Exemplo n.º 1
0
        private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
        {
            //if ProtectWise has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                if ((lFidoReturnValues.ProtectWise != null) && (lFidoReturnValues.ProtectWise.MD5 != null) && (lFidoReturnValues.ProtectWise.MD5.Any()))
                {
                    if (lFidoReturnValues.ProtectWise.VirusTotal == null)
                    {
                        lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
                    }
                    Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
                    var MD5Hash = new List <string> {
                        lFidoReturnValues.ProtectWise.MD5
                    };
                    lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(MD5Hash);
                }
            }

            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
                lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
            }

            return(lFidoReturnValues);
        }
Exemplo n.º 2
0
        public static void SendEmail(string sErrorSubject, string sErrorMessage)
        {
            var isGoingToRun = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
            var sErrorEmail  = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
            var sFidoEmail   = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
            var isTest       = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);

            if (!isGoingToRun)
            {
                return;
            }
            if (isTest)
            {
                sErrorSubject = "Test: " + sErrorSubject;
            }


            Logging_Fido.RunLogging(sErrorMessage);

            var Rmail = new Emailfields
            {
                To           = sErrorEmail,
                CC           = "",
                From         = sFidoEmail,
                Subject      = sErrorSubject,
                Body         = sErrorMessage,
                EmailAttach  = null,
                GaugeAttatch = null
            };

            Email_Send.Send(Rmail);

            Console.WriteLine(sErrorMessage);
            Thread.Sleep(1000);
        }
Exemplo n.º 3
0
        private static Dictionary <string, string> CarbonBlackBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
        {
            try
            {
                if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
                {
                    replacements = CarbonBlackVTReplacements(lFidoReturnValues, replacements);
                }

                if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
                {
                    replacements = CarbonBlackGeoReplacements(lFidoReturnValues, replacements);
                }

                if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
                {
                    replacements = CarbonBlackThreatGRIDReplacements(lFidoReturnValues, replacements);
                }

                return(replacements);
            }
            catch (Exception e)
            {
                throw e;
            }
        }
Exemplo n.º 4
0
        private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
        {
            //if FireEye has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any()))
                {
                    if (lFidoReturnValues.FireEye.VirusTotal == null)
                    {
                        lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues();
                    }
                    Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
                    lFidoReturnValues.FireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.FireEye.MD5Hash);
                }
            }

            //todo: decide if FireEye should go to ThreatGRID
            //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            //{
            //  Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
            //  lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
            //}

            return(lFidoReturnValues);
        }
Exemplo n.º 5
0
 private void PrepareFidoReturnValues(FidoReturnValues lFidoReturnValues)
 {
     lFidoReturnValues = SummaryEmail(lFidoReturnValues);
     lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues);
     lFidoReturnValues.SummaryEmail   = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
     lFidoReturnValues.SummaryEmail   = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
     lFidoReturnValues.IsTest         = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
 }
Exemplo n.º 6
0
        private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return(lFidoReturnValues);
            }

            var sIPToCheck = new List <string>();

            if (lFidoReturnValues.ProtectWise.VirusTotal == null)
            {
                lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
            }
            //send ProtectWise return to VT URL API
            if (lFidoReturnValues.ProtectWise.IncidentDetails.Data != null)
            {
                if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
                {
                    Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
                    var URL = new List <string> {
                        lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation.Url
                    };
                    var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
                    if (vtURLReturn != null)
                    {
                        lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
                    }
                }
                else if (lFidoReturnValues.ProtectWise.URL != null)
                {
                    Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
                    var URL = new List <string> {
                        lFidoReturnValues.ProtectWise.URL
                    };
                    var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
                    if (vtURLReturn != null)
                    {
                        lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
                    }
                }
            }

            if (lFidoReturnValues.ProtectWise.DstIP != null)
            {
                sIPToCheck.Add(lFidoReturnValues.ProtectWise.DstIP);
            }

            sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();
            //send ProtectWise return to VT IP API
            if (sIPToCheck.Any())
            {
                Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                lFidoReturnValues.ProtectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                //todo: move the url to the database
                lFidoReturnValues.ProtectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.ProtectWise.DstIP + "/information/";
            }
            return(lFidoReturnValues);
        }
Exemplo n.º 7
0
        private static FidoReturnValues SendCyphortToThreatGRID(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                return(lFidoReturnValues);
            }

