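/// <summary>
/// Tallies the VirusTotal URL-report detections attached to an alert.
/// </summary>
/// <param name="virusTotalReturnValues">
/// Container whose <c>URLReturn</c> list holds the per-URL VirusTotal reports; a null
/// container or list is treated as "no reports".
/// </param>
/// <returns>
/// A two-element array: [0] the sum of <c>Positives</c> over every report with at least one
/// positive, [1] the number of individual scanner verdicts whose <c>Result</c> text contains
/// "malicious site" (matched case-insensitively). Both are 0 when nothing was reported.
/// </returns>
private static int[] VirusTotalPosReturnURL(VirusTotalReturnValues virusTotalReturnValues)
{
    var positiveTotal = 0;
    var maliciousSiteVerdicts = 0;

    // A missing report list means "nothing to count", not an error; the original
    // dereferenced it unconditionally.
    var urlReports = virusTotalReturnValues == null ? null : virusTotalReturnValues.URLReturn;
    if (urlReports == null)
    {
        return new[] { positiveTotal, maliciousSiteVerdicts };
    }

    foreach (var report in urlReports.Where(r => r != null && r.Positives > 0))
    {
        positiveTotal += report.Positives;

        if (report.Scans == null)
        {
            continue;
        }

        // Ordinal, case-insensitive match. The original ToLower()+Contains() was
        // culture-sensitive (e.g. under a Turkish locale "I" does not lower-case to "i"),
        // so the phrase could be missed depending on the host's culture settings.
        maliciousSiteVerdicts += report.Scans.Count(scan =>
            scan != null
            && scan.Result != null
            && scan.Result.IndexOf("malicious site", StringComparison.OrdinalIgnoreCase) >= 0);
    }

    return new[] { positiveTotal, maliciousSiteVerdicts };
}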
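/// <summary>
/// Scores the VirusTotal IP reports attached to an alert. Each detected URL, communicating
/// sample and downloaded sample contributes its <c>Positives</c> count multiplied by a weight
/// that shrinks as the count grows (see <see cref="WeightPositives"/>); entries flagged by
/// fewer than three engines are ignored.
/// </summary>
/// <param name="virusTotalReturnValues">
/// Container whose <c>IPReturn</c> list holds the per-IP VirusTotal reports; a null
/// container or list yields all-zero scores.
/// </param>
/// <returns>
/// Three scores, in this order: [0] communicating samples, [1] downloaded samples,
/// [2] detected URLs.
/// </returns>
private static List<double> VirusTotalPosIPReturn(VirusTotalReturnValues virusTotalReturnValues)
{
    double detectedUrlScore = 0;
    double detectedDownloadScore = 0;
    double detectedCommsScore = 0;

    // The original foreach'd over IPReturn without a null check; treat "no report" as zero.
    var ipReports = virusTotalReturnValues == null ? null : virusTotalReturnValues.IPReturn;
    if (ipReports == null)
    {
        return new List<double> { detectedCommsScore, detectedDownloadScore, detectedUrlScore };
    }

    foreach (var report in ipReports)
    {
        if (report == null)
        {
            continue;
        }

        if (report.DetectedUrls != null)
        {
            foreach (var url in report.DetectedUrls)
            {
                if (url == null)
                {
                    continue;
                }
                // URLs: ignore < 3, 3-4 -> x0.75, 5-19 -> x0.6, 20+ -> x0.5
                detectedUrlScore += WeightPositives(url.Positives, 3, 5, .5, .6, .75);
            }
        }

        if (report.DetectedCommunicatingSamples != null)
        {
            foreach (var sample in report.DetectedCommunicatingSamples)
            {
                if (sample == null)
                {
                    continue;
                }
                // Communicating samples: ignore < 3, 3-9 -> x1, 10-19 -> x0.75, 20+ -> x0.65
                detectedCommsScore += WeightPositives(sample.Positives, 3, 10, .65, .75, 1);
            }
        }

        if (report.DetectedDownloadedSamples != null)
        {
            foreach (var sample in report.DetectedDownloadedSamples)
            {
                if (sample == null)
                {
                    continue;
                }
                // Downloaded samples: ignore < 3, 3-9 -> x0.75, 10-19 -> x0.65, 20+ -> x0.5
                detectedDownloadScore += WeightPositives(sample.Positives, 3, 10, .5, .65, .75);
            }
        }
    }

    // Order matters: callers index this list positionally.
    return new List<double> { detectedCommsScore, detectedDownloadScore, detectedUrlScore };
}

/// <summary>
/// Weights a single detection count by how many engines flagged it. Counts below
/// <paramref name="minimumPositives"/> contribute nothing; above that the per-engine weight
/// steps down at <paramref name="midThreshold"/> and again at 20 engines, so a single
/// widely-flagged entry does not dominate the score.
/// </summary>
/// <param name="positives">Number of engines that flagged the entry.</param>
/// <param name="minimumPositives">Counts below this return 0.</param>
/// <param name="midThreshold">Counts at or above this (and below 20) use <paramref name="midWeight"/>.</param>
/// <param name="highWeight">Per-engine weight for counts of 20 or more.</param>
/// <param name="midWeight">Per-engine weight for counts in [midThreshold, 20).</param>
/// <param name="lowWeight">Per-engine weight for counts in [minimumPositives, midThreshold).</param>
/// <returns><paramref name="positives"/> times the applicable weight, or 0.</returns>
//todo: the thresholds and weights are still hard-coded at the call sites; move them to database configuration.
private static double WeightPositives(double positives, double minimumPositives, double midThreshold,
    double highWeight, double midWeight, double lowWeight)
{
    const double HighThreshold = 20;

    if (positives < minimumPositives)
    {
        return 0;
    }
    if (positives >= HighThreshold)
    {
        return positives * highWeight;
    }
    if (positives >= midThreshold)
    {
        return positives * midWeight;
    }
    return positives * lowWeight;
}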
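//todo: is this still necessary? should we handle this in the bit9 module?
/// <summary>
/// Looks the FireEye alert's MD5 up in Bit9 and, when Bit9 knows the file, stores the
/// returned file info on <c>lFidoReturnValues.Bit9.Bit9Hashes</c>. This method does not
/// contact VirusTotal; the old comment saying it "passes hash info on there too" described
/// an unused local that has been removed.
/// </summary>
/// <param name="lFidoReturnValues">Alert state; <c>FireEye.MD5Hash</c> is the lookup key.</param>
/// <returns>
/// The same instance, with <c>Bit9.Bit9Hashes</c> set when Bit9 returned at least one entry;
/// otherwise unchanged. A null argument is returned as-is.
/// </returns>
private static FidoReturnValues FireEyeHashToBit9(FidoReturnValues lFidoReturnValues)
{
    // Nothing to look up without a FireEye hash; the original dereferenced FireEye unconditionally.
    if (lFidoReturnValues == null
        || lFidoReturnValues.FireEye == null
        || string.IsNullOrEmpty(lFidoReturnValues.FireEye.MD5Hash))
    {
        return lFidoReturnValues;
    }

    // NOTE(review): MD5 is collision-prone, so a hash match alone is a weak identity for a
    // sample; treat a Bit9 hit as corroboration to confirm, not proof that the same file ran.
    List<string> bit9FileInfo = Detect_Bit9.GetFileInfo(lFidoReturnValues.FireEye.MD5Hash, null);

    // Treat a null result the same as an empty one (the original read .Count on it unconditionally).
    if (bit9FileInfo == null || bit9FileInfo.Count == 0)
    {
        return lFidoReturnValues;
    }

    if (lFidoReturnValues.Bit9 == null)
    {
        lFidoReturnValues.Bit9 = new Bit9ReturnValues();
    }
    lFidoReturnValues.Bit9.Bit9Hashes = bit9FileInfo.ToArray();

    return lFidoReturnValues;
}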