Exemplo n.º 1
0
        private static bool SetUpPreviousAlerts(FidoReturnValues lFidoReturnValues, bool isRunDirector)
        {
            lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
            if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
            {
                isRunDirector = PreviousAlert(lFidoReturnValues);
            }

            return(isRunDirector);
        }
Exemplo n.º 2
0
        private static FidoReturnValues FormatInfectionReturnValues(FidoReturnValues lFidoReturnValues)
        {
            lFidoReturnValues.Cyphort.DstIP   = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
            lFidoReturnValues.Cyphort.Domain  = new List <string>();
            lFidoReturnValues.Cyphort.URL     = new List <string>();
            lFidoReturnValues.Cyphort.MD5Hash = new List <string>();

            try
            {
                foreach (var infection in lFidoReturnValues.Cyphort.IncidentDetails.Incident.InfectionArray)
                {
                    lFidoReturnValues.Cyphort.EventID = infection.Infection_id;
                    lFidoReturnValues.AlertID         = infection.Infection_id;
                    lFidoReturnValues.Cyphort.URL.Add(string.Empty);
                    lFidoReturnValues.Cyphort.MD5Hash.Add(string.Empty);
                    lFidoReturnValues.Cyphort.Domain.Add(infection.Cnc_servers);
                    lFidoReturnValues.DNSName = infection.Cnc_servers.Replace(".", "(.)");

                    var isRunDirector = false;
                    //Check to see if ID has been processed before
                    lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                    if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                    {
                        isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
                    }
                    if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                    {
                        continue;
                    }
                    //todo: build better filetype versus targetted OS, then remove this.
                    lFidoReturnValues.IsTargetOS = true;
                    Console.WriteLine(@"Processing CNC incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
                    TheDirector.Direct(lFidoReturnValues);
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 infection return:" + e);
            }


            return(lFidoReturnValues);
        }
Exemplo n.º 3
0
        private static void ParsePan(Object_PaloAlto_Class.PanReturn panReturn)
        {
            try
            {
                foreach (var entry in panReturn.Result.Log.Logs.Entry)
                {
                    if (entry.App == "dns")
                    {
                        continue;
                    }

                    Console.WriteLine(@"Processing PAN " + entry.SubType + @" event.");

                    //initialize generic variables for PAN values
                    var lFidoReturnValues = new FidoReturnValues();
                    if (lFidoReturnValues.PreviousAlerts == null)
                    {
                        lFidoReturnValues.PreviousAlerts = new EventAlerts();
                    }

                    if (lFidoReturnValues.PaloAlto == null)
                    {
                        lFidoReturnValues.PaloAlto = new PaloAltoReturnValues();
                    }

                    //Convert PAN classifications to more readable values
                    lFidoReturnValues.MalwareType      = entry.Type + " " + entry.SubType;
                    lFidoReturnValues.CurrentDetector  = "panv1";
                    lFidoReturnValues.PaloAlto.EventID = entry.EventID;
                    lFidoReturnValues.AlertID          = entry.EventID;
                    if (entry.Direction == "client-to-server")
                    {
                        lFidoReturnValues.PaloAlto.isDst = true;
                    }
                    else
                    {
                        lFidoReturnValues.PaloAlto.isDst = false;
                    }

                    if (lFidoReturnValues.PaloAlto.isDst)
                    {
                        lFidoReturnValues.SrcIP          = entry.SrcIP;
                        lFidoReturnValues.DstIP          = entry.DstIP;
                        lFidoReturnValues.PaloAlto.DstIp = entry.DstIP;
                    }
                    else
                    {
                        lFidoReturnValues.SrcIP          = entry.DstIP;
                        lFidoReturnValues.DstIP          = entry.SrcIP;
                        lFidoReturnValues.PaloAlto.DstIp = entry.SrcIP;
                    }