            Int16 iDays = -7;

            lFidoReturnValues.Cyphort.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
            while (Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) < 50)
            {
                if (iDays < -364)
                {
                    break;
                }
                iDays = (Int16)(iDays * 2);
                lFidoReturnValues.Cyphort.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
            }

            Console.WriteLine(@"Successfully found ThreatGRID IP data (" + lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");

            if (Convert.ToDouble(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) == 0)
            {
                return(lFidoReturnValues);
            }

            //todo: make the below integer values configurable by storing them in the DB
            var vTGItemCount = 0;

            if (Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) < 25)
            {
                vTGItemCount = Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount);
            }
            if (Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) >= 25)
            {
                vTGItemCount = 25;
            }

            for (var i = 0; i < vTGItemCount; i++)
            {
                if (i >= 50)
                {
                    continue;
                }
                if (lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo == null)
                {
                    lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo = new List <Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
                }
                lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.Items[i].HashID));
            }

            return(lFidoReturnValues);
        }
Exemplo n.º 8
0
        private Dictionary <string, string> GetSysLogParams()
        {
            var result = new Dictionary <string, string>();

            result.add("server", Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost"));
            result.add("port", Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514));
            result.add("facility", Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1"));
            result.add("sender", Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido"));
            result.add("layout", Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)"));
            result.add("isParamTest", Object_Fido_Configs.GetAsBool("fido.application.teststartup", true));
            result.add("detectors", Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(','));

            return(result);
        }
Exemplo n.º 9
0
        public static FidoReturnValues ThreatGRIDIPInfo(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.alienvault", false))
            {
                return(lFidoReturnValues);
            }

            if (!String.IsNullOrEmpty(lFidoReturnValues.DstIP))
            {
                if (lFidoReturnValues.FireEye != null)
                {
                    if (lFidoReturnValues.FireEye.ThreatGRID == null)
                    {
                        lFidoReturnValues.FireEye.ThreatGRID = new ThreatGridReturnValues();
                    }
                    lFidoReturnValues.FireEye.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
                }
                if (lFidoReturnValues.Cyphort != null)
                {
                    if (lFidoReturnValues.Cyphort.ThreatGRID == null)
                    {
                        lFidoReturnValues.Cyphort.ThreatGRID = new ThreatGridReturnValues();
                    }
                    lFidoReturnValues.Cyphort.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
                }
                if (lFidoReturnValues.ProtectWise != null)
                {
                    if (lFidoReturnValues.ProtectWise.ThreatGRID == null)
                    {
                        lFidoReturnValues.ProtectWise.ThreatGRID = new ThreatGridReturnValues();
                    }
                    lFidoReturnValues.ProtectWise.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
                }
                if (lFidoReturnValues.PaloAlto != null)
                {
                    if (lFidoReturnValues.PaloAlto.ThreatGRID == null)
                    {
                        lFidoReturnValues.PaloAlto.ThreatGRID = new ThreatGridReturnValues();
                    }
                    lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
                }
            }
            return(lFidoReturnValues);
        }
Exemplo n.º 10
0
        public static void SendEmail(string sErrorSubject, string sErrorMessage)
        {
            var isGoingToRun = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
            var sErrorEmail  = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
            var sFidoEmail   = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
            var isTest       = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);

            if (!isGoingToRun)
            {
                return;
            }
            if (isTest)
            {
                sErrorSubject = "Test: " + sErrorSubject;
            }


