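    /// <summary>
    /// Looks up VirusTotal IP reports for the given addresses via <c>GetIPReport</c>.
    /// </summary>
    /// <param name="sIP">IP addresses to query; a null array yields null.</param>
    /// <returns>
    /// The reports returned by <c>GetIPReport</c>, or null when <paramref name="sIP"/> is null,
    /// the lookup itself returned null, or an exception was raised (reported by email).
    /// </returns>
    private static List<Object_VirusTotal_IP.IPReport> ParseIP(string[] sIP)
    {
      //The below is a placeholder for when this will be encrypted.
      //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
      //NOTE(review): the API key is read in clear from config; keep it out of log lines and error emails.
      var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);

      //The original also constructed a VirusTotal client here that was never used; GetIPReport
      //receives the key directly, so that allocation was dropped.
      if (sIP == null)
      {
        return null;
      }

      try
      {
        //test code to workaround rate limiting lives in GetIPReport; a null result is passed through.
        return GetIPReport(sIP, sVTKey);
      }
      catch (Exception e)
      {
        //best effort: the failure is reported by email and surfaces to the caller as null.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
      }
      return null;
    }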
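        /// <summary>
        /// Pulls the incident named by <c>lFidoReturnValues.Cyphort.IncidentID</c> from the Cyphort v3
        /// API, stores it in <c>Cyphort.IncidentDetails</c> and runs the DNS, download and infection
        /// post-processing on it.
        /// </summary>
        /// <param name="lFidoReturnValues">Return values carrying the Cyphort incident id; updated in place.</param>
        private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
        {
            Console.WriteLine(@"Pulling Cyphort incident details.");
            //currently needed to bypass site without a valid cert.
            //todo: make ssl bypass configurable
            //NOTE(review): both settings are process-global. The callback makes every later HTTPS call
            //in this process accept any certificate, and SecurityProtocolType.Tls pins TLS 1.0. When the
            //bypass becomes configurable, prefer trusting the appliance certificate/CA and allowing TLS 1.2.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };

            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
            //the API key is part of the query string, so the assembled URL must never be logged or mailed
            var request      = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;

            request = request.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID);
            var alertRequest = (HttpWebRequest)WebRequest.Create(request);

            alertRequest.Method = "GET";
            try
            {
                using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
                    {
                        return;
                    }
                    using (var respStream = cyphortResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return;
                        }
                        string stringreturn;
                        using (var cyphortReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            stringreturn = cyphortReader.ReadToEnd();
                        }
                        var cyphortReturn = JsonConvert.DeserializeObject<Object_Cyphort_Class.CyphortIncident>(stringreturn);
                        //DeserializeObject returns null for an empty or "null" body; treat that like a missing incident
                        if (cyphortReturn == null || cyphortReturn.Incident == null)
                        {
                            return;
                        }
                        //the original first assigned a fresh CyphortIncident and immediately overwrote it
                        lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn;

                        ChangeDNSName(lFidoReturnValues);

                        //NOTE(review): the Format*ReturnValues results are assigned back to the parameter; if they
                        //return a new instance the caller never sees it — confirm they mutate in place.
                        if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1")
                        {
                            lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues);
                        }

                        if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1")
                        {
                            lFidoReturnValues = FormatInfectionReturnValues(lFidoReturnValues);
                        }

                        DoesNotChangeAnyThing(lFidoReturnValues);
                    }
                }
            }
            catch (Exception e)
            {
                //best effort: the failure is reported by email and the alert is left without incident details
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
            }
        }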
        /// <summary>
        /// Fetches the Cyphort v3 incident named by <c>lFidoReturnValues.Cyphort.IncidentID</c> and
        /// hands the response body to <c>getResponseStream</c> for parsing.
        /// </summary>
        /// <param name="lFidoReturnValues">Return values carrying the incident id to look up.</param>
        private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues)
        {
            Console.WriteLine(@"Pulling Cyphort incident details.");
            //currently needed to bypass site without a valid cert.
            //todo: make ssl bypass configurable
            //NOTE(review): both settings are process-global: every later HTTPS call accepts any
            //certificate, and SecurityProtocolType.Tls restricts the client to TLS 1.0.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };

            var detectorConfig = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
            //the API key is part of the URL, so the assembled request must not be logged
            var incidentUrl = string.Concat(detectorConfig.Server, detectorConfig.Query2, detectorConfig.APIKey)
                                    .Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID);
            var incidentRequest = (HttpWebRequest)WebRequest.Create(incidentUrl);
            incidentRequest.Method = "GET";

            try
            {
                using (var incidentResponse = incidentRequest.GetResponse() as HttpWebResponse)
                {
                    var isOk = incidentResponse != null && incidentResponse.StatusCode == HttpStatusCode.OK;
                    if (!isOk)
                    {
                        return;
                    }
                    //the body is parsed by the helper; the response (and its stream) is released by the using block
                    lFidoReturnValues = getResponseStream(incidentResponse.GetResponseStream(), lFidoReturnValues);
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e);
            }
        }
        /// <summary>
        /// Emails an error report to the configured error address and echoes it to the console and the
        /// Fido log. Does nothing when <c>fido.email.runerroremail</c> is false.
        /// </summary>
        /// <param name="sErrorSubject">Subject line; prefixed with "Test: " while <c>fido.application.teststartup</c> is true.</param>
        /// <param name="sErrorMessage">Message body; callers usually append the exception text.</param>
        public static void SendEmail(string sErrorSubject, string sErrorMessage)
        {
            var shouldSend    = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
            var recipientAddr = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
            var senderAddr    = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
            var isTestStartup = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);

            if (!shouldSend)
            {
                return;
            }

            var subject = isTestStartup ? "Test: " + sErrorSubject : sErrorSubject;

            Logging_Fido.RunLogging(sErrorMessage);

            //NOTE(review): the body normally carries a full exception string, which may quote request
            //URLs; keeping API keys out of URLs keeps them out of mail and logs too.
            var errorMail = new Emailfields
            {
                To           = recipientAddr,
                CC           = "",
                From         = senderAddr,
                Subject      = subject,
                Body         = sErrorMessage,
                EmailAttach  = null,
                GaugeAttatch = null
            };
            Email_Send.Send(errorMail);

            Console.WriteLine(sErrorMessage);
            //short pause between consecutive error emails
            Thread.Sleep(1000);
        }
        //function to send email
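        /// <summary>
        /// Builds and sends an HTML email through the configured SMTP server.
        /// </summary>
        /// <param name="sTo">Recipient list.</param>
        /// <param name="sCC">CC list.</param>
        /// <param name="sFrom">Sender address.</param>
        /// <param name="sSubject">Subject line.</param>
        /// <param name="sBody">HTML body.</param>
        /// <param name="lGaugeAttachment">Gauge images handed to <c>AddMain</c>; may be null.</param>
        /// <param name="sEmailAttachment">Path of a file to attach; ignored when null or empty.</param>
        /// <exception cref="Exception">Rethrows whatever the send raised, after a best-effort error notification.</exception>
        public static void Send(string sTo, string sCC, string sFrom, string sSubject, string sBody, List <string> lGaugeAttachment, string sEmailAttachment)
        {
            var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
            var sFidoEmail  = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);

            try
            {
                BuildAndSend(sTo, sCC, sFrom, sSubject, sBody, lGaugeAttachment, sEmailAttachment);
            }
            catch (Exception e)
            {
                //The notification must not go back through Send(): when SMTP itself is down every
                //attempt fails into this same catch and recurses until the stack overflows.
                try
                {
                    BuildAndSend(sErrorEmail, sFidoEmail, sFidoEmail, "Fido Error", "Fido Failed: Generic error sending email." + e, null, null);
                }
                catch (Exception notifyError)
                {
                    //best effort only; the original failure is what the caller needs to see
                    Console.WriteLine(@"Fido Failed: could not send the error notification email: " + notifyError.Message);
                }
                throw;
            }
        }

        //Builds the MailMessage, attaches the optional file and sends it; the message is disposed on every path.
        private static void BuildAndSend(string sTo, string sCC, string sFrom, string sSubject, string sBody, List <string> lGaugeAttachment, string sEmailAttachment)
        {
            using (var mMessage = new MailMessage { IsBodyHtml = true })
            {
                mMessage.AddRecepients(sTo, sCC);
                mMessage.AddMain(sFrom, sSubject, sBody, lGaugeAttachment);

                if (!string.IsNullOrEmpty(sEmailAttachment))
                {
                    //sEmailAttachment is a local file path, so callers must not build it from untrusted input
                    mMessage.Attachments.Add(new Attachment(sEmailAttachment));
                }

                mMessage.SendMessage();
            }
        }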
        /// <summary>
        /// Forwards the ProtectWise MD5 hash to the threat feeds enabled in config:
        /// VirusTotal (<c>fido.director.virustotal</c>) and ThreatGRID (<c>fido.director.threatgrid</c>).
        /// </summary>
        /// <param name="lFidoReturnValues">Return values carrying the ProtectWise detection; updated in place.</param>
        /// <returns>The return values, as handed back by <c>SendProtectWiseToThreatGRID</c> when that feed ran.</returns>
        private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
        {
            //if ProtectWise has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                var protectWise = lFidoReturnValues.ProtectWise;
                if (protectWise != null && !string.IsNullOrEmpty(protectWise.MD5))
                {
                    protectWise.VirusTotal = protectWise.VirusTotal ?? new VirusTotalReturnValues();
                    Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
                    var hashesToCheck = new List<string> { protectWise.MD5 };
                    protectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(hashesToCheck);
                }
            }

            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
                lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
            }

            return lFidoReturnValues;
        }
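        /// <summary>
        /// Applies the "bad guy" (threat feed) template replacements for a CarbonBlack alert, one feed
        /// at a time, according to the <c>fido.director.*</c> switches.
        /// </summary>
        /// <param name="lFidoReturnValues">Return values holding the CarbonBlack detection and feed results.</param>
        /// <param name="replacements">Template placeholder map; updated and returned.</param>
        /// <returns>The replacement map after every enabled feed has contributed.</returns>
        private static Dictionary <string, string> CarbonBlackBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
        {
            //No try/catch: the original `catch (Exception e) { throw e; }` only reset the stack trace,
            //so letting the exception propagate keeps the frame where it was actually thrown.
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                replacements = CarbonBlackVTReplacements(lFidoReturnValues, replacements);
            }

            //NOTE(review): the geo replacements are gated on the ThreatGRID switch, exactly as before;
            //if the geo data comes from another feed this probably wants its own config key — confirm.
            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                replacements = CarbonBlackGeoReplacements(lFidoReturnValues, replacements);
                replacements = CarbonBlackThreatGRIDReplacements(lFidoReturnValues, replacements);
            }

            return replacements;
        }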
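        /// <summary>
        /// Sends the FireEye MD5 hashes to VirusTotal when <c>fido.director.virustotal</c> is enabled
        /// and stores the result in <c>FireEye.VirusTotal.MD5HashReturn</c>.
        /// </summary>
        /// <param name="lFidoReturnValues">Return values carrying the FireEye detection; updated in place.</param>
        /// <returns>The same return values.</returns>
        private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
        {
            //if FireEye has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                var fireEye = lFidoReturnValues.FireEye;
                //MD5Hash is null-checked like ProtectWiseHash does: an alert without hashes must not throw
                if (fireEye != null && fireEye.MD5Hash != null && fireEye.MD5Hash.Any())
                {
                    if (fireEye.VirusTotal == null)
                    {
                        fireEye.VirusTotal = new VirusTotalReturnValues();
                    }
                    Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
                    fireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(fireEye.MD5Hash);
                }
            }

            //todo: decide if FireEye should go to ThreatGRID
            //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            //{
            //  Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
            //  lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
            //}

            return lFidoReturnValues;
        }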
 /// <summary>
 /// Fills in the derived fields of a detection before it is sent: summary email, recommendation,
 /// placeholder replacements and the test-startup flag.
 /// </summary>
 /// <param name="lFidoReturnValues">Return values to complete; updated in place.</param>
 private void PrepareFidoReturnValues(FidoReturnValues lFidoReturnValues)
 {
     //NOTE(review): the SummaryEmail() result is assigned to the parameter; if it returns a new
     //instance the remaining updates are invisible to the caller — confirm it mutates in place.
     var prepared = SummaryEmail(lFidoReturnValues);
     prepared.Recommendation = ReturnRecommendation(prepared);
     //generic placeholders first, then the threat-feed ("bad guy") ones, each reading the current body
     prepared.SummaryEmail = ReplacingValues(prepared.SummaryEmail, prepared);
     prepared.SummaryEmail = ReplacingBadGuyValues(prepared.SummaryEmail, prepared);
     prepared.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
 }
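        /// <summary>
        /// Sends the ProtectWise URL (or, failing that, its URL field) to the VirusTotal URL API and
        /// the destination IP to the VirusTotal IP API, storing the results on <c>ProtectWise.VirusTotal</c>.
        /// </summary>
        /// <param name="lFidoReturnValues">Return values carrying the ProtectWise detection; updated in place.</param>
        /// <returns>The same return values; unchanged when the VirusTotal director is disabled.</returns>
        private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            //Only run when the VirusTotal director is enabled. The original returned early when the
            //flag was TRUE, the opposite of ProtectWiseHash and CarbonBlackBadGuyReplacements.
            if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return lFidoReturnValues;
            }

            var protectWise = lFidoReturnValues.ProtectWise;
            if (protectWise.VirusTotal == null)
            {
                protectWise.VirusTotal = new VirusTotalReturnValues();
            }

            //queries the VT URL API for one URL and keeps a non-null answer
            Action<string> queryUrl = url =>
            {
                var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(new List<string> { url });
                if (vtURLReturn != null)
                {
                    protectWise.VirusTotal.URLReturn = vtURLReturn;
                }
            };

            //send ProtectWise return to VT URL API (IncidentDetails may be absent; the original dereferenced it unguarded)
            var data = protectWise.IncidentDetails != null ? protectWise.IncidentDetails.Data : null;
            if (data != null)
            {
                if (data.URL_Reputation != null)
                {
                    Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
                    queryUrl(data.URL_Reputation.Url);
                }
                else if (protectWise.URL != null)
                {
                    Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
                    queryUrl(protectWise.URL);
                }
            }

            //send ProtectWise return to VT IP API
            var sIPToCheck = new List<string>();
            if (!string.IsNullOrEmpty(protectWise.DstIP))
            {
                sIPToCheck.Add(protectWise.DstIP);
            }
            if (sIPToCheck.Any())
            {
                Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                protectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                //todo: move the url to the database (and prefer an https link when it moves)
                protectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + protectWise.DstIP + "/information/";
            }
            return lFidoReturnValues;
        }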
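        /// <summary>
        /// Inserts an event into the <c>event_alerts</c> table and, for every detector, machine and user
        /// section present on the alert, the matching detail rows plus the historical URL/hash/IP data.
        /// </summary>
        /// <param name="lFidoReturnValues">The processed alert to persist.</param>
        public static void InsertEventToDB(FidoReturnValues lFidoReturnValues)
        {
            var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0);
            var db         = new SqLiteDB();

            try
            {
                //Built inside the try so a bad TimeOccurred (Convert.ToDateTime) is reported like any
                //other insert failure instead of escaping to the caller.
                var hostname = lFidoReturnValues.Hostname;
                var data     = new Dictionary <String, String>
                {
                    { "timer", iKeepAlive.ToString(CultureInfo.InvariantCulture) },
                    { "ip_address", lFidoReturnValues.SrcIP },
                    //hostnames are identifiers: lower-case invariantly so the key never depends on the thread culture
                    { "hostname", hostname == null ? null : hostname.ToLowerInvariant() },
                    { "timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred).ToString(CultureInfo.InvariantCulture) },
                    { "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) },
                    { "alert_id", lFidoReturnValues.AlertID }
                };

                //insert event to primary alert table; the values go in as a map, so SqLiteDB.Insert is
                //expected to parameterize them (confirm — nothing is escaped here)
                db.Insert("event_alerts", data);
                const string eventAlerts = @"select count() from event_alerts";
                //NOTE(review): uses the row count as the id of the row just inserted; that only holds while
                //rows are never deleted and inserts never overlap — last_insert_rowid() would be exact.
                var          newRow      = db.ExecuteScalar(eventAlerts);

                //if there is threat data then insert otherwise
                //todo: figure out a better way to find out if a detector is empty
                if (lFidoReturnValues.Bit9 != null || lFidoReturnValues.Antivirus != null || lFidoReturnValues.FireEye != null ||
                    lFidoReturnValues.Cyphort != null || lFidoReturnValues.ProtectWise != null || lFidoReturnValues.PaloAlto != null)
                {
                    UpdateThreatToDB(lFidoReturnValues, newRow);
                }

                //if there is machine data then insert otherwise
                if (lFidoReturnValues.Landesk != null || lFidoReturnValues.Jamf != null)
                {
                    UpdateMachineToDB(lFidoReturnValues, newRow);
                }

                //if there is user data then insert otherwise
                if (lFidoReturnValues.UserInfo != null)
                {
                    UpdateUserToDB(lFidoReturnValues, newRow);
                }

                //historical url, hash and ip data are always updated
                UpdateHistoricalURLInfo(lFidoReturnValues);
                UpdateHistoricalHashInfo(lFidoReturnValues);
                UpdateHistoricalIPInfo(lFidoReturnValues);
            }
            catch (Exception e)
            {
                //best effort: a failed insert is reported by email and the alert is dropped from the DB
                Fido_EventHandler.SendEmail("Fido Error",
                                            "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e);
            }
        }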
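        /// <summary>
        /// POSTs the close request for <c>lFidoReturnValues.AlertID</c> to the CarbonBlack v1 API and
        /// feeds any alert JSON the API returns back through <c>ParseCarbonBlackAlert</c>.
        /// </summary>
        /// <param name="lFidoReturnValues">Return values carrying the CarbonBlack alert id to close.</param>
        private static void CloseCarbonBlackAlert(FidoReturnValues lFidoReturnValues)
        {
            Console.WriteLine(@"Closing CarbonBlack event for: " + lFidoReturnValues.AlertID + @".");
            //currently needed to bypass site without a valid cert.
            //todo: make ssl bypass configurable
            //NOTE(review): both settings are process-global: every later HTTPS call accepts any
            //certificate, and SecurityProtocolType.Tls pins TLS 1.0.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };

            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("carbonblackv1");
            //NOTE(review): AlertID is spliced into the URL unescaped; it originates from the CarbonBlack API,
            //but Uri.EscapeDataString would be the defensive choice if that ever changes.
            var request      = parseConfigs.Server + parseConfigs.Query2 + lFidoReturnValues.AlertID + parseConfigs.Query3;
            var alertRequest = (HttpWebRequest)WebRequest.Create(request);

            alertRequest.Method      = "POST";
            alertRequest.ContentType = "application/json";
            //the API key travels in a header, not in the URL
            alertRequest.Headers[@"X-Auth-Token"] = parseConfigs.APIKey;
            try
            {
                using (var cbResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (cbResponse == null || cbResponse.StatusCode != HttpStatusCode.OK)
                    {
                        return;
                    }
                    string stringreturn;
                    using (var respStream = cbResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return;
                        }
                        using (var cbReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            stringreturn = cbReader.ReadToEnd();
                        }
                    }
                    //an empty JSON array means there is nothing to parse
                    if (stringreturn == "[]")
                    {
                        return;
                    }
                    var cbReturn = JsonConvert.DeserializeObject <Object_CarbonBlack_Alert_Class.CarbonBlack>(stringreturn);
                    if (cbReturn != null)
                    {
                        ParseCarbonBlackAlert(cbReturn);
                    }
                    //the response and its stream are released by the using blocks; the original's extra
                    //GetResponseStream()/Dispose()/Close() calls were redundant
                    Console.WriteLine(@"Finished retreiving CB alerts.");
                }
            }
            catch (Exception e)
            {
                //best effort: the failure is reported by email; the alert stays open on the CarbonBlack side
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black alert area:" + e);
            }
        }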
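        /// <summary>
        /// Searches ThreatGRID for the alert's destination IP, doubling the look-back window until at
        /// least 50 records are found or a year is covered, then pulls threat details for up to 25 of
        /// the returned samples into <c>Cyphort.ThreatGRID.IPThreatInfo</c>.
        /// </summary>
        /// <param name="lFidoReturnValues">Return values carrying the Cyphort detection; updated in place.</param>
        /// <returns>The same return values; unchanged when the ThreatGRID director is disabled.</returns>
        private static FidoReturnValues SendCyphortToThreatGRID(FidoReturnValues lFidoReturnValues)
        {
            //Only run when the ThreatGRID director is enabled. The original returned early when the
            //flag was TRUE, the opposite of every other fido.director.* check on this page.
            if (!Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                return lFidoReturnValues;
            }

            //NOTE(review): assumes Cyphort.ThreatGRID was allocated by the caller — confirm.
            var threatGrid = lFidoReturnValues.Cyphort.ThreatGRID;
            var dstIP      = lFidoReturnValues.DstIP;

            //Look back 7 days first and keep doubling the window (7, 14, ... 448 days) until
            //ThreatGRID returns at least 50 items or the window is past a year.
            Int16 iDays = -7;
            threatGrid.IPSearch = Feeds_ThreatGRID.SearchInfo(dstIP, false, iDays);
            while (Convert.ToInt16(threatGrid.IPSearch.Data.CurrentItemCount) < 50)
            {
                if (iDays < -364)
                {
                    break;
                }
                iDays = (Int16)(iDays * 2);
                threatGrid.IPSearch = Feeds_ThreatGRID.SearchInfo(dstIP, false, iDays);
            }

            var itemCount = Convert.ToInt16(threatGrid.IPSearch.Data.CurrentItemCount);
            Console.WriteLine(@"Successfully found ThreatGRID IP data (" + threatGrid.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");

            if (itemCount == 0)
            {
                return lFidoReturnValues;
            }

            //todo: make the below integer values configurable by storing them in the DB
            //detail lookups are capped at 25 samples; the original's "i >= 50" guard inside the loop could never fire
            var vTGItemCount = Math.Min((int)itemCount, 25);

            if (threatGrid.IPThreatInfo == null)
            {
                threatGrid.IPThreatInfo = new List <Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
            }
            for (var i = 0; i < vTGItemCount; i++)
            {
                threatGrid.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(threatGrid.IPSearch.Data.Items[i].HashID));
            }

            return lFidoReturnValues;
        }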
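        /// <summary>
        /// Looks up a user in Active Directory by distinguished name and returns the values of the
        /// mail, samaccountname, displayname, title and mobile attributes that are set, in that order.
        /// </summary>
        /// <param name="sUserDN">Distinguished name of the user; escaped before it is placed in the LDAP filter.</param>
        /// <returns>The attribute values found (possibly empty), or null when the lookup failed (reported by email).</returns>
        private static List <string> Getmanagerinfo(string sUserDN)
        {
            try
            {
                var    lManagerValues = new List <string>();
                string domainPath     = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
                string user           = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
                //NOTE(review): the bind password is read in clear from config; keep the config store restricted
                string pwd            = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);
                //The DN is data inside an LDAP filter: escape the RFC 4515 special characters so a DN
                //containing '(' ')' '*' or '\' cannot alter the filter's structure.
                string filter         = "(&(objectClass=user)(objectCategory=person)(distinguishedName=" + EscapeLdapFilterValue(sUserDN) + "))";
                string[] attributes   = { "mail", "samaccountname", "displayname", "title", "mobile" };

                using (var searchRoot = new DirectoryEntry(domainPath, user, pwd))
                using (var search = new DirectorySearcher(searchRoot) { Filter = filter })
                {
                    search.PropertiesToLoad.AddRange(attributes);

                    using (SearchResultCollection resultCol = search.FindAll())
                    {
                        foreach (SearchResult result in resultCol)
                        {
                            foreach (var attribute in attributes)
                            {
                                //only attributes that are set are appended, so the list has no fixed layout
                                if (result.Properties[attribute].Count > 0)
                                {
                                    lManagerValues.Add((String)result.Properties[attribute][0]);
                                }
                            }
                        }
                    }
                }
                return lManagerValues;
            }
            catch (Exception error)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Active Directory grab manager info area:" + error);
            }
            return null;
        }

        //Escapes a value for use inside an LDAP search filter (RFC 4515 section 3); null and empty pass through.
        //The backslash is replaced first so the escapes it introduces are not re-escaped.
        private static string EscapeLdapFilterValue(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return value;
            }
            return value.Replace("\\", "\\5c")
                        .Replace("*", "\\2a")
                        .Replace("(", "\\28")
                        .Replace(")", "\\29")
                        .Replace("\0", "\\00");
        }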
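 /// <summary>
 /// Sends <paramref name="mMessage"/> through the SMTP server named by <c>sSMTPServer</c>,
 /// authenticating with the <c>fido.smtp.smtpuserid</c> / <c>fido.smtp.smtppwd</c> config values.
 /// </summary>
 /// <param name="mMessage">The message to send.</param>
 internal static void SendMessage(this MailMessage mMessage)
 {
     using (var sSMTP = new SmtpClient(sSMTPServer))
     {
         Console.WriteLine(@"Sending FIDO email.");
         var sSMTPUser = Object_Fido_Configs.GetAsString("fido.smtp.smtpuserid", string.Empty);
         //NOTE(review): the SMTP password is read in clear from config, and EnableSsl is never set, so
         //credentials and mail content go to the relay unencrypted unless the relay forces STARTTLS.
         var sSMTPPwd  = Object_Fido_Configs.GetAsString("fido.smtp.smtppwd", string.Empty);
         sSMTP.Credentials = new NetworkCredential(sSMTPUser, sSMTPPwd);
         sSMTP.Send(mMessage);
         //the using block releases the client; the original's explicit Dispose() here was redundant
     }
 }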
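        /// <summary>
        /// Fetches VirusTotal file reports for the given MD5 hashes, pausing between requests on the
        /// free API tier (<c>paid_feed</c> in <c>configs_threatfeed_virustotal</c>).
        /// </summary>
        /// <param name="sMD5Hash">Hashes to look up; a null array and null/empty entries are skipped.</param>
        /// <returns>The non-null reports retrieved; empty when there is nothing to do or the lookup failed (reported by email).</returns>
        public static List <FileReport> ParseHash(string[] sMD5Hash)
        {
            //todo: The below is a placeholder for when this will be encrypted.
            //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);

            //NOTE(review): the API key is read in clear from config; keep it out of log lines and error emails
            var sVTKey          = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
            var vtLogin         = new VirusTotal(sVTKey);
            var sVirusTotalHash = new List <FileReport>();
            var fidoDB          = new SqLiteDB();
            var isPaidFeed      = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

            //todo: remove all the sleeps with a configurable option of whether to sleep AND a
            //configurable integer value for the timer. Currently putting these in for the free
            //API, but need to account for someone having access to the paid API.
            try
            {
                //null input is treated like an empty array (ParseIP already guards the same way);
                //empty entries are dropped before the batch size is chosen, so "of N" counts real hashes
                var hashes = (sMD5Hash ?? new string[0]).Where(sHash => !string.IsNullOrEmpty(sHash)).ToArray();
                if (hashes.Length == 0)
                {
                    return sVirusTotalHash;
                }

                if (!isPaidFeed)
                {
                    Thread.Sleep(1000);
                }

                if (hashes.Length < 4)
                {
                    //small batches: query in one go and keep only the reports VT actually returned
                    sVirusTotalHash.AddRange(hashes.Select(vtLogin.GetFileReport).Where(report => report != null));
                }
                else
                {
                    //larger batches: one request at a time, with the free-tier pause between requests
                    for (var i = 0; i < hashes.Length; i++)
                    {
                        Console.WriteLine(@"Processing hash #" + (i + 1) + @" of " + hashes.Length + @" " + hashes[i] + @".");
                        var report = vtLogin.GetFileReport(hashes[i]);
                        //skip null reports so the list never carries holes (the small-batch path already did this)
                        if (report != null)
                        {
                            sVirusTotalHash.Add(report);
                        }
                        if (!isPaidFeed)
                        {
                            Console.WriteLine(@"Pausing 17 seconds to not overload VT.");
                            Thread.Sleep(17000);
                        }
                    }
                }
            }
            catch (Exception e)
            {
                //best effort: whatever was retrieved before the failure is still returned
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT Hash area:" + e);
            }
            return sVirusTotalHash;
        }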
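        /// <summary>
        /// Runs the ProtectWise v1 events detector: requests the events of the last <c>Query3</c>
        /// minutes from the ProtectWise API and hands them to <c>ParseProtectWiseEvent</c>.
        /// </summary>
        public static void GetProtectWiseEvents()
        {
            Console.WriteLine(@"Running ProtectWise v1 detector.");
            //NOTE(review): process-global; SecurityProtocolType.Tls pins TLS 1.0 for every later request in the process
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");
            var getTime      = DateTime.UtcNow;
            var timer        = parseConfigs.Query3.Trim();
            //Query3 is a machine-written number of minutes: parse it culture-invariantly (the original
            //used the thread culture, which mis-reads "1.5" on locales with a comma decimal separator)
            var timeRange    = Convert.ToDouble(timer, CultureInfo.InvariantCulture) * -1;
            var oldtime      = getTime.AddMinutes(timeRange);
            //presumably ToEpochTime yields seconds and the API wants milliseconds, hence the appended "000" — confirm
            var currentTime  = ToEpochTime(getTime).ToString(CultureInfo.InvariantCulture) + "000";
            var newoldtime   = ToEpochTime(oldtime).ToString(CultureInfo.InvariantCulture) + "000";
            var request      = parseConfigs.Server + parseConfigs.Query.Replace("%currenttime%", currentTime).Replace("%minustime%", newoldtime);
            var alertRequest = (HttpWebRequest)WebRequest.Create(request);

            //the API key travels in a header, not in the URL
            alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
            alertRequest.Method = "GET";
            try
            {
                using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK)
                    {
                        return;
                    }
                    string stringreturn;
                    using (var respStream = protectwiseResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return;
                        }
                        using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            stringreturn = protectwiseReader.ReadToEnd();
                        }
                    }
                    var protectwiseReturn = JsonConvert.DeserializeObject <Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events>(stringreturn);
                    //DeserializeObject returns null for an empty or "null" body; the original dereferenced it unguarded
                    if (protectwiseReturn != null && protectwiseReturn.Events != null)
                    {
                        ParseProtectWiseEvent(protectwiseReturn);
                    }
                    //the response and its stream are released by the using blocks; the original's extra
                    //GetResponseStream()/Dispose()/Close() calls were redundant
                    Console.WriteLine(@"Finished processing ProtectWise events detector.");
                }
            }
            catch (Exception e)
            {
                //best effort: the failure is reported by email and this detector run is skipped
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector when getting json:" + e);
            }
        }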
        /// <summary>
        /// Loads the Fido configuration from the database and reads the syslog settings.
        /// The syslog sink itself is not started: the <c>SysLogger.Setup</c> call is commented out,
        /// so the values read here are currently unused.
        /// </summary>
        private void SetupSyslog()
        {
            //Load fido configs from database
            Object_Fido_Configs.LoadConfigFromDb("config");

            //Setup syslog
            var syslogServer   = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
            var syslogPort     = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
            var syslogFacility = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
            var syslogSender   = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
            var syslogLayout   = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
            //SysLogger.Setup(syslogServer, syslogPort, syslogFacility, syslogSender, syslogLayout);
        }
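        /// <summary>
        /// Downloads the AlienVault reputation feed from the URL configured under
        /// "fido.securityfeed.alienvault.url" into "threat feeds\reputation.data"
        /// below the application start-up directory. Does nothing when no URL is
        /// configured.
        /// </summary>
        public static void DownloadReputationFeed()
        {
            // NOTE(review): this disables certificate validation for the whole
            // process, not just this download; kept for compatibility with the
            // original, but a tampered feed would then flow straight into the detectors.
            ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return(true); });
            var sDownloadUrl = Object_Fido_Configs.GetAsString("fido.securityfeed.alienvault.url", null);

            if (string.IsNullOrEmpty(sDownloadUrl))
            {
                return;
            }

            // Path.Combine replaces the hand-built "\\" separator.
            var sTargetPath = Path.Combine(Path.Combine(Application.StartupPath, "threat feeds"), "reputation.data");

            // The original read the configured URL, checked it, and then downloaded
            // from a hard-coded address instead; the configured value is now used.
            using (var wcAlientVaultWebClient = new WebClient())
            {
                wcAlientVaultWebClient.DownloadFile(sDownloadUrl, sTargetPath);
            }
        }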
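 /// <summary>
 /// Reads the comma-separated "fido.sysmgmt.params.types" value from the Fido
 /// configuration and returns its entries (the SQL source names).
 /// </summary>
 /// <returns>The configured source names; an empty sequence when the key is
 /// missing or a failure occurs (failures are reported by e-mail).</returns>
 public static IEnumerable <string> GetSqlSources()
 {
     string[] sSQLSources = null;
     try
     {
         var sConfigured = Object_Fido_Configs.GetAsString("fido.sysmgmt.params.types", null);
         // A missing key used to surface as a NullReferenceException plus an error e-mail.
         if (!string.IsNullOrEmpty(sConfigured))
         {
             sSQLSources = sConfigured.Split(',');
         }
     }
     catch (Exception e)
     {
         Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception in getsqlsources area:" + e);
     }
     // Never hand callers a null sequence; an empty array is safe to enumerate.
     return(sSQLSources ?? new string[0]);
 }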
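        /// <summary>
        /// Pulls the report for a previously submitted Palo Alto (PAN v1) job and hands
        /// the parsed entries to <c>ParsePan</c>. The endpoint is built from the "panv1"
        /// detector config (Server + Query2 + APIKey) with "%jobid%" replaced by
        /// <paramref name="jobID"/>. Failures are reported by e-mail rather than thrown.
        /// </summary>
        /// <param name="jobID">Job identifier returned by the PAN job submission.</param>
        public static void RunPANJob(string jobID)
        {
            Console.WriteLine(@"Running PAN job " + jobID + @".");
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            // NOTE(review): process-wide certificate validation bypass, kept as in the
            // original; every later HTTPS call in this process inherits it.
            ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return(true); });

            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("panv1");
            var request      = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey;

            request = request.Replace("%jobid%", jobID);
            var alertRequest = (HttpWebRequest)WebRequest.Create(request);

            alertRequest.Timeout = 180000; // milliseconds; report generation can be slow
            alertRequest.Method  = "GET";
            try
            {
                using (var panResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (panResponse == null || panResponse.StatusCode != HttpStatusCode.OK)
                    {
                        return;
                    }
                    using (var respStream = panResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return;
                        }
                        string stringreturn;
                        using (var panReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            stringreturn = panReader.ReadToEnd();
                        }

                        // PAN answers in XML; normalise to JSON so one deserialiser covers both.
                        if (stringreturn.TrimStart().StartsWith("<", StringComparison.Ordinal))
                        {
                            // No external entity resolution for a document fetched over the network.
                            var doc = new XmlDocument { XmlResolver = null };
                            doc.LoadXml(stringreturn);
                            stringreturn = JsonConvert.SerializeXmlNode(doc, Formatting.None, true);
                        }
                        var panReturn = JsonConvert.DeserializeObject <Object_PaloAlto_Class.PanReturn>(stringreturn);
                        // Any level of the reply may be absent; previously a missing
                        // Result/Log/Logs raised a NullReferenceException into the catch.
                        if (panReturn == null || panReturn.Result == null || panReturn.Result.Log == null
                            || panReturn.Result.Log.Logs == null || panReturn.Result.Log.Logs.Entry == null)
                        {
                            return;
                        }
                        ParsePan(panReturn);
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PAN v1 Detector getting json:" + e);
            }
        }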
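        /// <summary>
        /// Submits the Palo Alto (PAN v1) log query built from the "panv1" detector
        /// config (Server + Query + APIKey), waits for the firewall to prepare the
        /// report, then hands the returned job id to <see cref="RunPANJob"/>.
        /// Failures are reported by e-mail rather than thrown.
        /// </summary>
        public static void GetPANJob()
        {
            Console.WriteLine(@"Running PAN v1 detector.");
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            // NOTE(review): process-wide certificate validation bypass, kept as in the
            // original; every later HTTPS call in this process inherits it.
            ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return(true); });

            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("panv1");
            var request      = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
            var alertRequest = (HttpWebRequest)WebRequest.Create(request);

            alertRequest.Method = "GET";
            try
            {
                using (var panResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (panResponse == null || panResponse.StatusCode != HttpStatusCode.OK)
                    {
                        return;
                    }
                    using (var respStream = panResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return;
                        }
                        string stringreturn;
                        using (var panReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            stringreturn = panReader.ReadToEnd();
                        }

                        // PAN answers in XML; normalise to JSON so one deserialiser covers both.
                        if (stringreturn.TrimStart().StartsWith("<", StringComparison.Ordinal))
                        {
                            // No external entity resolution for a document fetched over the network.
                            var doc = new XmlDocument { XmlResolver = null };
                            doc.LoadXml(stringreturn);
                            stringreturn = JsonConvert.SerializeXmlNode(doc, Formatting.None, true);
                        }
                        var panReturn = JsonConvert.DeserializeObject <Object_PaloAlto_Class.GetJob>(stringreturn);
                        // Previously a null panReturn or Result dereferenced into the catch block.
                        if (panReturn == null || panReturn.Result == null || string.IsNullOrEmpty(panReturn.Result.Job))
                        {
                            return;
                        }
                        //We need to let the PAN finish processing the request before trying to pull the report
                        Thread.Sleep(10000);
                        RunPANJob(panReturn.Result.Job);
                        Console.WriteLine(@"Finished processing PAN v1 detector.");
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in PAN v1 Detector getting json:" + e);
            }
        }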
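        /// <summary>
        /// Collects the syslog logger settings, plus two application flags, from the
        /// Fido configuration into a string-keyed map. Non-string settings are
        /// rendered as text: the port with the invariant culture, the test flag via
        /// <see cref="bool.ToString()"/>, and the detector list as its raw
        /// comma-separated configuration value.
        /// </summary>
        /// <returns>Map of setting name to its textual value.</returns>
        private Dictionary <string, string> GetSysLogParams()
        {
            // The original called a non-existent "add" and stored int/bool/string[]
            // values in a Dictionary<string, string>, which does not compile.
            var result = new Dictionary <string, string>
            {
                { "server", Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost") },
                { "port", Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514).ToString(CultureInfo.InvariantCulture) },
                { "facility", Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1") },
                { "sender", Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido") },
                { "layout", Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)") },
                { "isParamTest", Object_Fido_Configs.GetAsBool("fido.application.teststartup", true).ToString() },
                { "detectors", Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty) }
            };

            return(result);
        }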
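        /// <summary>
        /// Looks up Bit9 file-instance rows either by MD5 hash (one query per hash in
        /// <paramref name="lFileHash"/>) or, when no hashes are given, by file name,
        /// path and host taken from <paramref name="lBit9ReturnValues"/>. Each query is
        /// handed to <c>ReadBit9Info</c>, which fills <c>lBit9Info</c>.
        /// </summary>
        /// <param name="lFileHash">MD5 hashes to look up; may be null.</param>
        /// <param name="lBit9ReturnValues">Fallback lookup keys used when <paramref name="lFileHash"/> is null; may be null.</param>
        /// <returns>Collected row strings; empty when nothing matched or a failure was reported by e-mail.</returns>
        public static List <string> GetFileInfo(IEnumerable <string> lFileHash, Bit9ReturnValues lBit9ReturnValues)
        {
            var lBit9Info   = new List <string>();
            var oBit9Return = new object[69];

            // Credentials are stored AES-encrypted; the "acek" value unwraps them.
            var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);

            sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
            var sUserID     = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
            var sPwd        = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
            var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
            var sDb         = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);

            try
            {
                // Built with the builder so a credential or server value containing ';'
                // cannot alter other connection keywords. Keywords mirror the original
                // hand-built string (port 1433, Integrated Security, 60 s timeout).
                var csb = new SqlConnectionStringBuilder
                {
                    UserID             = sUserID,
                    Password           = sPwd,
                    DataSource         = sBit9Server + ",1433",
                    IntegratedSecurity = true,
                    InitialCatalog     = sDb,
                    ConnectTimeout     = 60
                };
                // Opening the connection is left to ReadBit9Info, as before; the using
                // block guarantees it is closed on every path.
                using (var vConnection = new SqlConnection(csb.ConnectionString))
                {
                    if (lFileHash != null)
                    {
                        // Values are bound as parameters, never concatenated into the SQL.
                        foreach (var sFileHash in lFileHash)
                        {
                            using (var CMD = new SqlCommand("SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE MD5 = @md5", vConnection))
                            {
                                CMD.CommandType = CommandType.Text;
                                CMD.Parameters.AddWithValue("@md5", (object)sFileHash ?? DBNull.Value);
                                ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
                            }
                        }
                    }
                    else if (lBit9ReturnValues != null)
                    {
                        using (var CMD = new SqlCommand("SELECT * FROM [das].[dbo].[Fido_FileInstanceInfo] WHERE FILE_NAME = @fileName AND Path_Name = @pathName AND Computer_Name = @hostName", vConnection))
                        {
                            CMD.CommandType = CommandType.Text;
                            CMD.Parameters.AddWithValue("@fileName", lBit9ReturnValues.FileName.ToLowerInvariant());
                            CMD.Parameters.AddWithValue("@pathName", lBit9ReturnValues.FilePath.ToLowerInvariant());
                            CMD.Parameters.AddWithValue("@hostName", (object)lBit9ReturnValues.HostName ?? DBNull.Value);
                            ReadBit9Info(vConnection, CMD, oBit9Return, lBit9Info);
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving file information from Bit9:" + e);
            }

            return(lBit9Info);
        }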
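        /// <summary>
        /// Queries the Cyphort v2 alert endpoint built from the "cyphortv2" detector
        /// config (Server + Query + APIKey), deserialises the JSON reply into
        /// <c>CyphortClass</c>, and passes it to <c>ParseCyphort</c> when any of the
        /// correlations, infections or downloads arrays has entries. Failures are
        /// reported by e-mail rather than thrown.
        /// </summary>
        public static void GetCyphortAlerts()
        {
            Console.WriteLine(@"Running Cyphort v2 detector.");

            //currently needed to bypass site without a valid cert.
            //todo: make ssl bypass configurable
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };

            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv2");
            var request      = parseConfigs.Server + parseConfigs.Query + parseConfigs.APIKey;
            var alertRequest = (HttpWebRequest)WebRequest.Create(request);

            alertRequest.Method = "GET";
            try
            {
                // The using blocks dispose the response and its stream; the explicit
                // GetResponseStream()/Dispose()/Close() sequence of the original was redundant.
                using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse)
                {
                    if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK)
                    {
                        return;
                    }
                    using (var respStream = cyphortResponse.GetResponseStream())
                    {
                        if (respStream == null)
                        {
                            return;
                        }
                        string stringreturn;
                        using (var cyphortReader = new StreamReader(respStream, Encoding.UTF8))
                        {
                            stringreturn = cyphortReader.ReadToEnd();
                        }
                        var cyphortReturn = JsonConvert.DeserializeObject <CyphortClass>(stringreturn);
                        if (cyphortReturn == null)
                        {
                            return;
                        }
                        // Each array may be absent from the reply, and Any() on a null array
                        // throws; short-circuit || replaces the original non-short-circuit |.
                        var hasAlerts = HasItems(cyphortReturn.correlations_array)
                                        || HasItems(cyphortReturn.infections_array)
                                        || HasItems(cyphortReturn.downloads_array);
                        if (hasAlerts)
                        {
                            ParseCyphort(cyphortReturn);
                        }
                        Console.WriteLine(@"Finished processing Cyphort detector.");
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphort Detector getting json:" + e);
            }
        }

        /// <summary>True when <paramref name="items"/> is non-null and has at least one element.</summary>
        private static bool HasItems<T>(IEnumerable<T> items)
        {
            return items != null && items.Any();
        }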
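        /// <summary>
        /// Builds an LDAP searcher bound with the configured base DN and service
        /// credentials, filtered to the user object whose sAMAccountName equals
        /// <paramref name="sUserId"/>. Properties to load are added by
        /// <c>AddPropertiesToLoad</c>. (The original declaration had no return type
        /// and did not compile.)
        /// </summary>
        /// <param name="sUserId">Account name to look up; escaped per RFC 4515 before it
        /// is placed in the filter, so filter metacharacters cannot widen the search.</param>
        /// <returns>The configured <see cref="DirectorySearcher"/>; the caller owns it.</returns>
        private static DirectorySearcher CreateDirectorySearcher(string sUserId)
        {
            var domainPath = Object_Fido_Configs.GetAsString("fido.ldap.basedn", string.Empty);
            var user       = Object_Fido_Configs.GetAsString("fido.ldap.userid", string.Empty);
            var pwd        = Object_Fido_Configs.GetAsString("fido.ldap.pwd", string.Empty);
            var searchRoot = new DirectoryEntry(domainPath, user, pwd);
            var search     = new DirectorySearcher(searchRoot)
            {
                Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + EscapeLdapFilterValue(sUserId) + "))"
            };

            AddPropertiesToLoad(search);

            return(search);
        }

        /// <summary>
        /// Escapes an LDAP filter assertion value per RFC 4515 section 3: the
        /// characters \ * ( ) and NUL become their \xx hex forms.
        /// </summary>
        /// <param name="value">Raw value; null is treated as empty.</param>
        /// <returns>The escaped value, safe to embed in a filter.</returns>
        private static string EscapeLdapFilterValue(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return string.Empty;
            }
            var sb = new StringBuilder(value.Length);
            foreach (var c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c);      break;
                }
            }
            return sb.ToString();
        }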
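        /// <summary>
        /// Walks the ProtectWise events in reverse feed order (the array is reversed
        /// in place), fetches each event's observations from the
        /// "protectwisev1-event" endpoint (Server + Query2 + event id, API key sent in
        /// the X-Access-Token header) and hands the result to
        /// <c>ParseProtectWiseObservation</c>. A failed event is reported by e-mail
        /// and the remaining events are still processed.
        /// </summary>
        /// <param name="protectWiseReturn">Deserialised event list; its <c>Events</c>
        /// array is replaced by the reversed copy. Null, or a null <c>Events</c>, is a no-op.</param>
        private static void ParseProtectWiseEvent(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events protectWiseReturn)
        {
            if (protectWiseReturn == null || protectWiseReturn.Events == null)
            {
                return;
            }
            protectWiseReturn.Events = protectWiseReturn.Events.Reverse().ToArray();

            // Loop-invariant setup hoisted out of the per-event loop.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");

            foreach (var pevent in protectWiseReturn.Events)
            {
                Console.WriteLine(@"Gathering ProtectWise observations for event: " + pevent.Message + @".");
                var request      = parseConfigs.Server + parseConfigs.Query2 + pevent.Id;
                var alertRequest = (HttpWebRequest)WebRequest.Create(request);
                alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
                alertRequest.Method = "GET";
                try
                {
                    using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
                    {
                        if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK)
                        {
                            continue;
                        }
                        using (var respStream = protectwiseResponse.GetResponseStream())
                        {
                            if (respStream == null)
                            {
                                // The original returned here, silently dropping every later event.
                                continue;
                            }
                            string stringreturn;
                            using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
                            {
                                stringreturn = protectwiseReader.ReadToEnd();
                            }
                            var protectwiseReturn = JsonConvert.DeserializeObject <Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event>(stringreturn);
                            if (protectwiseReturn != null)
                            {
                                ParseProtectWiseObservation(protectwiseReturn, pevent.Message);
                            }
                        }
                    }
                }
                catch (Exception e)
                {
                    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in ProtectWise v1 Detector when getting json:" + e);
                }
            }
        }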
        /// <summary>
        /// Sends the summary e-mail for a detection. Alerts go to the primary and
        /// secondary addresses; non-alerts go to the non-alert address, passed as
        /// both recipients. All addresses come from the "fido.email.*" configuration.
        /// </summary>
        /// <param name="sSubject">Subject line of the message.</param>
        /// <param name="lFidoReturnValues">Supplies <c>IsSendAlert</c> and the <c>SummaryEmail</c> body.</param>
        private void SendMail(string sSubject, FidoReturnValues lFidoReturnValues)
        {
            var senderAddress    = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
            var primaryAddress   = Object_Fido_Configs.GetAsString("fido.email.primaryemail", null);
            var secondaryAddress = Object_Fido_Configs.GetAsString("fido.email.secondaryemail", null);
            var nonAlertAddress  = Object_Fido_Configs.GetAsString("fido.email.nonalertemail", null);
            var attachments      = GetAttachmentList();

            // Choose the recipient pair once, then send through a single call.
            var isAlert         = lFidoReturnValues.IsSendAlert;
            var firstRecipient  = isAlert ? primaryAddress : nonAlertAddress;
            var secondRecipient = isAlert ? secondaryAddress : nonAlertAddress;

            Email_Send.Send(firstRecipient, secondRecipient, senderAddress, sSubject, lFidoReturnValues.SummaryEmail, attachments, null);
        }
        /// <summary>
        /// Builds the GET request for a Cyphort v3 incident: Server + Query2 + APIKey
        /// from the "cyphortv3" detector config, with "%incidentid%" replaced by the
        /// incident id carried in <paramref name="lFidoReturnValues"/>.
        /// </summary>
        /// <param name="lFidoReturnValues">Supplies <c>Cyphort.IncidentID</c>.</param>
        /// <returns>An unsent <see cref="HttpWebRequest"/> with method GET.</returns>
        private static HttpWebRequest CreateHttpWebRequest(FidoReturnValues lFidoReturnValues)
        {
            //currently needed to bypass site without a valid cert.
            //todo: make ssl bypass configurable
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };

            var detectorConfig = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3");
            var urlTemplate    = detectorConfig.Server + detectorConfig.Query2 + detectorConfig.APIKey;
            var incidentUrl    = urlTemplate.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID);

            var incidentRequest = (HttpWebRequest)WebRequest.Create(incidentUrl);
            incidentRequest.Method = "GET";

            return(incidentRequest);
        }
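        /// <summary>
        /// Queries Bit9 for every host on which the file with MD5 <paramref name="sMD5"/>
        /// has been seen and returns one "Computer_Name,IP_Address,Executed,Deleted"
        /// string per row. Failures are reported by e-mail rather than thrown.
        /// </summary>
        /// <param name="sMD5">MD5 hash to look up; bound as a SQL parameter.</param>
        /// <returns>Host rows; empty when nothing matched or the query failed.</returns>
        private static IEnumerable <string> GetHost(string sMD5)
        {
            // Credentials are stored AES-encrypted; the "acek" value unwraps them.
            var sAcekDecode = Object_Fido_Configs.GetAsString("fido.detectors.bit9.acek", null);

            sAcekDecode = Aes_Crypto.DecryptStringAES(sAcekDecode, "1");
            var sUserID     = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.userid", null), sAcekDecode);
            var sPwd        = Aes_Crypto.DecryptStringAES(Object_Fido_Configs.GetAsString("fido.detectors.bit9.pwd", null), sAcekDecode);
            var sBit9Server = Object_Fido_Configs.GetAsString("fido.detectors.bit9.server", null);
            var sDB         = Object_Fido_Configs.GetAsString("fido.detectors.bit9.db", null);
            var oBit9Return = new object[4];
            var lHostInfo   = new List <string>();

            try
            {
                // Built with the builder so a credential or server value containing ';'
                // cannot alter other connection keywords. Keywords mirror the original
                // hand-built string (port 1433, Integrated Security, 10 s timeout).
                var csb = new SqlConnectionStringBuilder
                {
                    UserID             = sUserID,
                    Password           = sPwd,
                    DataSource         = sBit9Server + ",1433",
                    IntegratedSecurity = true,
                    InitialCatalog     = sDB,
                    ConnectTimeout     = 10
                };
                // The hash is bound as a parameter, never concatenated into the SQL.
                using (var vConnection = new SqlConnection(csb.ConnectionString))
                using (var cmd = new SqlCommand("SELECT [Computer_Name],[IP_Address], [Executed], [Deleted] FROM [das].[dbo].[Fido_FileInstanceInfo] Where MD5 = @md5", vConnection))
                {
                    cmd.CommandType = CommandType.Text;
                    cmd.Parameters.AddWithValue("@md5", (object)sMD5 ?? DBNull.Value);
                    vConnection.Open();
                    using (var objReader = cmd.ExecuteReader())
                    {
                        // Read() returns false on an empty result, so HasRows is not needed.
                        while (objReader.Read())
                        {
                            objReader.GetSqlValues(oBit9Return);
                            if (oBit9Return.GetValue(0) != null)
                            {
                                lHostInfo.Add(oBit9Return.GetValue(0) + "," + oBit9Return.GetValue(1) + "," + oBit9Return.GetValue(2) + "," + oBit9Return.GetValue(3));
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught retrieving host information from Bit9:" + e);
            }
            return(lHostInfo);
        }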