                    if (!string.IsNullOrEmpty(entry.DstUser))
                    {
                        lFidoReturnValues.PaloAlto.DstUser = entry.DstUser.Replace(@"corp\", string.Empty);
                        lFidoReturnValues.Username         = entry.DstUser;
                    }


                    lFidoReturnValues.PaloAlto.EventTime = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);
                    lFidoReturnValues.TimeOccurred       = entry.ReceivedTime.ToString(CultureInfo.InvariantCulture);

                    var isRunDirector = false;
                    //Check to see if ID has been processed before
                    lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                    if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                    {
                        isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.PaloAlto.EventID, lFidoReturnValues.PaloAlto.EventTime);
                    }
                    if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                    {
                        continue;
                    }
                    //todo: build better filetype versus targetted OS, then remove this.
                    lFidoReturnValues.IsTargetOS = true;
                    Console.WriteLine(@"Processing PAN incident " + lFidoReturnValues.PaloAlto.EventID + @" through to the Director.");
                    TheDirector.Direct(lFidoReturnValues);
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PANv1 Detector parse:" + e);
            }
        }
Exemplo n.º 4
0
        private static FidoReturnValues FormatDownloadReturnValues(FidoReturnValues lFidoReturnValues)
        {
            lFidoReturnValues.Cyphort.DstIP   = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_ip;
            lFidoReturnValues.Cyphort.URL     = new List <string>();
            lFidoReturnValues.Cyphort.MD5Hash = new List <string>();
            lFidoReturnValues.Cyphort.Domain  = new List <string>();

            try
            {
                foreach (var download in lFidoReturnValues.Cyphort.IncidentDetails.Incident.DownloadArray)
                {
                    if (!string.IsNullOrEmpty(download.Event_id))
                    {
                        lFidoReturnValues.Cyphort.EventID = download.Event_id;
                    }
                    if (!string.IsNullOrEmpty(download.Event_id))
                    {
                        lFidoReturnValues.AlertID = download.Event_id;
                    }
                    if (!string.IsNullOrEmpty(download.Source_url))
                    {
                        lFidoReturnValues.Cyphort.URL.Add(download.Source_url);
                        lFidoReturnValues.Url = new List <string> {
                            download.Source_url
                        };
                    }
                    if (!string.IsNullOrEmpty(download.File_md5_string))
                    {
                        lFidoReturnValues.Cyphort.MD5Hash.Add(download.File_md5_string);
                        lFidoReturnValues.Hash = new List <string> {
                            download.File_md5_string
                        };
                    }
                    if (download.Req_headers != null)
                    {
                        lFidoReturnValues.Cyphort.Domain.Add(download.Req_headers.Host);
                        lFidoReturnValues.DNSName = download.Req_headers.Host.Replace(".", "(.)");
                    }

                    //Check to see if ID has been processed before
                    var isRunDirector = false;
                    lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                    if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                    {
                        isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.Cyphort.EventID, lFidoReturnValues.Cyphort.EventTime);
                    }
                    if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                    {
                        continue;
                    }
                    //todo: build better filetype versus targetted OS, then remove this.
                    lFidoReturnValues.IsTargetOS = true;
                    Console.WriteLine(@"Processing download incident " + lFidoReturnValues.Cyphort.EventID + @" through to the Director.");
                    TheDirector.Direct(lFidoReturnValues);
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 download return:" + e);
            }

            return(lFidoReturnValues);
        }
Exemplo n.º 5
0
        //This function will grab the API information and build a query string.
        //Then it will assign the json return to an object. If any of the objects
        //have a value they will be sent to ParseCyphort helper function.
        //public static void GetCyphortAlerts()
        //{


        //  Console.WriteLine(@"Running Cyphort v2 detector.");
        //  //currently needed to bypass site without a valid cert.
        //  //todo: make ssl bypass configurable
        //  ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
        //  ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