            Logging_Fido.RunLogging(sErrorMessage);
            Email_Send.Send(sErrorEmail, sFidoEmail, sFidoEmail, sErrorSubject, sErrorMessage, null, null);
            Console.WriteLine(sErrorMessage);
            Thread.Sleep(1000);
        }
Exemplo n.º 11
0
        private static FidoReturnValues SendPaloAltoToAlienVault(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.alienvault", false))
            {
                return(lFidoReturnValues);
            }

            //initialize AlienVault area if null
            if (lFidoReturnValues.PaloAlto.AlienVault == null)
            {
                lFidoReturnValues.PaloAlto.AlienVault = new AlienVaultReturnValues();
            }

            //next send PAN return to AlienVault
            if ((lFidoReturnValues.PaloAlto != null) && (lFidoReturnValues.PaloAlto.DstIp != null))
            {
                Console.WriteLine(@"Getting IP informaiton from AlienVault.");
                lFidoReturnValues.PaloAlto.AlienVault = Feeds_AlientVault.AlienVaultIP(lFidoReturnValues.PaloAlto.DstIp);
            }

            return(lFidoReturnValues);
        }
Exemplo n.º 12
0
        private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return(lFidoReturnValues);
            }

            var sIPToCheck = new List <string> {
                lFidoReturnValues.PaloAlto.DstIp
            };

            //send ProtectWise return to VT IP API
            if (lFidoReturnValues.PaloAlto.DstIp.Any())
            {
                if (lFidoReturnValues.PaloAlto.VirusTotal == null)
                {
                    lFidoReturnValues.PaloAlto.VirusTotal = new VirusTotalReturnValues();
                }

                Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                try
                {
                    var IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                    if (IPReturn != null)
                    {
                        lFidoReturnValues.PaloAlto.VirusTotal.IPReturn = IPReturn;
                    }
                }
                catch (Exception e)
                {
                    Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
                }

                //todo: move the url to the database
                lFidoReturnValues.PaloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.PaloAlto.DstIp + "/information/";
            }
            return(lFidoReturnValues);
        }
Exemplo n.º 13
0
        private static FidoReturnValues CyphortHash(FidoReturnValues lFidoReturnValues)
        {
            //if Cyphort has hashes send to threat feeds
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                if ((lFidoReturnValues.Cyphort != null) && (lFidoReturnValues.Cyphort.MD5Hash != null) && (lFidoReturnValues.Cyphort.MD5Hash.Any()))
                {
                    if (lFidoReturnValues.Cyphort.VirusTotal == null)
                    {
                        lFidoReturnValues.Cyphort.VirusTotal = new VirusTotalReturnValues();
                    }
                    Console.WriteLine(@"Sending Cyphort hashes to VirusTotal.");
                    lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.Cyphort.MD5Hash);
                }
            }

            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                Console.WriteLine(@"Sending Cyphort hashes to ThreatGRID.");
                lFidoReturnValues = SendCyphortToThreatGRID(lFidoReturnValues);
            }
            return(lFidoReturnValues);
        }
Exemplo n.º 14
0
        private static FidoReturnValues SendPaloAltoToThreatGRID(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
            {
                return(lFidoReturnValues);
            }

            Int16 iDays = -7;

            lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
            while (Convert.ToInt16(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.CurrentItemCount) < 50)
            {
                if (iDays < -364)
                {
                    break;
                }
                iDays = (Int16)(iDays * 2);
                lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
            }

            Console.WriteLine(@"Successfully found ThreatGRID IP data (" + lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");

            for (var i = 0; i < Convert.ToInt16(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.CurrentItemCount); i++)
            {
                if (i >= 50)
                {
                    continue;
                }
                if (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo == null)
                {
                    lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo = new List <Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
                }
                lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items[i].HashID));
            }

            return(lFidoReturnValues);
        }
Exemplo n.º 15
0
        //The load will grab configurations for what FIDO is monitoring,
        //then go to each configured external system to parse any alerts.
        //Finally, FIDO is configured to pause per iteration on a
        //configurable timed basis.
        private void Fido_Load(object sender, EventArgs aug)
        {
            //Disabled the current time during current iteration.
            timer1.Enabled = false;
            Hide();

            if (!ConfigurationOK())
            {
                Application.Exit();
            }


