private static List<Object_VirusTotal_IP.IPReport> ParseIP(string[] sIP)
{
    // Look up every address in sIP against the VirusTotal IP API and return the resulting
    // reports. Returns null when sIP is null, when the lookup yields nothing, or when the
    // lookup throws (the exception is reported through the error mailer, not rethrown).
    //
    // NOTE(review): the API key is read from configuration in clear text; the commented-out
    // "acek" lookup below is the placeholder for an encrypted value.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    var apiKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);

    // Constructed as in the original; the actual lookup goes through GetIPReport with the
    // raw key (the original calls this a workaround for rate limiting).
    var vtClient = new VirusTotal(apiKey);

    List<Object_VirusTotal_IP.IPReport> reports = null;
    try
    {
        if (sIP == null)
        {
            return reports;
        }
        var lookup = GetIPReport(sIP, apiKey);
        if (lookup != null)
        {
            reports = lookup;
        }
    }
    catch (Exception e)
    {
        // The full exception text (stack trace included) is mailed out.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
    }
    return reports;
}
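private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
{
    // Fetch the full Cyphort v3 incident identified by lFidoReturnValues.Cyphort.IncidentID
    // and fold it into lFidoReturnValues (incident details, DNS name, download / infection
    // formatting). Failures are reported through the error mailer; nothing is thrown.
    Console.WriteLine(@"Pulling Cyphort incident details.");

    // SECURITY: ServicePointManager is process-wide state, so the two lines below pin every
    // outbound connection of this process to TLS 1.0 and accept any server certificate,
    // not just Cyphort's. Kept because the original notes the Cyphort host has no valid
    // certificate, but this belongs on a per-host/per-request validator and behind config.
    //todo: make ssl bypass configurable
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = delegate { return (true); };

    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
    // The API key travels in the URL, so it shows up in proxy logs and in any WebException
    // text that is mailed out below.
    var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;
    // The incident id originates from an earlier Cyphort response; escape it so it cannot
    // alter the path/query it is substituted into (a null id becomes "" as before).
    request = request.Replace("%incidentid%", Uri.EscapeDataString(lFidoReturnValues.Cyphort.IncidentID ?? string.Empty));
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    alertRequest.Method = "GET";
    try
    {
        using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
            {
                return;
            }
            using (var respStream = cyphortResponse.GetResponseStream())
            {
                if (respStream == null)
                {
                    return;
                }
                string body;
                using (var cyphortReader = new StreamReader(respStream, Encoding.UTF8))
                {
                    body = cyphortReader.ReadToEnd();
                }
                var cyphortReturn = JsonConvert.DeserializeObject<Object_Cyphort_Class.CyphortIncident>(body);
                // A literal "null" body deserializes to null; the original dereferenced it.
                if (cyphortReturn == null || cyphortReturn.Incident == null)
                {
                    return;
                }
                // The original allocated a fresh CyphortIncident and immediately overwrote it.
                lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn;
                ChangeDNSName(lFidoReturnValues);
                // NOTE(review): the Format* helpers return a FidoReturnValues that is stored back
                // into the parameter; since it is not passed by ref, the caller only sees these
                // changes if the helpers mutate the instance they were handed. Preserved as-is.
                if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1")
                {
                    lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues);
                }
                if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1")
                {
                    lFidoReturnValues = FormatInfectionReturnValues(lFidoReturnValues);
                }
                DoesNotChangeAnyThing(lFidoReturnValues);
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
    }
}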
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
{
    // Request the Cyphort v3 incident for lFidoReturnValues.Cyphort.IncidentID and hand a
    // successful (HTTP 200) response stream to getResponseStream for parsing. Errors are
    // mailed, not thrown.
    Console.WriteLine(@"Pulling Cyphort incident details.");

    // SECURITY: these two assignments are process-wide — every later connection in this
    // process is pinned to TLS 1.0 and skips certificate validation, not just this one.
    //todo: make ssl bypass configurable
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = delegate { return (true); };

    var cfg = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
    // API key is part of the URL (visible in proxy logs and mailed exception text);
    // the incident id is substituted in unescaped.
    var url = (cfg.Server + cfg.Query2 + cfg.APIKey).Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID);
    var req = (HttpWebRequest)WebRequest.Create(url);
    req.Method = "GET";
    try
    {
        using (var resp = req.GetResponse() as HttpWebResponse)
        {
            var ok = resp != null && resp.StatusCode == HttpStatusCode.OK;
            if (ok)
            {
                lFidoReturnValues = getResponseStream(resp.GetResponseStream(), lFidoReturnValues);
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
    }
}
public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
    // Report an internal error: log it, mail it to the configured error address (prefixing
    // the subject with "Test: " when the test-startup flag is set), echo it to the console,
    // then pause one second. Does nothing when "fido.email.runerroremail" is off.
    var enabled = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
    var recipient = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sender = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var isTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    if (!enabled)
    {
        return;
    }
    var subject = isTest ? "Test: " + sErrorSubject : sErrorSubject;

    // NOTE(review): callers pass full exception text here; anything embedded in it (request
    // URLs carrying API keys, connection strings) is written to the log and to the mail.
    Logging_Fido.RunLogging(sErrorMessage);
    var mail = new Emailfields
    {
        To = recipient,
        CC = "",
        From = sender,
        Subject = subject,
        Body = sErrorMessage,
        EmailAttach = null,
        GaugeAttatch = null
    };
    Email_Send.Send(mail);
    Console.WriteLine(sErrorMessage);
    Thread.Sleep(1000);
}
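//function to send email
public static void Send(string sTo, string sCC, string sFrom, string sSubject, string sBody, List<string> lGaugeAttachment, string sEmailAttachment)
{
    // Build and send one HTML mail with optional gauge images and one optional file
    // attachment. On failure a single best-effort "Fido Error" notice is attempted and the
    // original exception is rethrown to the caller.
    //
    // Fix: the original catch block recursed into Send() to mail the error; when the relay
    // was down that recursion never terminated (each attempt failed into the same catch).
    // The notice is now skipped when this call *is* the error notice, and its own failure
    // can no longer replace the exception the caller gets.
    var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    try
    {
        using (var mMessage = new MailMessage { IsBodyHtml = true })
        {
            mMessage.AddRecepients(sTo, sCC);
            mMessage.AddMain(sFrom, sSubject, sBody, lGaugeAttachment);
            if (!string.IsNullOrEmpty(sEmailAttachment))
            {
                // sEmailAttachment is a local file path supplied by the caller; attached as-is.
                mMessage.Attachments.Add(new Attachment(sEmailAttachment));
            }
            mMessage.SendMessage();
        }
    }
    catch (Exception e)
    {
        if (sSubject != "Fido Error")
        {
            try
            {
                Send(sErrorEmail, sFidoEmail, sFidoEmail, "Fido Error", "Fido Failed: Generic error sending email." + e, null, null);
            }
            catch (Exception)
            {
                // Best-effort notification only; the original failure is rethrown below.
            }
        }
        throw;
    }
}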
private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
{
    // Send the ProtectWise MD5 (a single hash string) to VirusTotal and, separately, the
    // ProtectWise data to ThreatGRID, each only when its "fido.director.*" flag is on.
    var vtEnabled = Object_Fido_Configs.GetAsBool("fido.director.virustotal", false);
    var pw = lFidoReturnValues.ProtectWise;
    var hasHash = pw != null && pw.MD5 != null && pw.MD5.Any();
    if (vtEnabled && hasHash)
    {
        if (pw.VirusTotal == null)
        {
            pw.VirusTotal = new VirusTotalReturnValues();
        }
        Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
        var hashes = new List<string> { pw.MD5 };
        pw.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(hashes);
    }

    var tgEnabled = Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false);
    if (tgEnabled)
    {
        Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
        lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
    }
    return lFidoReturnValues;
}
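private static Dictionary<string, string> CarbonBlackBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary<string, string> replacements)
{
    // Apply the threat-feed token replacements for a CarbonBlack alert, each gated on its
    // "fido.director.*" flag, and return the updated map.
    //
    // Fix: the original wrapped this in try { } catch (Exception e) { throw e; }, which did
    // nothing but discard the stack trace. Exceptions now propagate unchanged.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        replacements = CarbonBlackVTReplacements(lFidoReturnValues, replacements);
    }
    // NOTE(review): the original gated BOTH the Geo and the ThreatGRID replacements on the
    // ThreatGRID flag (it read the flag twice). That may be intended — the geo data may come
    // from the ThreatGRID lookup — or a copy-paste slip; confirm. Behavior is preserved.
    if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        replacements = CarbonBlackGeoReplacements(lFidoReturnValues, replacements);
        replacements = CarbonBlackThreatGRIDReplacements(lFidoReturnValues, replacements);
    }
    return replacements;
}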
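private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
{
    // Send the FireEye MD5 hash list to VirusTotal when "fido.director.virustotal" is on.
    // ThreatGRID submission is still undecided (see the todo below).
    //
    // Fix: the original called MD5Hash.Any() without a null check, unlike the ProtectWise
    // sibling; a FireEye section with no hash list threw instead of being skipped.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        var fe = lFidoReturnValues.FireEye;
        if (fe != null && fe.MD5Hash != null && fe.MD5Hash.Any())
        {
            if (fe.VirusTotal == null)
            {
                fe.VirusTotal = new VirusTotalReturnValues();
            }
            Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
            fe.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(fe.MD5Hash);
        }
    }
    //todo: decide if FireEye should go to ThreatGRID
    //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    //{
    //    Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
    //    lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
    //}
    return lFidoReturnValues;
}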
private void PrepareFidoReturnValues(FidoReturnValues lFidoReturnValues)
{
    // Build the summary email for an alert: generate the template, compute the
    // recommendation, run both replacement passes over the email body, and record whether
    // this is a test run.
    //
    // NOTE(review): SummaryEmail(...) returns a FidoReturnValues that is stored back into the
    // parameter. The parameter is not passed by ref, so the caller sees the later updates
    // only if SummaryEmail returns the very instance it was given — confirm.
    var prepared = SummaryEmail(lFidoReturnValues);
    prepared.Recommendation = ReturnRecommendation(prepared);
    prepared.SummaryEmail = ReplacingValues(prepared.SummaryEmail, prepared);
    prepared.SummaryEmail = ReplacingBadGuyValues(prepared.SummaryEmail, prepared);
    var testRun = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    prepared.IsTest = testRun;
}
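private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // Enrich a ProtectWise event with VirusTotal URL and IP reports.
    //
    // Fix: the original returned early when "fido.director.virustotal" was TRUE, i.e. the
    // enrichment only ran with the feed switched off (ProtectWiseHash / FireEyeHash gate on
    // the flag being true). The condition is now negated. A missing ProtectWise section
    // returns instead of throwing, and the VirusTotal link is https.
    if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }
    var pw = lFidoReturnValues.ProtectWise;
    if (pw == null)
    {
        return lFidoReturnValues;
    }
    if (pw.VirusTotal == null)
    {
        pw.VirusTotal = new VirusTotalReturnValues();
    }

    //send ProtectWise return to VT URL API
    // Prefer the reputation URL from the incident details, else fall back to the event URL.
    if (pw.IncidentDetails != null && pw.IncidentDetails.Data != null)
    {
        var doLookup = false;
        string urlToCheck = null;
        if (pw.IncidentDetails.Data.URL_Reputation != null)
        {
            Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
            urlToCheck = pw.IncidentDetails.Data.URL_Reputation.Url;
            doLookup = true;
        }
        else if (pw.URL != null)
        {
            Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
            urlToCheck = pw.URL;
            doLookup = true;
        }
        if (doLookup)
        {
            var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(new List<string> { urlToCheck });
            if (vtURLReturn != null)
            {
                pw.VirusTotal.URLReturn = vtURLReturn;
            }
        }
    }

    //send ProtectWise return to VT IP API
    // Only one candidate (DstIP), so the original add/filter/distinct collapses to this check.
    if (!string.IsNullOrEmpty(pw.DstIP))
    {
        var sIPToCheck = new List<string> { pw.DstIP };
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        pw.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
        //todo: move the url to the database
        // Analyst-facing link: https so the click is not an unencrypted hop.
        pw.VirusTotal.IPUrl = "https://www.virustotal.com/en/ip-address/" + pw.DstIP + "/information/";
    }
    return lFidoReturnValues;
}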
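public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
{
    // Persist one alert into the local SQLite store (event_alerts) and fan the detector,
    // machine, user and historical URL/hash/IP data out to their tables. Errors are mailed.
    //
    // Fixes: the column map is now built inside the try, so a null Hostname/TimeOccurred is
    // reported like any other failure instead of escaping to the caller; the non-short-
    // circuit "|" on reference checks is replaced with "||".
    var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);
    var db = new SqLiteDB();
    try
    {
        var hostname = lFidoReturnValues.Hostname == null ? null : lFidoReturnValues.Hostname.ToLower();
        var data = new Dictionary<String, String>
        {
            { "timer", iKeepAlive.ToString(CultureInfo.InvariantCulture) },
            { "ip_address", lFidoReturnValues.SrcIP },
            { "hostname", hostname },
            // Convert.ToDateTime parses with the current culture; the value is rewritten in
            // invariant form for storage.
            { "timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred).ToString(CultureInfo.InvariantCulture) },
            { "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) },
            { "alert_id", lFidoReturnValues.AlertID }
        };

        //insert event to primary alert table
        db.Insert("event_alerts", data);
        // NOTE(review): the row count is presumably used as the id of the row just inserted;
        // that only holds while rows are never deleted and inserts are not concurrent.
        const string eventAlerts = @"select count() from event_alerts";
        var newRow = db.ExecuteScalar(eventAlerts);

        //if there is threat data then insert otherwise
        //todo: figure out a better way to find out if a detector is empty
        if (lFidoReturnValues.Bit9 != null || lFidoReturnValues.Antivirus != null ||
            lFidoReturnValues.FireEye != null || lFidoReturnValues.Cyphort != null ||
            lFidoReturnValues.ProtectWise != null || lFidoReturnValues.PaloAlto != null)
        {
            UpdateThreatToDB(lFidoReturnValues, newRow);
        }
        //if there is machine data then insert otherwise
        if (lFidoReturnValues.Landesk != null || lFidoReturnValues.Jamf != null)
        {
            UpdateMachineToDB(lFidoReturnValues, newRow);
        }
        //if there is user data then insert otherwise
        if (lFidoReturnValues.UserInfo != null)
        {
            UpdateUserToDB(lFidoReturnValues, newRow);
        }
        //if there is histiorical url/hash/ip data insert
        UpdateHistoricalURLInfo(lFidoReturnValues);
        UpdateHistoricalHashInfo(lFidoReturnValues);
        UpdateHistoricalIPInfo(lFidoReturnValues);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
    }
}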
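private static void CloseCarbonBlackAlert(FidoReturnValues lFidoReturnValues)
{
    // POST to the CarbonBlack alert endpoint for lFidoReturnValues.AlertID (the server's
    // Query2/Query3 template) and run ParseCarbonBlackAlert over whatever it returns.
    //
    // Fixes: the original called GetResponseStream() a second time and manually
    // disposed/closed inside the using blocks; the StreamReader was never disposed; the
    // alert id was substituted into the URL unescaped.
    Console.WriteLine(@"Closing CarbonBlack event for: " + lFidoReturnValues.AlertID + @".");

    // SECURITY: process-wide TLS 1.0 pin and accept-all certificate callback — affects every
    // connection in this process, not just CarbonBlack.
    //todo: make ssl bypass configurable
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = delegate { return (true); };

    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("carbonblackv1");
    var alertId = Uri.EscapeDataString(lFidoReturnValues.AlertID ?? string.Empty);
    var request = parseConfigs.Server + parseConfigs.Query2 + alertId + parseConfigs.Query3;
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    // Sent as a body-less POST, as in the original; the token goes in a header, not the URL.
    alertRequest.Method = "POST";
    alertRequest.ContentType = "application/json";
    alertRequest.Headers[@"X-Auth-Token"] = parseConfigs.APIKey;
    try
    {
        using (var cbResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (cbResponse == null || cbResponse.StatusCode != HttpStatusCode.OK)
            {
                return;
            }
            using (var respStream = cbResponse.GetResponseStream())
            {
                if (respStream == null)
                {
                    return;
                }
                string body;
                using (var cbReader = new StreamReader(respStream, Encoding.UTF8))
                {
                    body = cbReader.ReadToEnd();
                }
                if (body == "[]")
                {
                    return;
                }
                var cbReturn = JsonConvert.DeserializeObject<Object_CarbonBlack_Alert_Class.CarbonBlack>(body);
                if (cbReturn != null)
                {
                    ParseCarbonBlackAlert(cbReturn);
                }
                Console.WriteLine(@"Finished retreiving CB alerts.");
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black alert area:" + e);
    }
}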
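private static FidoReturnValues SendCyphortToThreatGRID(FidoReturnValues lFidoReturnValues)
{
    // Enrich a Cyphort alert with ThreatGRID data for its destination IP: search a window
    // that starts at 7 days back and doubles until at least 50 hits are found or the window
    // passes one year, then pull detailed threat info for at most the first 25 hits.
    //
    // Fix: the original returned early when "fido.director.threatgrid" was TRUE, i.e. the
    // enrichment ran only with the feed switched off (ProtectWiseHash gates on the flag
    // being true). The condition is negated. Missing Cyphort/ThreatGRID sections and a
    // null search result now return instead of throwing, and the item count is read as a
    // 32-bit value (Convert.ToInt16 overflowed above 32767).
    if (!Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        return lFidoReturnValues;
    }
    if (lFidoReturnValues.Cyphort == null || lFidoReturnValues.Cyphort.ThreatGRID == null)
    {
        return lFidoReturnValues;
    }
    var tg = lFidoReturnValues.Cyphort.ThreatGRID;

    Int16 iDays = -7;
    tg.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
    var itemCount = CyphortThreatGridItemCount(tg.IPSearch == null || tg.IPSearch.Data == null ? null : tg.IPSearch.Data.CurrentItemCount);
    while (itemCount < 50)
    {
        if (iDays < -364)
        {
            break;
        }
        iDays = (Int16)(iDays * 2);
        tg.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
        itemCount = CyphortThreatGridItemCount(tg.IPSearch == null || tg.IPSearch.Data == null ? null : tg.IPSearch.Data.CurrentItemCount);
    }
    if (tg.IPSearch == null || tg.IPSearch.Data == null)
    {
        return lFidoReturnValues;
    }

    Console.WriteLine(@"Successfully found ThreatGRID IP data (" + tg.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");
    if (itemCount == 0)
    {
        return lFidoReturnValues;
    }

    //todo: make the below integer values configurable by storing them in the DB
    // Detailed lookups are capped at 25 (each is a separate ThreatGRID call).
    var vTGItemCount = itemCount < 25 ? itemCount : 25;
    if (tg.IPThreatInfo == null)
    {
        tg.IPThreatInfo = new List<Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
    }
    for (var i = 0; i < vTGItemCount; i++)
    {
        tg.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(tg.IPSearch.Data.Items[i].HashID));
    }
    return lFidoReturnValues;
}

// Normalise ThreatGRID's CurrentItemCount (string or number; null when absent) to an int.
private static int CyphortThreatGridItemCount(object rawCount)
{
    if (rawCount == null)
    {
        return 0;
    }
    return Convert.ToInt32(rawCount, CultureInfo.InvariantCulture);
}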
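private static List<string> Getmanagerinfo(string sUserDN)
{
    // Look up the Active Directory object whose distinguishedName equals sUserDN and return,
    // in this order, whichever of mail / samaccountname / displayname / title / mobile are
    // populated. Returns null when the directory query throws (the error is mailed).
    //
    // Fixes: sUserDN was spliced into the LDAP filter unescaped; the DirectoryEntry,
    // DirectorySearcher and SearchResultCollection were never disposed.
    try
    {
        var lManagerValues = new List<string>();
        // NOTE(review): the bind credentials are read from configuration in clear text.
        string domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
        string user = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
        string pwd = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);

        // Escape the RFC 4515 filter metacharacters (\ * ( ) NUL) so a DN containing them
        // cannot change the filter. This should also let DNs with escaped commas
        // (e.g. "CN=Doe\, John,...") match, which the raw form did not. Backslash first.
        var filterValue = sUserDN == null
            ? string.Empty
            : sUserDN.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
        var attributes = new[] { "mail", "samaccountname", "displayname", "title", "mobile" };

        using (var searchRoot = new DirectoryEntry(domainPath, user, pwd))
        using (var search = new DirectorySearcher(searchRoot) { Filter = "(&(objectClass=user)(objectCategory=person)(distinguishedName=" + filterValue + "))" })
        {
            foreach (var attribute in attributes)
            {
                search.PropertiesToLoad.Add(attribute);
            }
            using (SearchResultCollection resultCol = search.FindAll())
            {
                foreach (SearchResult result in resultCol)
                {
                    // Only the first value of each multi-valued attribute is taken.
                    foreach (var attribute in attributes)
                    {
                        if (result.Properties[attribute].Count > 0)
                        {
                            lManagerValues.Add((String)result.Properties[attribute][0]);
                        }
                    }
                }
            }
        }
        return lManagerValues;
    }
    catch (Exception error)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Active Directory grab manager info area:" + error);
    }
    return null;
}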
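internal static void SendMessage(this MailMessage mMessage)
{
    // Send mMessage through the SMTP relay named by the class-level sSMTPServer, authenticating
    // with the "fido.smtp.*" credentials from configuration.
    //
    // Fix: the explicit Dispose() call inside the using block was redundant (the using
    // disposes the client) and has been dropped.
    //
    // NOTE(review): EnableSsl is never set, so the login and the message go to the relay in
    // clear text unless the relay is local/trusted — confirm, and enable STARTTLS if the relay
    // supports it. The credentials are stored in configuration in clear text.
    using (var smtpClient = new SmtpClient(sSMTPServer))
    {
        Console.WriteLine(@"Sending FIDO email.");
        var sSMTPUser = Object_Fido_Configs.GetAsString("fido.smtp.smtpuserid", string.Empty);
        var sSMTPPwd = Object_Fido_Configs.GetAsString("fido.smtp.smtppwd", string.Empty);
        smtpClient.Credentials = new NetworkCredential(sSMTPUser, sSMTPPwd);
        smtpClient.Send(mMessage);
    }
}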
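public static List<FileReport> ParseHash(string[] sMD5Hash)
{
    // Look up each MD5 in sMD5Hash on VirusTotal and return the non-null file reports.
    // Fewer than four hashes are sent back-to-back; four or more are sent one at a time with
    // a 17 s pause between them on the free API (the paid flag comes from the local DB).
    //
    // Fixes: a null sMD5Hash now returns an empty list instead of throwing; empty/null hash
    // entries are skipped and null reports dropped in BOTH branches (the original only did
    // so for the short list and added null entries for the long one).
    //todo: The below is a placeholder for when this will be encrypted.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
    var vtLogin = new VirusTotal(sVTKey);
    var sVirusTotalHash = new List<FileReport>();
    var fidoDB = new SqLiteDB();
    var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

    //todo: remove all the sleeps with a configurable option of whether to sleep AND a
    //configurable integer value for the timer. Currently putting these in for the free
    //API, but need to account for someone having access to the paid API.
    try
    {
        if (sMD5Hash == null)
        {
            return sVirusTotalHash;
        }
        var hashes = sMD5Hash.Where(sHash => !string.IsNullOrEmpty(sHash)).ToArray();
        if (hashes.Length == 0)
        {
            return sVirusTotalHash;
        }
        if (!isPaidFeed)
        {
            Thread.Sleep(1000);
        }
        if (hashes.Length < 4)
        {
            sVirusTotalHash.AddRange(hashes.Select(vtLogin.GetFileReport).Where(sVtmd5Return => sVtmd5Return != null));
        }
        else
        {
            for (var i = 0; i < hashes.Length; i++)
            {
                Console.WriteLine(@"Processing hash #" + (i + 1) + @" of " + hashes.Length + @" " + hashes[i] + @".");
                var report = vtLogin.GetFileReport(hashes[i]);
                if (report != null)
                {
                    sVirusTotalHash.Add(report);
                }
                if (!isPaidFeed)
                {
                    Console.WriteLine(@"Pausing 17 seconds to not overload VT.");
                    Thread.Sleep(17000);
                }
            }
        }
    }
    catch (Exception e)
    {
        // Reports gathered before the failure are still returned.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT Hash area:" + e);
    }
    return sVirusTotalHash;
}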
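public static void GetProtectWiseEvents()
{
    // Poll the ProtectWise v1 events API for the last Query3 minutes (epoch milliseconds in
    // the %currenttime%/%minustime% placeholders) and hand the events to ParseProtectWiseEvent.
    //
    // Fixes: the window length is parsed with the invariant culture (Convert.ToDouble used
    // the current culture); the response object is null-checked before use; the duplicate
    // GetResponseStream()/Close() calls inside the using blocks are gone; the reader is
    // disposed.
    Console.WriteLine(@"Running ProtectWise v1 detector.");
    // NOTE(review): process-wide TLS 1.0 pin; certificate validation is left in place here.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");
    var getTime = DateTime.UtcNow;
    var timer = parseConfigs.Query3.Trim();
    var timeRange = double.Parse(timer, CultureInfo.InvariantCulture) * -1;
    var oldtime = getTime.AddMinutes(timeRange);
    // ToEpochTime yields seconds; the API wants milliseconds, hence the "000" suffix.
    var currentTime = ToEpochTime(getTime).ToString(CultureInfo.InvariantCulture) + "000";
    var newoldtime = ToEpochTime(oldtime).ToString(CultureInfo.InvariantCulture) + "000";
    var request = parseConfigs.Server + parseConfigs.Query.Replace("%currenttime%", currentTime).Replace("%minustime%", newoldtime);
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    // Token is carried in a header rather than the URL.
    alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
    alertRequest.Method = "GET";
    try
    {
        using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK)
            {
                return;
            }
            using (var respStream = protectwiseResponse.GetResponseStream())
            {
                if (respStream == null)
                {
                    return;
                }
                string body;
                using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
                {
                    body = protectwiseReader.ReadToEnd();
                }
                var protectwiseReturn = JsonConvert.DeserializeObject<Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events>(body);
                if (protectwiseReturn != null && protectwiseReturn.Events != null)
                {
                    ParseProtectWiseEvent(protectwiseReturn);
                }
                Console.WriteLine(@"Finished processing ProtectWise events detector.");
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector when getting json:" + e);
    }
}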
private void SetupSyslog()
{
    // Load the "config" table from the database and read the syslog settings. The actual
    // logger setup call is commented out, so at present this only reads configuration;
    // the values are kept so the call can be re-enabled as written below.
    Object_Fido_Configs.LoadConfigFromDb("config");

    var syslogServer = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
    var syslogPort = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
    var syslogFacility = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
    var syslogSender = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
    var syslogLayout = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
    //SysLogger.Setup(syslogServer, syslogPort, syslogFacility, syslogSender, syslogLayout);
}
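public static void DownloadReputationFeed()
{
    // Download the AlienVault reputation feed configured under
    // "fido.securityfeed.alienvault.url" to <startup dir>\threat feeds\reputation.data.
    // Does nothing when the URL is not configured.
    //
    // Fixes: the original read the configured URL but then downloaded a hard-coded plain
    // http:// URL, so the setting was dead and the feed was fetched unauthenticated. It also
    // installed a process-wide accept-all certificate callback; combined with an http fetch,
    // anyone on path could substitute the reputation data. The callback is gone — a host that
    // genuinely needs a certificate exception should get one scoped to its request, not
    // ServicePointManager — the configured URL is used, and the WebClient is disposed.
    var sDownloadUrl = Object_Fido_Configs.GetAsString("fido.securityfeed.alienvault.url", null);
    if (string.IsNullOrEmpty(sDownloadUrl))
    {
        return;
    }
    var targetPath = Path.Combine(Path.Combine(Application.StartupPath, "threat feeds"), "reputation.data");
    using (var wcAlientVaultWebClient = new WebClient())
    {
        wcAlientVaultWebClient.DownloadFile(sDownloadUrl, targetPath);
    }
}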
//get sql sources from fido XML
public static IEnumerable<string> GetSqlSources()
{
    // Return the comma-separated "fido.sysmgmt.params.types" setting split into its parts.
    // When the setting is absent the Split() call throws on null; that is caught, mailed,
    // and null is returned.
    string[] sources = null;
    try
    {
        var rawTypes = Object_Fido_Configs.GetAsString("fido.sysmgmt.params.types", null);
        sources = rawTypes.Split(',');
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception in getsqlsources area:" + e);
    }
    return sources;
}
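public static void RunPANJob(string jobID)
{
    // Fetch the result of the Palo Alto log job jobID (Query2 template), convert an XML
    // answer to JSON, and hand the parsed log entries to ParsePan. Errors are mailed.
    //
    // Fixes: the XmlDocument now has XmlResolver = null so a crafted response cannot make
    // the process fetch external DTDs/entities (XXE); the job id is escaped before being
    // substituted into the URL; the deserialized object is null-checked along the whole
    // Result.Log.Logs.Entry chain; the reader is disposed.
    Console.WriteLine(@"Running PAN job " + jobID + @".");
    // SECURITY: process-wide TLS 1.0 pin and accept-all certificate callback — every
    // connection in this process is affected. The API key also travels in the URL.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return (true); });
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("panv1");
    var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;
    request = request.Replace("%jobid%", Uri.EscapeDataString(jobID ?? string.Empty));
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    alertRequest.Timeout = 180000;
    alertRequest.Method = "GET";
    try
    {
        using (var panResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (panResponse == null || panResponse.StatusCode != HttpStatusCode.OK)
            {
                return;
            }
            using (var respStream = panResponse.GetResponseStream())
            {
                if (respStream == null)
                {
                    return;
                }
                string body;
                using (var panReader = new StreamReader(respStream, Encoding.UTF8))
                {
                    body = panReader.ReadToEnd();
                }
                if (body.TrimStart().StartsWith("<", StringComparison.Ordinal))
                {
                    // The firewall answers in XML; convert it to JSON for the shared model.
                    var doc = new XmlDocument { XmlResolver = null };
                    doc.LoadXml(body);
                    body = JsonConvert.SerializeXmlNode(doc, Formatting.None, true);
                }
                var panReturn = JsonConvert.DeserializeObject<Object_PaloAlto_Class.PanReturn>(body);
                if (panReturn == null || panReturn.Result == null || panReturn.Result.Log == null ||
                    panReturn.Result.Log.Logs == null || panReturn.Result.Log.Logs.Entry == null)
                {
                    return;
                }
                ParsePan(panReturn);
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PAN v1 Detector getting json:" + e);
    }
}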
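public static void GetPANJob()
{
    // Ask the Palo Alto firewall to start a log query (Query template), wait ten seconds for
    // it to run, then fetch the result with RunPANJob. Errors are mailed.
    //
    // Fixes: the XmlDocument now has XmlResolver = null so a crafted response cannot make the
    // process fetch external DTDs/entities (XXE); the deserialized object is null-checked
    // before Result.Job is read; the reader is disposed.
    Console.WriteLine(@"Running PAN v1 detector.");
    // SECURITY: process-wide TLS 1.0 pin and accept-all certificate callback — every
    // connection in this process is affected. The API key also travels in the URL.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return (true); });
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("panv1");
    var request = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    alertRequest.Method = "GET";
    try
    {
        using (var panResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (panResponse == null || panResponse.StatusCode != HttpStatusCode.OK)
            {
                return;
            }
            using (var respStream = panResponse.GetResponseStream())
            {
                if (respStream == null)
                {
                    return;
                }
                string body;
                using (var panReader = new StreamReader(respStream, Encoding.UTF8))
                {
                    body = panReader.ReadToEnd();
                }
                if (body.TrimStart().StartsWith("<", StringComparison.Ordinal))
                {
                    // The firewall answers in XML; convert it to JSON for the shared model.
                    var doc = new XmlDocument { XmlResolver = null };
                    doc.LoadXml(body);
                    body = JsonConvert.SerializeXmlNode(doc, Formatting.None, true);
                }
                var panReturn = JsonConvert.DeserializeObject<Object_PaloAlto_Class.GetJob>(body);
                if (panReturn == null || panReturn.Result == null || string.IsNullOrEmpty(panReturn.Result.Job))
                {
                    return;
                }
                //We need to let the PAN finish processing the request before trying to pull the report
                Thread.Sleep(10000);
                RunPANJob(panReturn.Result.Job);
                Console.WriteLine(@"Finished processing PAN v1 detector.");
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PAN v1 Detector getting json:" + e);
    }
}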
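private Dictionary<string, string> GetSysLogParams()
{
    // Collect the syslog and startup settings into a string-keyed, string-valued map.
    //
    // Fix: the original did not compile — Dictionary has Add, not add, and it was handed an
    // int, a bool and a string[] for a Dictionary<string, string>. Numbers and booleans are
    // rendered as strings (invariant culture / "True"/"False"); "detectors" keeps the raw
    // comma-separated list, since the original's Split() result could not be stored in this
    // map — consumers split it themselves.
    var result = new Dictionary<string, string>
    {
        { "server", Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost") },
        { "port", Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514).ToString(CultureInfo.InvariantCulture) },
        { "facility", Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1") },
        { "sender", Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido") },
        { "layout", Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)") },
        { "isParamTest", Object_Fido_Configs.GetAsBool("fido.application.teststartup", true).ToString() },
        { "detectors", Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty) }
    };
    return result;
}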
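public static List<string> GetFileInfo(IEnumerable<string> lFileHash, Bit9ReturnValues lBit9ReturnValues)
{
    // Query the Bit9 reporting database (Fido_FileInstanceInfo) either by each MD5 in
    // lFileHash or, when that is null, by the file name / path / host in lBit9ReturnValues,
    // and return the rows collected by ReadBit9Info. Errors are mailed; the partial list is
    // returned.
    //
    // Fixes: both queries were built by string concatenation (the original's own todo flags
    // the SQL injection) and are now parameterized; the SqlConnection and SqlCommands are
    // disposed; the decrypted password is actually placed in the connection string (this
    // copy of the source had it redacted out).
    var lBit9Info = new List<string>();
    var oBit9Return = new object[69];
    var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
    // NOTE(review): the key-encryption key is decrypted with the constant "1", so anyone with
    // the config has the credentials; this is obfuscation, not protection.
    sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
    var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
    var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
    var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
    var sDb = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
    try
    {
        //todo: take connection string and encrypt to put in XML config
        // NOTE(review): "Integrated Security=sspi" makes SQL Server authenticate with the
        // process's Windows identity and ignore the SQL login above — confirm which is intended.
        var connectionString = "user id=" + sUserID + ";password=" + sPwd + ";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDb + ";connection timeout=60";
        using (var vConnection = new SqlConnection(connectionString))
        {
            if (lFileHash != null)
            {
                foreach (var sFileHash in lFileHash)
                {
                    using (var CMD = new SqlCommand("SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE MD5 = @md5", vConnection) { CommandType = CommandType.Text })
                    {
                        // A null hash matched '' in the original; keep that by passing "".
                        CMD.Parameters.AddWithValue("@md5", sFileHash ?? string.Empty);
                        ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
                    }
                }
            }
            else if (lBit9ReturnValues != null)
            {
                const string sQuery = "SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE FILE_NAME = @fileName AND Path_Name = @pathName AND Computer_Name = @hostName";
                using (var CMD = new SqlCommand(sQuery, vConnection) { CommandType = CommandType.Text })
                {
                    CMD.Parameters.AddWithValue("@fileName", lBit9ReturnValues.FileName.ToLower());
                    CMD.Parameters.AddWithValue("@pathName", lBit9ReturnValues.FilePath.ToLower());
                    CMD.Parameters.AddWithValue("@hostName", lBit9ReturnValues.HostName ?? string.Empty);
                    ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving file information from Bit9:" + e);
    }
    return lBit9Info;
}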
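//This function will grab the API information and build a query string.
//Then it will assign the json return to an object. If any of the objects
//have a value they will be sent to ParseCyphort helper function.
public static void GetCyphortAlerts()
{
    // Fixes: the deserialized object and its three arrays are null-checked before Any() (a
    // "null" body or a missing array threw); the non-short-circuit "|" is "||"; the duplicate
    // GetResponseStream()/Close() calls inside the using blocks are gone; the reader is disposed.
    Console.WriteLine(@"Running Cyphort v2 detector.");
    // SECURITY: ServicePointManager is process-wide, so this pins every connection of the
    // process to TLS 1.0 and accepts any certificate, not just Cyphort's. The API key is also
    // carried in the URL.
    //todo: make ssl bypass configurable
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = delegate { return (true); };
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv2");
    var request = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    alertRequest.Method = "GET";
    try
    {
        using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
        {
            if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
            {
                return;
            }
            using (var respStream = cyphortResponse.GetResponseStream())
            {
                if (respStream == null)
                {
                    return;
                }
                string body;
                using (var cyphortReader = new StreamReader(respStream, Encoding.UTF8))
                {
                    body = cyphortReader.ReadToEnd();
                }
                var cyphortReturn = JsonConvert.DeserializeObject<CyphortClass>(body);
                if (cyphortReturn != null)
                {
                    var hasCorrelations = cyphortReturn.correlations_array != null && cyphortReturn.correlations_array.Any();
                    var hasInfections = cyphortReturn.infections_array != null && cyphortReturn.infections_array.Any();
                    var hasDownloads = cyphortReturn.downloads_array != null && cyphortReturn.downloads_array.Any();
                    if (hasCorrelations || hasInfections || hasDownloads)
                    {
                        ParseCyphort(cyphortReturn);
                    }
                }
                Console.WriteLine(@"Finished processing Cyphort detector.");
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector getting json:" + e);
    }
}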
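private static DirectorySearcher CreateDirectorySearcher(string sUserId)
{
    // Build a DirectorySearcher rooted at "fido.ldap.basedn" (bound with the configured
    // credentials) that matches the person object whose sAMAccountName is sUserId, with the
    // standard property list added by AddPropertiesToLoad. The caller owns the returned
    // searcher and its SearchRoot and is responsible for disposing them.
    //
    // Fixes: the original declaration had no return type and did not compile; sUserId was
    // spliced into the LDAP filter unescaped.
    var domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
    var user = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
    // NOTE(review): bind password is stored in configuration in clear text.
    var pwd = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);
    // Escape the RFC 4515 filter metacharacters (\ * ( ) NUL) — backslash first — so an
    // account name such as "*" or "a)(objectClass=*" cannot widen the filter.
    var filterValue = sUserId == null
        ? string.Empty
        : sUserId.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    var searchRoot = new DirectoryEntry(domainPath, user, pwd);
    var search = new DirectorySearcher(searchRoot)
    {
        Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + filterValue + "))"
    };
    AddPropertiesToLoad(search);
    return search;
}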
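private static void ParseProtectWiseEvent(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events protectWiseReturn)
{
    // For each event (oldest first — the array is reversed), fetch its observations from the
    // ProtectWise search endpoint (Query2 + event id) and pass them to
    // ParseProtectWiseObservation. A failure on one event is mailed and the loop continues.
    //
    // Fixes: a null response stream for one event now skips that event instead of abandoning
    // all remaining ones (the original returned from inside the loop); the event id is
    // escaped before being appended to the URL; the detector config and protocol pin are
    // read once instead of per event; the duplicate stream Dispose()/Close() calls are gone
    // and the reader is disposed.
    if (protectWiseReturn == null || protectWiseReturn.Events == null)
    {
        return;
    }
    protectWiseReturn.Events = protectWiseReturn.Events.Reverse().ToArray();
    // NOTE(review): process-wide TLS 1.0 pin; certificate validation is left in place here.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");
    foreach (var pevent in protectWiseReturn.Events)
    {
        Console.WriteLine(@"Gathering ProtectWise observations for event: " + pevent.Message + @".");
        var request = parseConfigs.Server + parseConfigs.Query2 + Uri.EscapeDataString(pevent.Id ?? string.Empty);
        var alertRequest = (HttpWebRequest)WebRequest.Create(request);
        alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
        alertRequest.Method = "GET";
        try
        {
            using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
            {
                if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK)
                {
                    continue;
                }
                using (var respStream = protectwiseResponse.GetResponseStream())
                {
                    if (respStream == null)
                    {
                        continue;
                    }
                    string body;
                    using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
                    {
                        body = protectwiseReader.ReadToEnd();
                    }
                    var protectwiseReturn = JsonConvert.DeserializeObject<Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event>(body);
                    if (protectwiseReturn != null)
                    {
                        ParseProtectWiseObservation(protectwiseReturn, pevent.Message);
                    }
                }
            }
        }
        catch (Exception e)
        {
            Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector when getting json:" + e);
        }
    }
}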
private void SendMail(string sSubject, FidoReturnValues lFidoReturnValues)
{
    // Mail the summary email for an alert. Alerts go to the primary address with the
    // secondary on CC; non-alerts go to the non-alert address (as both To and CC). The gauge
    // attachment list comes from GetAttachmentList(); there is no file attachment.
    var sender = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var primary = Object_Fido_Configs.GetAsString("fido.email.primaryemail", null);
    var secondary = Object_Fido_Configs.GetAsString("fido.email.secondaryemail", null);
    var nonAlert = Object_Fido_Configs.GetAsString("fido.email.nonalertemail", null);
    var gauges = GetAttachmentList();

    var to = lFidoReturnValues.IsSendAlert ? primary : nonAlert;
    var cc = lFidoReturnValues.IsSendAlert ? secondary : nonAlert;
    Email_Send.Send(to, cc, sender, sSubject, lFidoReturnValues.SummaryEmail, gauges, null);
}
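private static HttpWebRequest CreateHttpWebRequest(FidoReturnValues lFidoReturnValues)
{
    // Build the GET request for the Cyphort v3 incident named by
    // lFidoReturnValues.Cyphort.IncidentID (Server + Query2 + APIKey, with %incidentid%
    // substituted).
    //
    // Fix: the incident id — which originates from an earlier Cyphort response — is escaped
    // before substitution so it cannot alter the path or query (a null id becomes "" as before).
    //
    // SECURITY: ServicePointManager is process-wide state; the two assignments below pin
    // every connection of this process to TLS 1.0 and accept any server certificate, not
    // just Cyphort's. Kept because the original notes the host has no valid certificate, but
    // this should be scoped per host/request and made configurable. The API key also
    // travels in the URL and therefore in proxy logs and mailed exception text.
    //todo: make ssl bypass configurable
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    ServicePointManager.ServerCertificateValidationCallback = delegate { return (true); };
    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
    var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;
    request = request.Replace("%incidentid%", Uri.EscapeDataString(lFidoReturnValues.Cyphort.IncidentID ?? string.Empty));
    var alertRequest = (HttpWebRequest)WebRequest.Create(request);
    alertRequest.Method = "GET";
    return alertRequest;
}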
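//if getevents is positive, get machine name and IP
private static IEnumerable<string> GetHost(string sMD5)
{
    // Return one "Computer_Name,IP_Address,Executed,Deleted" string per Bit9 file-instance
    // row whose MD5 equals sMD5. Errors are mailed and whatever was collected is returned.
    //
    // Fixes: the query was built by concatenating sMD5 (the original's own todo flags the SQL
    // injection) and is now parameterized; the SqlConnection is disposed; the decrypted
    // password is actually placed in the connection string (this copy of the source had it
    // redacted out).
    var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);
    // NOTE(review): the key-encryption key is decrypted with the constant "1", so anyone with
    // the config has the credentials; this is obfuscation, not protection.
    sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
    var sUserID = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
    var sPwd = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
    var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
    var sDB = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
    var oBit9Return = new object[4];
    var lHostInfo = new List<string>();
    try
    {
        //todo: encrypt and retrived these values from DB.
        // NOTE(review): "Integrated Security=sspi" makes SQL Server authenticate with the
        // process's Windows identity and ignore the SQL login above — confirm which is intended.
        var connectionString = "user id=" + sUserID + ";password=" + sPwd + ";Server=" + sBit9Server + ",1433;Integrated Security=sspi;Database=" + sDB + ";connection timeout=10";
        const string sQuery = "SELECT [Computer_Name],[IP_Address], [Executed], [Deleted] FROM [das].[dbo].[Fido_FileInstanceInfo] Where MD5 = @md5";
        using (var vConnection = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sQuery, vConnection) { CommandType = CommandType.Text })
        {
            // A null hash matched '' in the original; keep that by passing "".
            cmd.Parameters.AddWithValue("@md5", sMD5 ?? string.Empty);
            vConnection.Open();
            using (var objReader = cmd.ExecuteReader())
            {
                while (objReader.Read())
                {
                    objReader.GetSqlValues(oBit9Return);
                    if (oBit9Return.GetValue(0) != null)
                    {
                        lHostInfo.Add(oBit9Return.GetValue(0) + "," + oBit9Return.GetValue(1) + "," + oBit9Return.GetValue(2) + "," + oBit9Return.GetValue(3));
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving host information from Bit9:" + e);
    }
    return lHostInfo;
}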