        //  var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv2");
        //  var request = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
        //  var alertRequest = (HttpWebRequest)WebRequest.Create(request);
        //  alertRequest.Method = "GET";
        //  try
        //  {
        //    using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
        //    {
        //      if (cyphortResponse != null && cyphortResponse.StatusCode == HttpStatusCode.OK)
        //      {
        //        using (var respStream = cyphortResponse.GetResponseStream())
        //        {
        //          if (respStream == null) return;
        //          var cyphortReader = new StreamReader(respStream, Encoding.UTF8);
        //          var stringreturn = cyphortReader.ReadToEnd();
        //          var cyphortReturn = JsonConvert.DeserializeObject<CyphortClass>(stringreturn);
        //          if (cyphortReturn.correlations_array.Any() | cyphortReturn.infections_array.Any() | cyphortReturn.downloads_array.Any())
        //          {
        //            ParseCyphort(cyphortReturn);
        //          }
        //          var responseStream = cyphortResponse.GetResponseStream();
        //          if (responseStream != null) responseStream.Dispose();
        //          cyphortResponse.Close();
        //          Console.WriteLine(@"Finished processing Cyphort detector.");
        //        }
        //      }
        //    }
        //  }
        //  catch (Exception e)
        //  {
        //    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector getting json:" + e);
        //  }
        //}

        //Helper function to assign important values to FidoReturnValues objects and then
        //handoff to TheDirector for FIDO processing.
        private static void ParseCyphort(CyphortClass cyphortReturn)
        {
            try
            {
                if (cyphortReturn.correlations_array != null && cyphortReturn.correlations_array.Any())
                {
                    cyphortReturn.correlations_array = cyphortReturn.correlations_array.Reverse().ToArray();
                    for (var i = 0; i < cyphortReturn.correlations_array.Count(); i++)
                    {
                        Console.WriteLine(@"Processing correlation alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.correlations_array.Count().ToString(CultureInfo.InvariantCulture) + @".");
                        var lFidoReturnValues = new FidoReturnValues();
                        var isRunDirector     = false;
                        if (lFidoReturnValues.PreviousAlerts == null)
                        {
                            lFidoReturnValues.PreviousAlerts = new EventAlerts();
                        }

                        if (lFidoReturnValues.Cyphort == null)
                        {
                            lFidoReturnValues.Cyphort = new CyphortReturnValues();
                        }
                        if (cyphortReturn.correlations_array[i][4].Contains(":"))
                        {
                            continue;
                        }
                        lFidoReturnValues.SrcIP             = cyphortReturn.correlations_array[i][4];
                        lFidoReturnValues.MalwareType       = cyphortReturn.correlations_array[i][19] + " and download";
                        lFidoReturnValues.DstIP             = cyphortReturn.correlations_array[i][16];
                        lFidoReturnValues.Cyphort.DstIP     = cyphortReturn.correlations_array[i][16];
                        lFidoReturnValues.TimeOccurred      = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
                        lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.correlations_array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
                        lFidoReturnValues.Cyphort.EventID   = cyphortReturn.correlations_array[i][1];
                        lFidoReturnValues.AlertID           = lFidoReturnValues.Cyphort.EventID;
                        lFidoReturnValues.Cyphort.URL       = new List <string> {
                            cyphortReturn.correlations_array[i][12]
                        };
                        lFidoReturnValues.Url = new List <string> {
                            cyphortReturn.correlations_array[i][12]
                        };
                        lFidoReturnValues.Cyphort.Domain = new List <string> {
                            cyphortReturn.correlations_array[i][11]
                        };
                        lFidoReturnValues.Cyphort.MD5Hash = new List <string> {
                            cyphortReturn.correlations_array[i][7]
                        };
                        lFidoReturnValues.Hash = new List <string> {
                            cyphortReturn.correlations_array[i][7]
                        };
                        lFidoReturnValues.CurrentDetector = "cyphortv2";

                        //Using the Hostname/SrcIP, check the FidoDB to see if any previous alerts were generated
                        lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);