            SetupSyslog();

            //Beginning of primary area which starts parsing of alerts.
            var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
            var sDetectors  = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(',');

            try
            {
                Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");

                foreach (var detect in sDetectors)
                {
                    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
                    //Get the detector, ie, email, log, web service, etc.
                    var sDetectorType = parseConfigs.DetectorType;
                    switch (sDetectorType)
                    {
                    case "api":
                        Console.WriteLine(@"Loading webservice receiver.");
                        Recieve_API.DirectToEngine(sDetectorType, detect);
                        break;

                    case "log":
                        Console.WriteLine(@"Loaded log receiver.");
                        var sDefaultServer = parseConfigs.Server;
                        var sDefaultFile   = parseConfigs.File;
                        var sVendor        = parseConfigs.Vendor;
                        Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                        break;

                    case "sql":
                        Console.WriteLine(@"Loaded sql receiver.");
                        Receive_SQL.DirectToEngine(sDetectorType, detect);
                        break;

                    case "email":
                        Console.WriteLine(@"Loaded email receiver.");
                        var sEmailVendor     = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                        var sDetectorsEmail  = parseConfigs.EmailFrom;
                        var sDetectorsFolder = parseConfigs.Folder;
                        Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                        break;
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
            }

            //Sleep for X # of seconds per iteration specified in Fido configuration
            Application.DoEvents();
            var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);

            Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
            Thread.Sleep(iSleep);
            timer1.Enabled = true;
        }
Exemplo n.º 16
0
        public static FidoReturnValues RunMatrix(FidoReturnValues lFidoReturnValues)
        {
            //Iterate through each detector and the corresponding threat feed looking for values to score
            #region ThreatScore
            Console.WriteLine(@"Starting threat feed evaluation.");
            lFidoReturnValues = Matrix_Scoring.GetDetectorsScore(lFidoReturnValues);

            #endregion

            var isRunAssett = Object_Fido_Configs.GetAsBool("fido.director.assetscore", false);
            if (isRunAssett)
            {
                #region AssetValue
                Console.WriteLine(@"Starting assest evaluation.");
                //asset evaluation
                var isPaired = Object_Fido_Configs.GetAsBool("fido.posture.asset.paired", false);
                lFidoReturnValues = Matrix_Scoring.GetAssetScore(lFidoReturnValues, isPaired);

                #endregion

                #region MachinePosture
                Console.WriteLine(@"Scoring machine posture evaluation.");
                //Patch evaluation
                lFidoReturnValues = Matrix_Scoring.GetPatchScore(lFidoReturnValues);

                //AV evaluation
                lFidoReturnValues = Matrix_Scoring.GetAVScore(lFidoReturnValues);

                #endregion

                #region UserPosture
                Console.WriteLine(@"Starting user posture evaluation.");
                if (lFidoReturnValues.UserInfo != null)
                {
                    lFidoReturnValues = Matrix_Scoring.GetUserScore(lFidoReturnValues);
                }

                #endregion
            }

            #region HistoricalInfo
            Console.WriteLine(@"Starting historical artifact evaluation.");
            lFidoReturnValues = Matrix_Historical_Helper.HistoricalEvent(lFidoReturnValues);

            lFidoReturnValues = Matrix_Scoring.GetHistoricalHashCount(lFidoReturnValues);
            lFidoReturnValues = Matrix_Scoring.GetHistoricalURLCount(lFidoReturnValues);
            lFidoReturnValues = Matrix_Scoring.GetHistoricalIPCount(lFidoReturnValues);
            #endregion

            #region PreviousAlerts
            Console.WriteLine(@"Checking to see if this machine has previous alerted.");
            lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, true);
            #endregion

