public static Dictionary<string, string> PaloAltoBadGuyReturn(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary<string, string> replacements)
{
    // Tally the VirusTotal results attached to the Palo Alto event. Any hash, URL or
    // IP-related sample with at least one positive detection is counted as "bad" and
    // its permalink is kept so the notification can link straight to the report.
    var vt = lFidoReturnValues.PaloAlto.VirusTotal;
    if (vt != null)
    {
        if (vt.MD5HashReturn != null)
        {
            for (var i = 0; i < vt.MD5HashReturn.Count(); i++)
            {
                if (vt.MD5HashReturn[i].Positives > 0)
                {
                    lFidoReturnValues.BadHashs += 1;
                    md5Hashes.lBadMD5Hashes.Add(vt.MD5HashReturn[i].Permalink);
                }
                else
                {
                    md5Hashes.lGoodMD5Hashes.Add(vt.MD5HashReturn[i].Permalink);
                }
            }
        }

        if (vt.URLReturn != null)
        {
            for (var i = 0; i < vt.URLReturn.Count(); i++)
            {
                if (vt.URLReturn[i].Positives > 0)
                {
                    lFidoReturnValues.BadUrLs += 1;
                    urls.lBadURLs.Add(vt.URLReturn[i].Permalink);
                }
                else
                {
                    urls.lGoodURLs.Add(vt.URLReturn[i].Permalink);
                }
            }
        }

        // Only the first IP report is used; guard against an empty list, not just null,
        // because the element is indexed directly below.
        if (vt.IPReturn != null && vt.IPReturn.Any())
        {
            var ip = vt.IPReturn[0];
            if (ip.DetectedCommunicatingSamples != null)
            {
                for (var i = 0; i < ip.DetectedCommunicatingSamples.Count(); i++)
                {
                    if (ip.DetectedCommunicatingSamples[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedComms += 1;
                    }
                }
            }

            if (ip.DetectedDownloadedSamples != null)
            {
                for (var i = 0; i < ip.DetectedDownloadedSamples.Count(); i++)
                {
                    if (ip.DetectedDownloadedSamples[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedDownloads += 1;
                    }
                }
            }

            if (ip.DetectedUrls != null)
            {
                for (var i = 0; i < ip.DetectedUrls.Count(); i++)
                {
                    if (ip.DetectedUrls[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedUrls += 1;
                    }
                }
            }
        }
    }

    //Check Bit9 for values
    replacements.Add("%bit9threat%", "Not Configured");
    replacements.Add("%bit9trust%", "Not Configured");

    replacements = PaloAltoBadGuyReplacements(lFidoReturnValues, replacements);
    return replacements;
}
public static Dictionary<string, string> ProtectWiseBadGuyReturn(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary<string, string> replacements)
{
    // Tally the VirusTotal results attached to the ProtectWise event, then fill in the
    // AlienVault reputation placeholders used by the notification template.
    var vt = lFidoReturnValues.ProtectWise.VirusTotal;
    if (vt != null)
    {
        if (vt.MD5HashReturn != null)
        {
            for (var i = 0; i < vt.MD5HashReturn.Count(); i++)
            {
                if (vt.MD5HashReturn[i].Positives > 0)
                {
                    lFidoReturnValues.BadHashs += 1;
                    md5Hashes.lBadMD5Hashes.Add(vt.MD5HashReturn[i].Permalink);
                }
                else
                {
                    md5Hashes.lGoodMD5Hashes.Add(vt.MD5HashReturn[i].Permalink);
                }
            }
        }

        if (vt.URLReturn != null)
        {
            for (var i = 0; i < vt.URLReturn.Count(); i++)
            {
                if (vt.URLReturn[i].Positives > 0)
                {
                    lFidoReturnValues.BadUrLs += 1;
                    urls.lBadURLs.Add(vt.URLReturn[i].Permalink);
                }
                else
                {
                    urls.lGoodURLs.Add(vt.URLReturn[i].Permalink);
                }
            }
        }

        // Only the first IP report is used; guard against an empty list, not just null,
        // because the element is indexed directly below.
        if (vt.IPReturn != null && vt.IPReturn.Any())
        {
            var ip = vt.IPReturn[0];
            if (ip.DetectedCommunicatingSamples != null)
            {
                for (var i = 0; i < ip.DetectedCommunicatingSamples.Count(); i++)
                {
                    if (ip.DetectedCommunicatingSamples[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedComms += 1;
                    }
                }
            }

            if (ip.DetectedDownloadedSamples != null)
            {
                for (var i = 0; i < ip.DetectedDownloadedSamples.Count(); i++)
                {
                    if (ip.DetectedDownloadedSamples[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedDownloads += 1;
                    }
                }
            }

            if (ip.DetectedUrls != null)
            {
                for (var i = 0; i < ip.DetectedUrls.Count(); i++)
                {
                    if (ip.DetectedUrls[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedUrls += 1;
                    }
                }
            }
        }
    }

