public IEnumerable <(IcsMitreTechnique, IcsMitreTactic, string, string, string)> ParseCotpEvent(KeyValuePair <NoticeDataLine, IEnumerable <DataLine> > noticeLine) { if (!noticeLine.Value.Any()) { return(null); } var isoCotpLine = noticeLine.Value.Where(line => line is IsoCotpDataLine).FirstOrDefault(); if (!(isoCotpLine is IsoCotpDataLine isoCotpDataLine)) { return(null); } // ISO-COTP is the wrapper protocol for S7Comm data. Of all possible ISO-COTP // PDU types, only Data is interesting, and should be parsed by the S7Comm parser switch (isoCotpDataLine.PDUType) { case "Data": return(_s7CommParser.ParseS7CommEvent(noticeLine)); case "Connect Request": case "Connect Confirm": default: break; } return(null); }
public IEnumerable <(IcsMitreTechnique, IcsMitreTactic, string, string, string)> ParseNotices(IDictionary <NoticeDataLine, IEnumerable <DataLine> > noticeDictionary, IEnumerable <DataLine> filesDataLines) { var results = new List <(IcsMitreTechnique, IcsMitreTactic, string, string, string)>(); // Loops through the notices and their corresponding DataLine objects, // adding any results to the list foreach (var noticeLine in noticeDictionary) { switch (noticeLine.Key.NoticeType) { case "CommonPorts::Common_Port": { if (_commonPortParser.ParseCommonPort(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> commonPortResult) { results.Add(commonPortResult); } break; } case "DNS_TUNNELS::OversizedQuery": { if (_tunnelingParser.ParseDnsTunnel(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> dnsTunnelResult) { results.Add(dnsTunnelResult); } break; } case "DNSSpoof::DNSCachePoisoning": break; case "Scan::Port_Scan": case "Scan::Address_Scan": { var scanDetectionResult = ScanDetectionParser.ParsePortScanSummary(noticeLine); results.Add(scanDetectionResult); break; } case "HTTP_USER_AGENT::MicroBrowser": { if (_microBrowserParser.ParseHttpEvent(noticeLine, filesDataLines) is IEnumerable <ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> > httpResult) { foreach (var result in httpResult) { results.Add(result); } } break; } case "ModbusLogging::ModbusEvent": { if (_modbusParser.ParseModbusEvent(noticeLine) is IEnumerable <ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> > modbusResult) { foreach (var result in modbusResult) { results.Add(result); } } break; } case "SMB_LOGGING::SMB1Command": { if (_smbParser.ParseSmb1Event(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> smb1Result) { results.Add(smb1Result); } break; } case "SMB_LOGGING::SMB2Command": { if (_smbParser.ParseSmb2Event(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> smb2Result) { results.Add(smb2Result); } break; } case "RDPDetection::RDPSuccess": case "RDPDetectuib::RDPFailure": { if (_rdpParser.ParseRDPEvent(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> rdpResult) { results.Add(rdpResult); } break; } case "SecureShell::SshSuccess": case "SecureShell::SshFailure": { if (_sshParser.ParseSSHEvent(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> sshResult) { results.Add(sshResult); } break; } case "VNC::VNCSuccess": case "VNC::VNCFailure": { if (_vncParser.ParseVNCEvent(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> vncResult) { results.Add(vncResult); } break; } case "TelnetShell::LoginSuccess": case "TelnetShell::LoginFailure": { if (_telnetParser.ParseTelnetEvent(noticeLine) is ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> telnetResult) { results.Add(telnetResult); } break; } case "S7CommLogging::IsoCotp": { if (_isoCotpParser.ParseCotpEvent(noticeLine) is IEnumerable <ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> > isoCotpResult) { foreach (var result in isoCotpResult) { results.Add(result); } } break; } case "S7CommLogging::S7CommData": { if (_s7CommParser.ParseS7CommEvent(noticeLine) is IEnumerable <ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> > s7CommResult) { foreach (var result in s7CommResult) { results.Add(result); } } break; } case "PortableExecutables::FtpPE": { if (_ftpParser.ParsePEEvent(noticeLine) is IEnumerable <ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> > ftpResult) { foreach (var result in ftpResult) { results.Add(result); } } break; } case "PortableExecutables::NonFtpPE": { if (_filesParser.ParsePEEvent(noticeLine) is IEnumerable <ValueTuple <IcsMitreTechnique, IcsMitreTactic, string, string, string> > filesResult) { foreach (var result in filesResult) { results.Add(result); } } break; } case "ARPSPOOF::Unsolicited_Reply": { var arpSpoofResult = ArpSpoofParser.ParseUnsolicitedReply(noticeLine); results.Add(arpSpoofResult); break; } default: break; } } return(results.Any() ? results : null); }