            //todo: put configuration in DB for whether to include user/machine score in division of their score.
            //lFidoReturnValues.TotalScore = lFidoReturnValues.TotalScore / 10;
            //lFidoReturnValues.UserScore = lFidoReturnValues.UserScore / 10;
            //lFidoReturnValues.MachineScore = lFidoReturnValues.MachineScore / 10;
            lFidoReturnValues.ThreatScore = lFidoReturnValues.ThreatScore / 10;

            lFidoReturnValues = Matrix_Scoring.SetScoreValues(lFidoReturnValues);

            Console.WriteLine(@"Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture));
            Console.WriteLine(@"Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
            Console.WriteLine(@"Machine Score for event = " + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture));
            Console.WriteLine(@"User Score for event = " + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture));

            return(lFidoReturnValues);
        }
Exemplo n.º 17
0
        private static FidoReturnValues SendCyphortToVirusTotal(FidoReturnValues lFidoReturnValues)
        {
            if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
            {
                return(lFidoReturnValues);
            }

            //convert return from Cyphort to list
            var sURLToCheck = new List <string>();

            if ((lFidoReturnValues.Cyphort.URL.Any()) && (lFidoReturnValues.Cyphort.URL.Count > 0))
            {
                for (var i = 0; i < lFidoReturnValues.Cyphort.URL.Count(); i++)
                {
                    if (string.IsNullOrEmpty(lFidoReturnValues.Cyphort.URL[i]))
                    {
                        continue;
                    }
                    if (lFidoReturnValues.Cyphort.URL[i].Contains(".exe"))
                    {
                        continue;
                    }
                    //if (!lFidoReturnValues.Cyphort.URL[i].Contains(".com"))
                    //{
                    //  lFidoReturnValues.Cyphort.URL[i] = lFidoReturnValues.Cyphort.URL[i] + @".com";
                    //}
                    sURLToCheck.Add(lFidoReturnValues.Cyphort.URL[i]);
                }
            }

            if ((lFidoReturnValues.Cyphort.Domain != null) && (lFidoReturnValues.Cyphort.Domain.Count > 0))
            {
                sURLToCheck.AddRange(lFidoReturnValues.Cyphort.Domain);
            }

            if (lFidoReturnValues.Cyphort.DstIP != null)
            {
                sURLToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
            }

            sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

            //send Cyphort return to VT URL API
            if (sURLToCheck.Any())
            {
                Console.WriteLine(@"Sending Cyport URLs to VirusTotal.");
                lFidoReturnValues.Cyphort.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
            }

            var sIPToCheck = new List <string>();

            if (lFidoReturnValues.Cyphort.DstIP != null)
            {
                sIPToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
            }

            sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

            //send Cyphort return to VT IP API
            if (sIPToCheck.Any())
            {
                Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
                lFidoReturnValues.Cyphort.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
                //todo: move the url to the database
                lFidoReturnValues.Cyphort.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.Cyphort.DstIP + "/information/";
            }
            return(lFidoReturnValues);
        }
Exemplo n.º 18
0
        //module to compose notifications
        public static void Notify(FidoReturnValues lFidoReturnValues)
        {
            try
            {
                var sFidoEmail      = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
                var sPrimaryEmail   = Object_Fido_Configs.GetAsString("fido.email.primaryemail", null);
                var sSecondaryEmail = Object_Fido_Configs.GetAsString("fido.email.secondaryemail", null);
                var sNonAlertEmail  = Object_Fido_Configs.GetAsString("fido.email.nonalertemail", null);
                var lAttachment     = new List <string>
                {
                    Application.StartupPath + "\\media\\gauge\\total" + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) + ".png",
                    Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) + ".png",
                    Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) + ".png",
                    Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) + ".png"
                };