    //Check AlienVault for values
    if (lFidoReturnValues.ProtectWise.AlienVault != null)
    {
        replacements.Add("%alienrisk%", lFidoReturnValues.ProtectWise.AlienVault.Risk.ToString(CultureInfo.InvariantCulture));
        replacements.Add("%alienreliable%", lFidoReturnValues.ProtectWise.AlienVault.Reliability.ToString(CultureInfo.InvariantCulture));
        replacements.Add("%alienactivity%", lFidoReturnValues.ProtectWise.AlienVault.Activity ?? string.Empty);
    }
    else
    {
        replacements.Add("%alienrisk%", "Not Found");
        replacements.Add("%alienreliable%", "Not Found");
        replacements.Add("%alienactivity%", string.Empty);
    }

    //Check Bit9 for values
    replacements.Add("%bit9threat%", "Not Configured");
    replacements.Add("%bit9trust%", "Not Configured");

    replacements = ProtectWiseBadGuyReplacements(lFidoReturnValues, replacements);
    return replacements;
}
private static Dictionary<string, string> VTReplacements(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary<string, string> replacements)
{
    // Turn the collected VirusTotal permalinks into the HTML fragments the notification
    // template expects: a single link for one hit, a comma-separated numbered list of
    // links for several, and a plain "0" when there were none.
    var badHashes = md5Hashes.lBadMD5Hashes;
    if (badHashes.Count() == 1)
    {
        replacements.Add("%totalbadfiles%", "<a href='" + badHashes[0] + "'>" + lFidoReturnValues.BadHashs.ToString(CultureInfo.InvariantCulture) + "</a>");
    }
    else if (badHashes.Count() > 1)
    {
        // Loop bound is the list itself so the index can never run past the permalinks
        // actually collected, and the last entry gets no trailing separator.
        var sBadReplacement = string.Empty;
        for (var i = 0; i < badHashes.Count(); i++)
        {
            sBadReplacement += "<a href='" + badHashes[i] + "'>" + (i + 1).ToString(CultureInfo.InvariantCulture) + "</a>";
            if (i != badHashes.Count() - 1)
            {
                sBadReplacement += ", ";
            }
        }
        replacements.Add("%totalbadfiles%", sBadReplacement);
    }
    else
    {
        replacements.Add("%totalbadfiles%", "0");
    }

    if (md5Hashes.lGoodMD5Hashes.Count() == 1)
    {
        replacements.Add("%totalgoodfiles%", "<a href='" + md5Hashes.lGoodMD5Hashes[0] + "'>1</a>");
    }
    else if (md5Hashes.lGoodMD5Hashes.Count() > 1)
    {
        // Clean files are summarised as a range rather than linked individually.
        var sGoodReplacement = "<a href=''>1.." + md5Hashes.lGoodMD5Hashes.Count + "</a>";
        replacements.Add("%totalgoodfiles%", sGoodReplacement);
    }
    else
    {
        replacements.Add("%totalgoodfiles%", "0");
    }

    var badUrls = urls.lBadURLs;
    if (badUrls.Count() == 1)
    {
        replacements.Add("%totalbadurls%", "<a href='" + badUrls[0] + "'>1</a>");
    }
    else if (badUrls.Count() > 1)
    {
        // Same numbered-link list as for bad files; iterating to Count() rather than
        // BadUrLs - 1 ensures the final URL is emitted and no separator is left dangling.
        var sNewReplacement = string.Empty;
        for (var i = 0; i < badUrls.Count(); i++)
        {
            sNewReplacement += "<a href='" + badUrls[i] + "'>" + (i + 1).ToString(CultureInfo.InvariantCulture) + "</a>";
            if (i != badUrls.Count() - 1)
            {
                sNewReplacement += ", ";
            }
        }
        replacements.Add("%totalbadurls%", sNewReplacement);
    }
    else
    {
        replacements.Add("%totalbadurls%", "0");
    }

    if (urls.lGoodURLs.Count() == 1)
    {
        replacements.Add("%totalgoodurls%", "<a href='" + urls.lGoodURLs[0] + "'>1</a>");
    }
    else if (urls.lGoodURLs.Count() > 1)
    {
        var sGoodReplacement = "<a href=''>1.." + urls.lGoodURLs.Count + "</a>";
        replacements.Add("%totalgoodurls%", sGoodReplacement);
    }
    else
    {
        replacements.Add("%totalgoodurls%", "0");
    }

    return replacements;
}
public static Dictionary<string, string> StartReplacements(FidoReturnValues lFidoReturnValues, string[] detectors, MD5Hashes md5Hashes, URLs urls, Dictionary<string, string> replacements)
{
    try
    {
        //todo: put the following switch into its own function
        // Each detector that produced data for this event contributes its own
        // placeholders, then the shared VirusTotal summary placeholders are filled in.
        foreach (var detector in detectors)
        {
            switch (detector)
            {
                case "cyphortv2":
                    if (lFidoReturnValues.Cyphort != null)
                    {
                        replacements = Notification_Cyphort_Helper.CyphortBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                        replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                    }
                    break;