                        //If previous alerts were generated then run PreviousAlert to compare the AlertID of the newly generated
                        //alert versus previous alerts.
                        if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                        {
                            isRunDirector = PreviousAlert(lFidoReturnValues);
                        }

                        //If the type of alert is a test alert then exit, or if the alert is has already been processed
                        if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY"))
                        {
                            continue;
                        }
                        //todo: build better filetype versus targetted OS, then remove this.
                        lFidoReturnValues.IsTargetOS = true;
                        TheDirector.Direct(lFidoReturnValues);
                    }
                }

                if (cyphortReturn.downloads_array != null && cyphortReturn.downloads_array.Any())
                {
                    cyphortReturn.downloads_array = cyphortReturn.downloads_array.Reverse().ToArray();
                    for (var i = 0; i < cyphortReturn.downloads_array.Count(); i++)
                    {
                        Console.WriteLine(@"Processing download alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.downloads_array.Count().ToString(CultureInfo.InvariantCulture) + @".");
                        var lFidoReturnValues = new FidoReturnValues();
                        var isRunDirector     = false;
                        if (lFidoReturnValues.PreviousAlerts == null)
                        {
                            lFidoReturnValues.PreviousAlerts = new EventAlerts();
                        }
                        if (lFidoReturnValues.Cyphort == null)
                        {
                            lFidoReturnValues.Cyphort = new CyphortReturnValues();
                        }
                        if (cyphortReturn.downloads_array[i][4].Contains(":"))
                        {
                            continue;
                        }
                        lFidoReturnValues.SrcIP             = cyphortReturn.downloads_array[i][4];
                        lFidoReturnValues.MalwareType       = cyphortReturn.downloads_array[i][20] + " download detected";
                        lFidoReturnValues.DstIP             = cyphortReturn.downloads_array[i][16];
                        lFidoReturnValues.Cyphort.DstIP     = cyphortReturn.downloads_array[i][16];
                        lFidoReturnValues.TimeOccurred      = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture);
                        lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.downloads_array[i][2]).ToString(CultureInfo.InvariantCulture);
                        lFidoReturnValues.Cyphort.EventID   = cyphortReturn.downloads_array[i][0];
                        lFidoReturnValues.AlertID           = lFidoReturnValues.Cyphort.EventID;
                        lFidoReturnValues.Cyphort.URL       = new List <string> {
                            cyphortReturn.downloads_array[i][12]
                        };
                        lFidoReturnValues.Url = new List <string> {
                            cyphortReturn.downloads_array[i][12]
                        };
                        lFidoReturnValues.Cyphort.Domain = new List <string> {
                            cyphortReturn.downloads_array[i][11]
                        };
                        lFidoReturnValues.Cyphort.MD5Hash = new List <string> {
                            cyphortReturn.downloads_array[i][7]
                        };
                        lFidoReturnValues.Hash = new List <string> {
                            cyphortReturn.downloads_array[i][7]
                        };
                        lFidoReturnValues.CurrentDetector = "cyphortv2";
                        lFidoReturnValues.PreviousAlerts  = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                        if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                        {
                            isRunDirector = PreviousAlert(lFidoReturnValues);
                        }
                        if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY"))
                        {
                            continue;
                        }
                        //todo: build better filetype versus targetted OS, then remove this.
                        lFidoReturnValues.IsTargetOS = true;
                        TheDirector.Direct(lFidoReturnValues);
                    }
                }

                if (cyphortReturn.infections_array != null && cyphortReturn.infections_array.Any())
                {
                    cyphortReturn.infections_array = cyphortReturn.infections_array.Reverse().ToArray();
                    for (var i = 0; i < cyphortReturn.infections_array.Count(); i++)
                    {
                        Console.WriteLine(@"Processing infection alert " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.infections_array.Count().ToString(CultureInfo.InvariantCulture) + @".");
                        var lFidoReturnValues = new FidoReturnValues();
                        var isRunDirector     = false;
                        if (lFidoReturnValues.PreviousAlerts == null)
                        {
                            lFidoReturnValues.PreviousAlerts = new EventAlerts();
                        }