                string sSubject;
                if (lFidoReturnValues.IsPreviousAlert)
                {
                    sSubject = @"Previously Alerted! Fido Alert: " + lFidoReturnValues.MalwareType + ". ";
                }
                else
                {
                    sSubject = @"Fido Alert: " + lFidoReturnValues.MalwareType + ". ";
                }

                if (lFidoReturnValues.IsHostKnown)
                {
                    sSubject += "Hostname = " + lFidoReturnValues.Hostname;
                }
                else
                {
                    sSubject += "Hostname = Unknown (" + lFidoReturnValues.SrcIP + ")";
                }

                lFidoReturnValues = SummaryEmail(lFidoReturnValues);
                lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues);
                lFidoReturnValues.SummaryEmail   = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
                lFidoReturnValues.SummaryEmail   = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);

                if (!lFidoReturnValues.IsTargetOS)
                {
                    sSubject = "Fido InfoSec only Alert : Target OS does not match.";
                }
                else if (!lFidoReturnValues.IsSendAlert)
                {
                    sSubject = "Fido InfoSec only alert. " + lFidoReturnValues.MalwareType + ". Hostname = " + lFidoReturnValues.Hostname + " (" + lFidoReturnValues.SrcIP + ")";
                }

                lFidoReturnValues.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
                if (lFidoReturnValues.IsTest)
                {
                    sSubject = @"TEST: " + sSubject;
                }

                if (lFidoReturnValues.IsSendAlert)
                {
                    Email_Send.Send(sPrimaryEmail, sSecondaryEmail, sFidoEmail, sSubject, lFidoReturnValues.SummaryEmail, lAttachment, null);
                }
                else
                {
                    Email_Send.Send(sNonAlertEmail, sNonAlertEmail, sFidoEmail, sSubject, lFidoReturnValues.SummaryEmail, lAttachment, null);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(@"Error creating FIDO email. " + e);
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
            }
        }
Exemplo n.º 19
0
        public static void Direct(FidoReturnValues lFidoReturnValues)
        {
            var sSrcIP    = lFidoReturnValues.SrcIP;
            var sHostname = lFidoReturnValues.Hostname;

            try
            {
                //check detector values versus whitelist and exclude if true
                var isFound = new The_Director_Whitelist().CheckFidoWhitelist(lFidoReturnValues.DstIP, lFidoReturnValues.Hash, lFidoReturnValues.DNSName, lFidoReturnValues.Url);
                if (isFound)
                {
                    return;
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director processing whitelist:" + e);
            }

            try
            {
                //if HostDetection is turned on, then gather information directly from host
                if (Object_Fido_Configs.GetAsBool("fido.director.hostdetection", true))
                {
                    lFidoReturnValues = The_Director_HostDetection.HostDetection(lFidoReturnValues, sHostname, sSrcIP);
                }

                //Write results out to console
                if (!string.IsNullOrEmpty(sHostname))
                {
                    Console.WriteLine(@"Detected hostname=" + sHostname + @", gathering detailed inventory.");
                }
                else
                {
                    Console.WriteLine(@"Unable to detect hostname, gathering detailed inventory for " + sSrcIP + @".");
                }

                //go to our sysmgmt data sources to get detailed inventory information
                if (Object_Fido_Configs.GetAsBool("fido.director.runinventory", false))
                {
                    lFidoReturnValues = The_Director_HostDetection.SQLFidoReturnValues(lFidoReturnValues, sSrcIP, sHostname);
                }

