//This function will grab the API information and build a query string. //Then it will assign the json return to an object. If any of the objects //have a value they will be sent to ParseCyphort helper function. //public static void GetCyphortAlerts() //{ // Console.WriteLine(@"Running Cyphort v2 detector."); // //currently needed to bypass site without a valid cert. // //todo: make ssl bypass configurable // ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; // ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; // var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv2"); // var request = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey; // var alertRequest = (HttpWebRequest)WebRequest.Create(request); // alertRequest.Method = "GET"; // try // { // using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse) // { // if (cyphortResponse != null && cyphortResponse.StatusCode == HttpStatusCode.OK) // { // using (var respStream = cyphortResponse.GetResponseStream()) // { // if (respStream == null) return; // var cyphortReader = new StreamReader(respStream, Encoding.UTF8); // var stringreturn = cyphortReader.ReadToEnd(); // var cyphortReturn = JsonConvert.DeserializeObject<CyphortClass>(stringreturn); // if (cyphortReturn.correlations_array.Any() | cyphortReturn.infections_array.Any() | cyphortReturn.downloads_array.Any()) // { // ParseCyphort(cyphortReturn); // } // var responseStream = cyphortResponse.GetResponseStream(); // if (responseStream != null) responseStream.Dispose(); // cyphortResponse.Close(); // Console.WriteLine(@"Finished processing Cyphort detector."); // } // } // } // } // catch (Exception e) // { // Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector getting json:" + e); // } //} //Helper function to assign important values to FidoReturnValues objects and then //handoff to TheDirector for FIDO processing. private static void ParseCyphort(CyphortClass cyphortReturn) { try { if (cyphortReturn.correlations_array != null && cyphortReturn.correlations_array.Any()) { cyphortReturn.correlations_array = cyphortReturn.correlations_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.correlations_array.Count(); i++) { Console.WriteLine(@"Processing correlation alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.correlations_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.correlations_array[i][4].Contains(":")) { continue; } lFidoReturnValues.SrcIP = cyphortReturn.correlations_array[i][4]; lFidoReturnValues.MalwareType = cyphortReturn.correlations_array[i][19] + " and download"; lFidoReturnValues.DstIP = cyphortReturn.correlations_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.correlations_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.correlations_array[i][1]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List <string> { cyphortReturn.correlations_array[i][12] }; lFidoReturnValues.Url = new List <string> { cyphortReturn.correlations_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List <string> { cyphortReturn.correlations_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List <string> { cyphortReturn.correlations_array[i][7] }; lFidoReturnValues.Hash = new List <string> { cyphortReturn.correlations_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; //Using the Hostname/SrcIP, check the FidoDB to see if any previous alerts were generated lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); //If previous alerts were generated then run PreviousAlert to compare the AlertID of the newly generated //alert versus previous alerts. if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues); } //If the type of alert is a test alert then exit, or if the alert is has already been processed if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } if (cyphortReturn.downloads_array != null && cyphortReturn.downloads_array.Any()) { cyphortReturn.downloads_array = cyphortReturn.downloads_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.downloads_array.Count(); i++) { Console.WriteLine(@"Processing download alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.downloads_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.downloads_array[i][4].Contains(":")) { continue; } lFidoReturnValues.SrcIP = cyphortReturn.downloads_array[i][4]; lFidoReturnValues.MalwareType = cyphortReturn.downloads_array[i][20] + " download detected"; lFidoReturnValues.DstIP = cyphortReturn.downloads_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.downloads_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.downloads_array[i][0]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List <string> { cyphortReturn.downloads_array[i][12] }; lFidoReturnValues.Url = new List <string> { cyphortReturn.downloads_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List <string> { cyphortReturn.downloads_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List <string> { cyphortReturn.downloads_array[i][7] }; lFidoReturnValues.Hash = new List <string> { cyphortReturn.downloads_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } if (cyphortReturn.infections_array != null && cyphortReturn.infections_array.Any()) { cyphortReturn.infections_array = cyphortReturn.infections_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.infections_array.Count(); i++) { Console.WriteLine(@"Processing infection alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.infections_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.infections_array[i][4].Contains(":")) { continue; } lFidoReturnValues.SrcIP = cyphortReturn.infections_array[i][4]; lFidoReturnValues.MalwareType = "C&C external communication detected"; lFidoReturnValues.DstIP = cyphortReturn.infections_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.infections_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.infections_array[i][1]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List <string> { cyphortReturn.infections_array[i][12] }; lFidoReturnValues.Url = new List <string> { cyphortReturn.infections_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List <string> { cyphortReturn.infections_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List <string> { cyphortReturn.infections_array[i][7] }; lFidoReturnValues.Hash = new List <string> { cyphortReturn.infections_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) { continue; } //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector parse:" + e); } }