                        if (lFidoReturnValues.Cyphort == null)
                        {
                            lFidoReturnValues.Cyphort = new CyphortReturnValues();
                        }
                        if (cyphortReturn.infections_array[i][4].Contains(":"))
                        {
                            continue;
                        }
                        lFidoReturnValues.SrcIP             = cyphortReturn.infections_array[i][4];
                        lFidoReturnValues.MalwareType       = "C&C external communication detected";
                        lFidoReturnValues.DstIP             = cyphortReturn.infections_array[i][16];
                        lFidoReturnValues.Cyphort.DstIP     = cyphortReturn.infections_array[i][16];
                        lFidoReturnValues.TimeOccurred      = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture);
                        lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.infections_array[i][2]).ToString(CultureInfo.InvariantCulture);
                        lFidoReturnValues.Cyphort.EventID   = cyphortReturn.infections_array[i][1];
                        lFidoReturnValues.AlertID           = lFidoReturnValues.Cyphort.EventID;
                        lFidoReturnValues.Cyphort.URL       = new List <string> {
                            cyphortReturn.infections_array[i][12]
                        };
                        lFidoReturnValues.Url = new List <string> {
                            cyphortReturn.infections_array[i][12]
                        };
                        lFidoReturnValues.Cyphort.Domain = new List <string> {
                            cyphortReturn.infections_array[i][11]
                        };
                        lFidoReturnValues.Cyphort.MD5Hash = new List <string> {
                            cyphortReturn.infections_array[i][7]
                        };
                        lFidoReturnValues.Hash = new List <string> {
                            cyphortReturn.infections_array[i][7]
                        };
                        lFidoReturnValues.CurrentDetector = "cyphortv2";
                        lFidoReturnValues.PreviousAlerts  = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                        if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                        {
                            isRunDirector = PreviousAlert(lFidoReturnValues);
                        }
                        if (isRunDirector || lFidoReturnValues.MalwareType.Contains("VIRUS_EICAR_TEST_FILE.CY"))
                        {
                            continue;
                        }
                        //todo: build better filetype versus targetted OS, then remove this.
                        lFidoReturnValues.IsTargetOS = true;
                        TheDirector.Direct(lFidoReturnValues);
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector parse:" + e);
            }
        }
Exemplo n.º 6
0
        private static void ParseProtectWiseObservation(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event protectwiseReturn, string malwareType)
        {
            try
            {
                //protectwiseReturn.Observations = protectwiseReturn.Observations.Reverse().ToArray();
                for (var i = 0; i < protectwiseReturn.Observations.Count(); i++)
                {
                    if (protectwiseReturn.Observations[i].Flow.IP.DstIP == "0.0.0.0")
                    {
                        continue;
                    }
                    Console.WriteLine(@"Processing ProtectWise observation " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + protectwiseReturn.Observations.Count().ToString(CultureInfo.InvariantCulture) + @".");

                    //initialize generic variables for Cyphort values
                    var lFidoReturnValues = new FidoReturnValues();
                    if (lFidoReturnValues.PreviousAlerts == null)
                    {
                        lFidoReturnValues.PreviousAlerts = new EventAlerts();
                    }

                    if (lFidoReturnValues.ProtectWise == null)
                    {
                        lFidoReturnValues.ProtectWise = new ProtectWiseReturnValues();
                    }
                    lFidoReturnValues.ProtectWise.EventDetails = protectwiseReturn;

                    lFidoReturnValues.MalwareType = protectwiseReturn.Observations[i].Category + " : " + protectwiseReturn.Observations[i].ThreatSubCategory + " (" + protectwiseReturn.Observations[i].KillChainStage + ")";