                case "cyphortv3":
                    if (lFidoReturnValues.Cyphort != null)
                    {
                        replacements = Notification_Cyphort_Helper.CyphortBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                        replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                    }
                    break;

                case "protectwisev1-event":
                    if (lFidoReturnValues.ProtectWise != null)
                    {
                        replacements = Notfication_ProtectWise_Helper.ProtectWiseBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                        replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                    }
                    break;

                case "carbonblackv1":
                    if (lFidoReturnValues.CB.Alert != null)
                    {
                        replacements = Notification_CarbonBlack_Helper.CarbonBlackBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                        replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                    }
                    break;

                case "panv1":
                    if (lFidoReturnValues.PaloAlto != null)
                    {
                        replacements = Notification_PaloAlto_Helper.PaloAltoBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                        replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                    }
                    break;

                case "mps":
                    //Check Virustotal for values
                    if (lFidoReturnValues.FireEye != null)
                    {
                        replacements = MPSBadGuyReturn(lFidoReturnValues, md5Hashes, urls, replacements);
                        replacements = VTReplacements(lFidoReturnValues, md5Hashes, urls, replacements);
                    }
                    break;

                case "antivirus":
                    break;

                case "ids":
                    break;

                case "bit9":
                    if (lFidoReturnValues.Bit9 != null)
                    {
                        // No VirusTotal report for the file: nothing to tally, move to the next detector.
                        if (lFidoReturnValues.Bit9.VTReport == null || !lFidoReturnValues.Bit9.VTReport.Any())
                        {
                            continue;
                        }

                        if (lFidoReturnValues.Bit9.VTReport[0].Positives > 0)
                        {
                            lFidoReturnValues.BadHashs += 1;
                            md5Hashes.lBadMD5Hashes.Add(lFidoReturnValues.Bit9.VTReport[0].Permalink);
                        }
                        else
                        {
                            md5Hashes.lGoodMD5Hashes.Add(lFidoReturnValues.Bit9.VTReport[0].Permalink);
                        }

                        //Check Bit9 for values
                        replacements.Add("%bit9threat%", lFidoReturnValues.Bit9.FileThreat);
                        replacements.Add("%bit9trust%", lFidoReturnValues.Bit9.FileTrust);
                    }
                    break;
            }
        }
        return replacements;
    }
    catch (Exception e)
    {
        // Report the failure through FIDO's own alerting channel rather than crashing the run.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in Notification Help: " + e);
    }
    return replacements;
}
public static Dictionary<string, string> CyphortBadGuyReturn(FidoReturnValues lFidoReturnValues, MD5Hashes md5Hashes, URLs urls, Dictionary<string, string> replacements)
{
    // Tally the VirusTotal results attached to the Cyphort event; same bookkeeping as
    // the other detector helpers, feeding the counters VTReplacements renders.
    var vt = lFidoReturnValues.Cyphort.VirusTotal;
    if (vt != null)
    {
        if (vt.MD5HashReturn != null)
        {
            for (var i = 0; i < vt.MD5HashReturn.Count(); i++)
            {
                if (vt.MD5HashReturn[i].Positives > 0)
                {
                    lFidoReturnValues.BadHashs += 1;
                    md5Hashes.lBadMD5Hashes.Add(vt.MD5HashReturn[i].Permalink);
                }
                else
                {
                    md5Hashes.lGoodMD5Hashes.Add(vt.MD5HashReturn[i].Permalink);
                }
            }
        }

        if (vt.URLReturn != null)
        {
            for (var i = 0; i < vt.URLReturn.Count(); i++)
            {
                if (vt.URLReturn[i].Positives > 0)
                {
                    lFidoReturnValues.BadUrLs += 1;
                    urls.lBadURLs.Add(vt.URLReturn[i].Permalink);
                }
                else
                {
                    urls.lGoodURLs.Add(vt.URLReturn[i].Permalink);
                }
            }
        }

        // Only the first IP report is used; guard against an empty list, not just null,
        // because the element is indexed directly below.
        if (vt.IPReturn != null && vt.IPReturn.Any())
        {
            var ip = vt.IPReturn[0];
            if (ip.DetectedCommunicatingSamples != null)
            {
                for (var i = 0; i < ip.DetectedCommunicatingSamples.Count(); i++)
                {
                    if (ip.DetectedCommunicatingSamples[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedComms += 1;
                    }
                }
            }

            if (ip.DetectedDownloadedSamples != null)
            {
                for (var i = 0; i < ip.DetectedDownloadedSamples.Count(); i++)
                {
                    if (ip.DetectedDownloadedSamples[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedDownloads += 1;
                    }
                }
            }

            if (ip.DetectedUrls != null)
            {
                for (var i = 0; i < ip.DetectedUrls.Count(); i++)
                {
                    if (ip.DetectedUrls[i].Positives > 0)
                    {
                        lFidoReturnValues.BadDetectedUrls += 1;
                    }
                }
            }
        }
    }

    replacements = CyphortBadGuyReplacements(lFidoReturnValues, replacements);
    return replacements;
}