//Helper function to assign important values to FidoReturnValues objects and then //handoff to TheDirector for FIDO processing. private static void ParseCyphort(CyphortClass cyphortReturn) { try { if (cyphortReturn.correlations_array != null && cyphortReturn.correlations_array.Any()) { cyphortReturn.correlations_array = cyphortReturn.correlations_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.correlations_array.Count(); i++) { Console.WriteLine(@"Processing correlation alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.correlations_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.correlations_array[i][4].Contains(":")) continue; lFidoReturnValues.SrcIP = cyphortReturn.correlations_array[i][4]; lFidoReturnValues.MalwareType = cyphortReturn.correlations_array[i][19] + " and download"; lFidoReturnValues.DstIP = cyphortReturn.correlations_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.correlations_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.correlations_array[i][1]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List<string> { cyphortReturn.correlations_array[i][12] }; lFidoReturnValues.Url = new List<string> { cyphortReturn.correlations_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List<string> { cyphortReturn.correlations_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List<string> { cyphortReturn.correlations_array[i][7] }; lFidoReturnValues.Hash = new List<string> { cyphortReturn.correlations_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; //Using the Hostname/SrcIP, check the FidoDB to see if any previous alerts were generated lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); //If previous alerts were generated then run PreviousAlert to compare the AlertID of the newly generated //alert versus previous alerts. if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues); } //If the type of alert is a test alert then exit, or if the alert is has already been processed if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) continue; //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } if (cyphortReturn.downloads_array != null && cyphortReturn.downloads_array.Any()) { cyphortReturn.downloads_array = cyphortReturn.downloads_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.downloads_array.Count(); i++) { Console.WriteLine(@"Processing download alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.downloads_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.downloads_array[i][4].Contains(":")) continue; lFidoReturnValues.SrcIP = cyphortReturn.downloads_array[i][4]; lFidoReturnValues.MalwareType = cyphortReturn.downloads_array[i][20] + " download detected"; lFidoReturnValues.DstIP = cyphortReturn.downloads_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.downloads_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.downloads_array[i][0]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List<string> {cyphortReturn.downloads_array[i][12]}; lFidoReturnValues.Url = new List<string> {cyphortReturn.downloads_array[i][12]}; lFidoReturnValues.Cyphort.Domain = new List<string> { cyphortReturn.downloads_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List<string> { cyphortReturn.downloads_array[i][7] }; lFidoReturnValues.Hash = new List<string> { cyphortReturn.downloads_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) continue; //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } if (cyphortReturn.infections_array != null && cyphortReturn.infections_array.Any()) { cyphortReturn.infections_array = cyphortReturn.infections_array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.infections_array.Count(); i++) { Console.WriteLine(@"Processing infection alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.infections_array.Count().ToString(CultureInfo.InvariantCulture) + @"."); var lFidoReturnValues = new FidoReturnValues(); var isRunDirector = false; if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } if (cyphortReturn.infections_array[i][4].Contains(":")) continue; lFidoReturnValues.SrcIP = cyphortReturn.infections_array[i][4]; lFidoReturnValues.MalwareType = "C&C external communication detected"; lFidoReturnValues.DstIP = cyphortReturn.infections_array[i][16]; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.infections_array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = cyphortReturn.infections_array[i][1]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List<string> { cyphortReturn.infections_array[i][12] }; lFidoReturnValues.Url = new List<string> { cyphortReturn.infections_array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List<string> { cyphortReturn.infections_array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List<string> { cyphortReturn.infections_array[i][7] }; lFidoReturnValues.Hash = new List<string> { cyphortReturn.infections_array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues); } if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY")) continue; //todo: build better filetype versus targetted OS, then remove this. lFidoReturnValues.IsTargetOS = true; TheDirector.Direct(lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector parse:" + e); } }