                    //Assign generic event deatils for use in TheDirector
                    lFidoReturnValues.CurrentDetector = "protectwisev1";
                    lFidoReturnValues.MalwareType     = malwareType;
                    if (!string.IsNullOrEmpty(lFidoReturnValues.ProtectWise.EventDetails.Id))
                    {
                        if (protectwiseReturn.Observations[i].Flow.IP.SrcIP == "0.0.0.0" || protectwiseReturn.Observations[i].Flow.IP.DstIP == "0.0.0.0")
                        {
                            continue;
                        }
                        lFidoReturnValues.ProtectWise.IncidentDetails = new Object_ProtectWise_Threat_ConfigClass.ProtectWise_Observation();
                        if (protectwiseReturn.Netflow[i].GEO != null)
                        {
                            lFidoReturnValues.ProtectWise.GEO = new Object_ProtectWise_Threat_ConfigClass.ProtectWise_GEO();
                            lFidoReturnValues.ProtectWise.GEO = protectwiseReturn.Netflow[i].GEO;
                        }
                        lFidoReturnValues.ProtectWise.IncidentDetails = protectwiseReturn.Observations[i];
                        if (protectwiseReturn.Observations[i].Flow.IP.DstIP.StartsWith("10."))
                        {
                            lFidoReturnValues.SrcIP             = protectwiseReturn.Observations[i].Flow.IP.DstIP;
                            lFidoReturnValues.ProtectWise.DstIP = protectwiseReturn.Observations[i].Flow.IP.SrcIP;
                            lFidoReturnValues.DstIP             = protectwiseReturn.Observations[i].Flow.IP.SrcIP;
                            lFidoReturnValues.ProtectWise.URL   = protectwiseReturn.Observations[i].Flow.IP.SrcIP;
                        }
                        else
                        {
                            lFidoReturnValues.DstIP             = protectwiseReturn.Observations[i].Flow.IP.DstIP;
                            lFidoReturnValues.ProtectWise.DstIP = protectwiseReturn.Observations[i].Flow.IP.DstIP;
                            lFidoReturnValues.SrcIP             = protectwiseReturn.Observations[i].Flow.IP.SrcIP;
                            lFidoReturnValues.ProtectWise.URL   = protectwiseReturn.Observations[i].Flow.IP.DstIP;
                        }

                        lFidoReturnValues.ProtectWise.EventID   = protectwiseReturn.Observations[i].EventID;
                        lFidoReturnValues.AlertID               = protectwiseReturn.Observations[i].EventID;
                        lFidoReturnValues.TimeOccurred          = FromEpochTime(protectwiseReturn.Observations[i].EventTime).ToString();
                        lFidoReturnValues.ProtectWise.EventTime = FromEpochTime(protectwiseReturn.Observations[i].EventTime).ToString();
                        if (protectwiseReturn.Observations[i].Data.URL_Reputation != null)
                        {
                            var getDomain = protectwiseReturn.Observations[i].Data.URL_Reputation.Url.Split('/');
                            lFidoReturnValues.DNSName = getDomain[0].Replace(".", "(.)");
                        }

                        //Check to see if ID has been processed before
                        var isRunDirector = false;
                        lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                        if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                        {
                            isRunDirector = AlertHelper.PreviousAlert(lFidoReturnValues, lFidoReturnValues.ProtectWise.EventID, lFidoReturnValues.ProtectWise.EventTime);
                        }
                        if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                        {
                            return;
                        }

                        if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.Ip_Reputation != null)
                        {
                            lFidoReturnValues = FormatIPReturnValues(lFidoReturnValues);
                        }

                        if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
                        {
                            lFidoReturnValues = FormatURLReturnValues(lFidoReturnValues);
                        }

                        if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.File_Reputation != null)
                        {
                        }

                        if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.DNS_Reputation != null)
                        {
                        }

