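public static List<FileReport> ParseHash(string[] sMD5Hash)
{
    // Looks up every MD5 in VirusTotal and returns the file reports that came back.
    // Null/empty hashes are skipped and null reports are dropped on BOTH code paths
    // (the batch-of-4-or-more path used to add nulls and send empty strings to VT), so
    // the returned list never contains a null entry. Returns an empty list when there
    // is nothing to look up or when an exception occurred (after e-mailing the error).
    //
    // The API key is read in the clear from the config store; the commented block is the
    // placeholder for an encrypted key.
    //todo: The below is a placeholder for when this will be encrypted.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
    var vtLogin = new VirusTotal(sVTKey);
    var sVirusTotalHash = new List<FileReport>();
    var fidoDB = new SqLiteDB();
    var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
    //todo: remove all the sleeps with a configurable option of whether to sleep AND a
    //configurable integer value for the timer. Currently putting these in for the free
    //API, but need to account for someone having access to the paid API.
    try
    {
        // A null array used to throw inside the try and produce an error e-mail; treat it as empty.
        var hashes = (sMD5Hash ?? new string[0]).Where(h => !string.IsNullOrEmpty(h)).ToList();
        if (hashes.Count == 0)
        {
            return sVirusTotalHash;
        }

        if (!isPaidFeed)
        {
            Thread.Sleep(1000);
        }

        if (hashes.Count < 4)
        {
            // Small batch: issue the lookups back to back (any 204 back-off is the VT client's job).
            sVirusTotalHash.AddRange(hashes.Select(vtLogin.GetFileReport).Where(r => r != null));
        }
        else
        {
            for (var i = 0; i < hashes.Count; i++)
            {
                Console.WriteLine(@"Processing hash #" + (i + 1) + @" of " + hashes.Count + @" " + hashes[i] + @".");
                var report = vtLogin.GetFileReport(hashes[i]);
                if (report != null)
                {
                    sVirusTotalHash.Add(report);
                }
                if (!isPaidFeed)
                {
                    // Public VT API quota: space the requests out.
                    Console.WriteLine(@"Pausing 17 seconds to not overload VT.");
                    Thread.Sleep(17000);
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT Hash area:" + e);
    }
    return sVirusTotalHash;
}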
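public bool CheckFidoWhitelist(string sDstIP, List<string> sHash, string sDomain, List<string> sUrl)
{
    // Returns true if any supplied artifact (destination IP, file hash, domain or URL)
    // has a row in event_whitelist. Null/empty artifacts are ignored; a null list is
    // treated as empty.
    //
    // Security: the artifacts are alert data -- observed IPs, domains and URLs -- i.e.
    // values an attacker controls. SqLiteDB.ExecuteScalar only accepts a query string
    // here, so the value is spliced into the SQL; every value therefore goes through
    // EscapeSqlLiteral(), which doubles apostrophes (the SQLite string-literal escape).
    // Without it an artifact such as  x' OR '1'='1  would match the whitelist and
    // silently suppress the alert. Switch to a parameterised overload if SqLiteDB gains one.
    var db = new SqLiteDB();

    if (WhitelistContains(db, sDstIP))
    {
        return true;
    }
    if (sHash != null)
    {
        foreach (var hash in sHash)
        {
            if (WhitelistContains(db, hash))
            {
                return true;
            }
        }
    }
    if (WhitelistContains(db, sDomain))
    {
        return true;
    }
    if (sUrl != null)
    {
        foreach (var url in sUrl)
        {
            if (WhitelistContains(db, url))
            {
                return true;
            }
        }
    }
    return false;
}

// True when `artifact` is non-empty and event_whitelist has a row for it.
private static bool WhitelistContains(SqLiteDB db, string artifact)
{
    if (string.IsNullOrEmpty(artifact))
    {
        return false;
    }
    var hit = db.ExecuteScalar("Select * from event_whitelist where artifact = '" + EscapeSqlLiteral(artifact) + "'");
    return !string.IsNullOrEmpty(hit);
}

// Escapes a value for use inside a single-quoted SQLite string literal ('' is the only escape).
private static string EscapeSqlLiteral(string value)
{
    return value.Replace("'", "''");
}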
private static DataTable GetThreatGridTable(string query)
{
    // Runs `query` against the local SQLite store and hands back the resulting table.
    // If the query fails, an error e-mail is sent and the empty table created below is
    // returned instead, so callers never see the exception.
    // NOTE(review): `query` is executed verbatim; it must not be built from untrusted input.
    var table = new DataTable();
    var store = new SqLiteDB();
    try
    {
        table = store.GetDataTable(query);
    }
    catch (Exception ex)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + ex);
    }
    return table;
}
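private static ParseCBConfigs ParseDetectorConfigs(string detect)
{
    // Loads the Carbon Black API settings whose api_call equals `detect` and maps the
    // row(s) through CBConfigs(). On any failure an error e-mail is sent and an empty
    // ParseCBConfigs is returned.
    //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
    //
    // `detect` looks like an internal api_call name, but it is still spliced into SQL:
    // double any apostrophe (the SQLite literal escape) so the query cannot be broken out of.
    // A null `detect` queries for '' exactly as before.
    var safeDetect = (detect ?? string.Empty).Replace("'", "''");
    var query = @"SELECT * from configs_sysmgmt_carbonblack WHERE api_call = '" + safeDetect + @"'";
    var fidoSQlite = new SqLiteDB();
    var cbReturn = new ParseCBConfigs();
    try
    {
        var fidoData = fidoSQlite.GetDataTable(query);
        cbReturn = CBConfigs(fidoData);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Unable to format datatable return." + e);
    }
    return cbReturn;
}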
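// Rewrites each entry of VT's "scans" object ("engine": {"detected": ...}) into an object
// carrying the engine name, so the object can be turned into an array (see applyHack).
// Compiled once instead of on every response.
private static readonly Regex ScanEntryFixup = new Regex(
    "\"([\\w\\d -\\._]+)\": \\{\"detected\":",
    RegexOptions.Compiled | RegexOptions.CultureInvariant);

private static T GetResults<T>(RestRequest request, bool applyHack = false)
{
    // Issues `request` against the VirusTotal v2 API and deserialises the JSON body into T.
    //  - 204 No Content (public-API rate limit): sleep 30 s on the free feed and re-issue.
    //  - 403 Forbidden: throw AccessDeniedException.
    //  - body that fails to deserialise: re-issued up to Retry times, then default(T).
    // applyHack: rewrite VT's "scans" object into an array before deserialising.
    //
    // TLS is mandatory here: the API key travels with every request, and over plaintext
    // an on-path attacker could also rewrite verdicts (e.g. report malware as clean).
    _client.BaseUrl = new Uri("https://www.virustotal.com/vtapi/v2/", UriKind.Absolute);
    _client.Proxy = null;            // NOTE(review): bypasses any system proxy -- confirm this is intended
    _client.FollowRedirects = false;

    var fidoDB = new SqLiteDB();
    var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

    // Rate-limit back-off as a loop instead of recursion: the old recursive retry grew the
    // stack on every 204 and, unlike the deserialisation retry below, forced applyHack=true
    // on the retried call regardless of what the caller asked for.
    RestResponse response;
    while (true)
    {
        response = (RestResponse)_client.Execute(request);
        if (response.StatusCode != HttpStatusCode.NoContent)
        {
            break;
        }
        //todo: move integer value to db
        if (!isPaidFeed)
        {
            Thread.Sleep(30000);
        }
    }
    //throw new RateLimitException("You have reached the 5 requests pr. min. limit of VirusTotal");

    if (response.StatusCode == HttpStatusCode.Forbidden)
    {
        throw new AccessDeniedException("You don't have access to the service. Make sure your API key is working correctly.");
    }

    if (applyHack)
    {
        //Warning: Huge hack... sorry :(
        response.Content = ScanEntryFixup.Replace(response.Content, "{\"name\": \"$1\", \"detected\":");
        response.Content = response.Content.Replace("scans\": {", "scans\": [");
        response.Content = response.Content.Replace("}}", "}]");
    }

    IDeserializer deserializer = new JsonDeserializer();
    T results;
    try
    {
        results = deserializer.Deserialize<T>(response);
    }
    catch (SerializationException)
    {
        //retry request.
        // NOTE(review): _retryCounter is a static mutated without synchronisation; concurrent
        // callers would share (and corrupt) the count.
        try
        {
            _retryCounter--;
            if (_retryCounter <= 0)
            {
                _retryCounter = Retry;
                return default(T);
            }
            results = GetResults<T>(request, applyHack);
        }
        catch (SerializationException ex)
        {
            throw new Exception("Failed to deserialize request.", ex);
        }
    }
    //reset retry counter
    _retryCounter = Retry;
    return results;
}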
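private static List<UrlReport> ParseUrl(IEnumerable<string> sURL)
{
    // Fetches a VirusTotal URL report for each entry of `sURL`. Entries without an
    // http(s) scheme get "http://" prepended. A URL VT has never seen is submitted for
    // scanning and polled up to three times, two minutes apart. Returns the finished
    // reports, or null when none were obtained (or on error, after e-mailing).
    //
    // Privacy: vtLogin.ScanUrl() hands the URL to a third party. URLs carrying internal
    // hostnames, session tokens or other secrets should not be routed through here.
    //The below is a placeholder for when this will be encrypted.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
    var vtLogin = new VirusTotal(sVTKey);
    List<UrlReport> sVirusTotalUrl = null;
    var sVTURLreturn = new List<UrlReport>();
    // Materialise once; a null argument used to throw before the try (outside the catch).
    var url = sURL == null ? new List<string>() : (sURL as IList<string> ?? sURL.ToList());
    var fidoDB = new SqLiteDB();
    var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
    try
    {
        for (var i = 0; i < url.Count; i++)
        {
            if (string.IsNullOrEmpty(url[i]))
            {
                continue;   // previously a NullReferenceException -> error e-mail for the whole batch
            }
            var newurl = EnsureHttpScheme(url[i]);

            if (!isPaidFeed)
            {
                Thread.Sleep(15000);
            }
            var report = vtLogin.GetUrlReport(newurl);
            if (!isPaidFeed)
            {
                Thread.Sleep(20000);
            }

            if (report != null && report.VerboseMsg == "Scan finished, scan information embedded in this object")
            {
                Console.WriteLine(report.VerboseMsg);
                Console.WriteLine(newurl);
                sVTURLreturn.Add(report);
                continue;
            }

            // Unknown to VT: submit it and poll. Bounded at three passes (~6 min per URL).
            var icount = 1;
            while (report != null
                   && report.VerboseMsg == "The requested resource is not among the finished, queued or pending scans"
                   && icount <= 3)
            {
                Console.WriteLine(report.VerboseMsg);
                Console.WriteLine(newurl);
                vtLogin.ScanUrl(newurl);
                //todo: move sleep integer to db
                Thread.Sleep(120000);
                icount++;
                report = vtLogin.GetUrlReport(newurl);
                if (report != null && report.VerboseMsg == "Scan finished, scan information embedded in this object")
                {
                    Console.WriteLine(report.VerboseMsg);
                    Console.WriteLine(newurl);
                    sVTURLreturn.Add(report);
                }
            }
        }
        if (sVTURLreturn.Any())
        {
            sVirusTotalUrl = sVTURLreturn;
            return sVirusTotalUrl;
        }
    }
    catch (Exception e)
    {
        // NOTE(review): matched by message text. The client-side throw that produces this
        // message appears to be commented out in the VT client, so this branch may be dead;
        // when it does fire it re-runs the whole list from the start with no upper bound.
        if (e.Message == "You have reached the 5 requests pr. min. limit of VirusTotal")
        {
            if (!isPaidFeed)
            {
                Thread.Sleep(60000);
            }
            sVirusTotalUrl = ParseUrl(url);
            return sVirusTotalUrl;
        }
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
    }
    return sVirusTotalUrl;
}

// Returns `raw` unchanged if it already starts with http:// or https://, otherwise
// "http://" + raw. The previous check was Contains("http://"), which does not match
// "https://..." and so produced "http://https://..." for every TLS URL.
private static string EnsureHttpScheme(string raw)
{
    if (raw.StartsWith("http://", StringComparison.OrdinalIgnoreCase)
        || raw.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    {
        return raw;
    }
    return "http://" + raw;
}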
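internal static void LoadConfigFromDb(string table)
{
    // Replaces _dict with the key/value rows of `table`.
    //
    // A table name cannot be bound as a SQL parameter, so it is validated instead: only
    // [A-Za-z0-9_] starting with a letter or underscore is accepted. Anything else (quotes,
    // spaces, ';', '--') is rejected before it can reach the query string.
    // Duplicate keys or a null key in the table still throw from ToDictionary, as before.
    if (!IsPlainSqlIdentifier(table))
    {
        throw new ArgumentException("Invalid table name: " + table, "table");
    }
    var fidoSQLite = new SqLiteDB();
    _dict = fidoSQLite.GetDataTable("select key, value from " + table)
        .AsEnumerable()
        .ToDictionary(row => row.Field<string>(0), row => row.Field<string>(1));
}

// True for a plain SQL identifier: non-empty, [A-Za-z_] first, then [A-Za-z0-9_] only.
private static bool IsPlainSqlIdentifier(string name)
{
    if (string.IsNullOrEmpty(name))
    {
        return false;
    }
    for (var i = 0; i < name.Length; i++)
    {
        var c = name[i];
        var letterOrUnderscore = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_';
        var digitAfterFirst = i > 0 && c >= '0' && c <= '9';
        if (!letterOrUnderscore && !digitAfterFirst)
        {
            return false;
        }
    }
    return true;
}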
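private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
{
    // Turns each Carbon Black watchlist hit in `cbReturn.Results` into a FidoReturnValues
    // and hands it to TheDirector, skipping events already processed and EICAR test hits.
    // A failure on one event is e-mailed and does not stop the remaining events.
    //
    // All cbEvent.* fields (hostname, user, paths, hashes, ...) are data reported by the
    // endpoint, i.e. attacker-influenceable. This method only copies them; anything
    // downstream that puts them into SQL or HTML must parameterise/escape them.
    if (cbReturn == null || cbReturn.Results == null)
    {
        return;
    }

    var cbHost = string.Empty;
    var cbHostInt = 0;
    foreach (var cbEvent in cbReturn.Results)
    {
        Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
        try
        {
            //initialize generic variables for CB values
            var lFidoReturnValues = new FidoReturnValues();
            if (lFidoReturnValues.PreviousAlerts == null)
            {
                lFidoReturnValues.PreviousAlerts = new EventAlerts();
            }
            if (lFidoReturnValues.CB == null)
            {
                lFidoReturnValues.CB = new CarbonBlackReturnValues { Alert = new CarbonBlackAlert() };
            }
            lFidoReturnValues.CurrentDetector = "carbonblackv1";
            lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
            lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType;
            // Null-safe: either field may be absent in the feed (previously a NullReferenceException).
            if ((cbEvent.WatchlistName != null && cbEvent.WatchlistName.Contains("binary"))
                || (cbEvent.AlertType != null && cbEvent.AlertType.Contains("binary")))
            {
                lFidoReturnValues.isBinary = true;
            }

            // Map the watchlist name to a human-readable malware type; generic text otherwise.
            var dTable = new SqLiteDB();
            var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
            var cbDict = GetDict(cbData);
            foreach (var label in cbDict)
            {
                if (cbEvent.WatchlistName == label.Key)
                {
                    lFidoReturnValues.MalwareType = label.Value;
                    break;
                }
            }
            if (lFidoReturnValues.MalwareType == null)
            {
                lFidoReturnValues.MalwareType = "Malicious file detected.";
            }

            lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID;
            lFidoReturnValues.AlertID = cbEvent.UniqueID;
            var eventTimeUtc = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
            lFidoReturnValues.CB.Alert.EventTime = eventTimeUtc;
            lFidoReturnValues.TimeOccurred = eventTimeUtc;
            lFidoReturnValues.Hostname = cbEvent.Hostname;

            //todo: this was supposed to limit the total # of alerts sent from a single host,
            //however, it is poo and needs to be redone.
            // Counts consecutive events from the same host. The counter now resets when the
            // host changes (it previously only ever grew), so the cap applies per host.
            // Note that CloseCarbonBlackAlert() does not stop the event from being directed.
            if (lFidoReturnValues.Hostname != cbHost)
            {
                cbHost = lFidoReturnValues.Hostname;
                cbHostInt = 0;
            }
            else
            {
                cbHostInt++;
            }
            if (cbHostInt >= 25)
            {
                CloseCarbonBlackAlert(lFidoReturnValues);
            }

            lFidoReturnValues.Username = cbEvent.Username;
            lFidoReturnValues.Hash = new List<string> { cbEvent.MD5 };
            lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
            lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);

            // Prefer the process path; fall back to the first observed filename when there is one.
            // (The old code nested the same null check twice and indexed ObservedFilename[0] blindly.)
            if (!string.IsNullOrEmpty(cbEvent.ProcessPath))
            {
                lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;
            }
            else
            {
                var firstObserved = FirstOrNull(cbEvent.ObservedFilename);
                if (firstObserved != null)
                {
                    lFidoReturnValues.CB.Alert.ProcessPath = firstObserved;
                }
            }

            if (cbEvent.ObservedHosts != null
                && (cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null))
            {
                lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
            }
            else
            {
                lFidoReturnValues.CB.Alert.HostCount = "0";
            }
            if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null))
            {
                lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
            }
            else
            {
                lFidoReturnValues.CB.Alert.NetConn = "0";
            }

            // NetworkAdapters is treated as a '|' / ',' delimited string and its first token
            // taken as the source IP -- assumed format, confirm against GetCarbonBlackHost.
            if (lFidoReturnValues.CB.Inventory != null
                && !string.IsNullOrEmpty(lFidoReturnValues.CB.Inventory.NetworkAdapters))
            {
                var sFilter = new[] { "|", "," };
                var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter, StringSplitOptions.RemoveEmptyEntries);
                if (sIP.Length > 0)
                {
                    lFidoReturnValues.SrcIP = sIP[0];
                }
            }

            var isRunDirector = false;
            //Check to see if ID has been processed before
            lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
            if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
            {
                isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
            }
            if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
            {
                continue;
            }
            //todo: build better filetype versus targetted OS, then remove this.
            lFidoReturnValues.IsTargetOS = true;
            TheDirector.Direct(lFidoReturnValues);
            //CloseCarbonBlackAlert(lFidoReturnValues);
        }
        catch (Exception e)
        {
            Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
        }
    }
}

// First element of a possibly-null sequence, or null when there is none.
// Avoids indexing [0] on an empty or missing ObservedFilename list.
private static string FirstOrNull(IEnumerable<string> items)
{
    if (items == null)
    {
        return null;
    }
    foreach (var item in items)
    {
        return item;
    }
    return null;
}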