                //determine if hostname from host discover matches inventory data
                if (string.IsNullOrEmpty(lFidoReturnValues.Hostname))
                {
                    Console.WriteLine(@"Hostname still unknown. Proceeding to evaluate threat.");
                    lFidoReturnValues.IsHostKnown = false;
                    lFidoReturnValues.Hostname    = "unknown";
                }
                else if (lFidoReturnValues.Hostname.ToLower() == "unknown")
                {
                    //todo: need to write code to take existing data
                    //hold it for %configurable% minutes and then
                    //send it out 'unmanaged' if hostinfo continues to come
                    //back empty
                }
                else
                {
                    if (Object_Fido_Configs.GetAsBool("fido.director.userdetect", false))
                    {
                        lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues);
                    }
                }

                if (lFidoReturnValues.Username != null)
                {
                    var runUserDetect = Object_Fido_Configs.GetAsBool("fido.director.userdetect", false);
                    if (runUserDetect)
                    {
                        lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues);
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host information:" + e);
            }

            try
            {
                //Gather more information about destination IP address
                lFidoReturnValues = The_Director_ThreatFeeds_URL.ThreatGRIDIPInfo(lFidoReturnValues);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host IP/GEO information:" + e);
            }

            try
            {
                //todo: this area is half-baked... why is bit9 return not being assigned to lFidoReturnValues?
                //If detector == AV then check if AV information has a filepath/name
                //then parse and send to bit9 to get additional info
                if ((lFidoReturnValues.Antivirus != null) && (The_Director_HostDetection.IsBit9Installed()))
                {
                    AntiVirusToBit9(lFidoReturnValues);
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending AV info to Bit9:" + e);
            }

            try
            {
                //this area will take detector hashes and reference them against Bit9
                //to see if Bit9 has seen the hash, where and if it was executed
                if (The_Director_HostDetection.IsBit9Installed())
                {
                    Console.WriteLine(@"Bit9 detected... cross-referencing hashes.");
                    //if FireEye has hashes send to Bit9
                    if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any()))
                    {
                        if (lFidoReturnValues.Bit9 == null)
                        {
                            lFidoReturnValues.Bit9 = new Bit9ReturnValues();
                        }
                        lFidoReturnValues.Bit9.Bit9Hashes = Detect_Bit9.GetFileInfo(lFidoReturnValues.FireEye.MD5Hash, null).ToArray();
                        //lFidoReturnValues = FireEyeHashToBit9(lFidoReturnValues);
                    }

                    //if FireEyeMPS has hashes send to Bit9

                    //if PaloAlto has hashes send to Bit9

                    //if Cyphort has hashes send to Bit9

                    //if Protectwise has hashes send to Bit9
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to Bit9:" + e);
            }

            try
            {
                //this area will send hash data to threatfeeds to get additional information
                //to be used in scoring for the attack

                lFidoReturnValues = The_Director_ThreatFeeds_Hash.DetectorsToThreatFeeds(lFidoReturnValues);

                //this area will send URL data to threatfeeds to get additional information
                //to be used in scoring for the attack
                lFidoReturnValues = The_Director_ThreatFeeds_URL.DetectorsToThreatFeeds(lFidoReturnValues);
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
            }

            //Send accumulated information to the Matrix for scoring
            Console.WriteLine(@"Running scoring matrix.");
            lFidoReturnValues = Matrix.RunMatrix(lFidoReturnValues);
            Console.WriteLine(@"Exiting scoring matrix.");

            var actions = new List <string>();

            //handoff to  enforcement
            //
            //

            //todo: more whack
            if (!lFidoReturnValues.IsSendAlert)
            {
                actions.Add("Created Ticket");
                actions.Add("Not Needed");
            }
            else
            {
                actions.Add("Created Ticket");
                actions.Add("Success");
            }
            //Thebelow highlighted out as the Service-Now module is too proprietary
            //in its current form to be included with OSS. What will happen in a future
            //version is a module to handle the different ticketing solutions,
            //Service-Now, Zendesk, ServiceDesk, etc., so that tickets can be
            //created based on user configuration.
            //ServiceNowUpdate.InsertResponse(lFidoReturnValues);

            lFidoReturnValues.Actions = actions;
            //send information for notifications
            Console.WriteLine(@"Sending notification.");
            Notification.Notification.Notify(lFidoReturnValues);


            //Send configurable information for output to syslog
            //SysLogger.SendEventToSyslog(lFidoReturnValues);