                        if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.IdsEvent != null)
                        {
                            lFidoReturnValues = FormatIdsReturnValues(lFidoReturnValues);
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector parse:" + e);
            }
        }
Exemplo n.º 7
0
        private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
        {
            var cbHost    = string.Empty;
            var cbHostInt = 0;

            foreach (var cbEvent in cbReturn.Results)
            {
                Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
                try
                {
                    //initialize generic variables for CB values
                    var lFidoReturnValues = new FidoReturnValues();
                    if (lFidoReturnValues.PreviousAlerts == null)
                    {
                        lFidoReturnValues.PreviousAlerts = new EventAlerts();
                    }

                    if (lFidoReturnValues.CB == null)
                    {
                        lFidoReturnValues.CB = new CarbonBlackReturnValues {
                            Alert = new CarbonBlackAlert()
                        };
                    }
                    lFidoReturnValues.CurrentDetector        = "carbonblackv1";
                    lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
                    lFidoReturnValues.CB.Alert.AlertType     = cbEvent.AlertType;
                    if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary"))
                    {
                        lFidoReturnValues.isBinary = true;
                    }

                    var dTable = new SqLiteDB();
                    var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
                    var cbDict = GetDict(cbData);

                    foreach (var label in cbDict)
                    {
                        if (cbEvent.WatchlistName == label.Key)
                        {
                            lFidoReturnValues.MalwareType = label.Value;
                            break;
                        }
                    }

                    if (lFidoReturnValues.MalwareType == null)
                    {
                        lFidoReturnValues.MalwareType = "Malicious file detected.";
                    }

                    lFidoReturnValues.CB.Alert.EventID   = cbEvent.UniqueID;
                    lFidoReturnValues.AlertID            = cbEvent.UniqueID;
                    lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
                    lFidoReturnValues.TimeOccurred       = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
                    lFidoReturnValues.Hostname           = cbEvent.Hostname;

                    //todo: this was supposed to limit the total # of alerts sent from a single host,
                    //however, it is poo and needs to be redone.
                    if (lFidoReturnValues.Hostname != cbHost)
                    {
                        cbHost = lFidoReturnValues.Hostname;
                    }
                    else
                    {
                        cbHostInt++;
                    }

                    if (cbHostInt >= 25)
                    {
                        CloseCarbonBlackAlert(lFidoReturnValues);
                    }
                    lFidoReturnValues.Username = cbEvent.Username;
                    lFidoReturnValues.Hash     = new List <string> {
                        cbEvent.MD5
                    };
                    lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
                    lFidoReturnValues.CB.Inventory     = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);
                    if (string.IsNullOrEmpty(cbEvent.ProcessPath))
                    {
                        if (string.IsNullOrEmpty(cbEvent.ProcessPath))
                        {
                            lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0];
                        }
                    }
                    else
                    {
                        lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;
                    }

                    if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null))
                    {
                        lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
                    }
                    else
                    {
                        lFidoReturnValues.CB.Alert.HostCount = "0";
                    }

                    if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null))
                    {
                        lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
                    }
                    else
                    {
                        lFidoReturnValues.CB.Alert.NetConn = "0";
                    }

                    if (lFidoReturnValues.CB.Inventory != null)
                    {
                        var sFilter = new[] { "|", "," };
                        var sIP     = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter, StringSplitOptions.RemoveEmptyEntries);
                        lFidoReturnValues.SrcIP = sIP[0];
                    }

                    var isRunDirector = false;
                    //Check to see if ID has been processed before
                    lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
                    if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
                    {
                        isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
                    }
                    if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR"))
                    {
                        continue;
                    }
                    //todo: build better filetype versus targetted OS, then remove this.
                    lFidoReturnValues.IsTargetOS = true;
                    TheDirector.Direct(lFidoReturnValues);
                    //CloseCarbonBlackAlert(lFidoReturnValues);
                }
                catch (Exception e)
                {
                    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
                }
            }
        }