case "email":
                    Console.WriteLine(@"Loaded email receiver.");
                    var sEmailVendor = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                    var sDetectorsEmail = parseConfigs.EmailFrom;
                    var sDetectorsFolder = parseConfigs.Folder;
                    Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                    break;
                // an unrecognised detector type is silently skipped
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
    }
    //Sleep for X # of seconds per iteration specified in Fido configuration
    Application.DoEvents();
    // Thread.Sleep takes milliseconds, so the configured value is in ms and the message
    // divides by 1000 — with the default of 5 this prints "0 seconds".
    var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);
    Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
    Thread.Sleep(iSleep);
    timer1.Enabled = true;
}