            //todo: WTF is this? It's whack, thats what...
            actions.Add("Update FIDO DB");
            actions.Add("Success");

            //update FIDO DB with event information
            Console.WriteLine(@"Updating FidoDB.");
            Fido_UpdateDB.InsertEventToDB(lFidoReturnValues);
        }
Exemplo n.º 20
0
    private static List<UrlReport> ParseUrl(IEnumerable<string> sURL)
    {

      //The below is a placeholder for when this will be encrypted.
      //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
      var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
      var vtLogin = new VirusTotal(sVTKey);
      var isRateLimited = Object_Fido_Configs.GetAsBool("fido.securityfeed.virustotal.ratelimited", false);
      List<UrlReport> sVirusTotalUrl = null;
      var sVTURLreturn = new List<UrlReport>();
      var newurl = string.Empty;
      var url = sURL as IList<string> ?? sURL.ToList();
      var fidoDB = new SqLiteDB();
      var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

      try
      {
        if (sURL != null)
        {
          for (var i = 0; i < url.Count(); i++)
          {

            if (!url[i].Contains("http://"))
            {
              newurl = "http://" + url[i];
            }
            else
            {
              newurl = url[i];
            }

            if (!isPaidFeed) Thread.Sleep(15000); 
            var sVTURLtemp = new List<UrlReport> { vtLogin.GetUrlReport(newurl) };
            if (!isPaidFeed) Thread.Sleep(20000); 
            var icount = 1;
            if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
            {
              Console.WriteLine(sVTURLtemp[0].VerboseMsg);
              Console.WriteLine(newurl);
              sVTURLreturn.Add(sVTURLtemp[0]);
              continue;
            }
            while (sVTURLtemp[0].VerboseMsg == "The requested resource is not among the finished, queued or pending scans" && icount <= 3)
            {
              Console.WriteLine(sVTURLtemp[0].VerboseMsg);
              Console.WriteLine(newurl);
              sVTURLtemp.RemoveAt(0);
              vtLogin.ScanUrl(newurl);
              //todo: move sleep integer to db
              Thread.Sleep(120000);
              icount++;
              sVTURLtemp.Add(vtLogin.GetUrlReport(newurl));
              if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
              {
                Console.WriteLine(sVTURLtemp[0].VerboseMsg);
                Console.WriteLine(newurl);
                sVTURLreturn.Add(sVTURLtemp[0]);
              }
            }
            //if (icount == 1)
            //{
            //  sVTURLreturn.Add(sVTURLtemp[0]);
            //}
          }
          if (sVTURLreturn.Any())
          {
            sVirusTotalUrl = sVTURLreturn;
            return sVirusTotalUrl;
          }
        }
      }
      catch (Exception e)
      {
        if (e.Message == "You have reached the 5 requests pr. min. limit of VirusTotal")
        {
          if (!isPaidFeed) Thread.Sleep(60000);
          sVirusTotalUrl = ParseUrl(url);
          return sVirusTotalUrl;
        }

        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
      }
      return sVirusTotalUrl;
    }
Exemplo n.º 21
0
        //The load will grab configurations for what FIDO is monitoring,
        //then go to each configured external system to parse any alerts.
        //Finally, FIDO is configured to pause per iteration on a
        //configurable timed basis.
        private void Fido_Load(object sender, EventArgs aug)
        {
            //Disabled the current time during current iteration.
            timer1.Enabled = false;
            Hide();

            //Check to see if Fido configurations exists and if not
            //fail with prompt that configurations are not found.
            Console.Clear();
            var sAppStartupPath = Application.StartupPath + @"\data\fido.db";

            if (!File.Exists(sAppStartupPath))
            {
                Console.WriteLine(@"Failed to load FIDO DB.");
                Application.Exit();
            }
            else
            {
                Console.WriteLine(@"Loaded FIDO DB successfully.");
            }

            //Load fido configs from database
            Object_Fido_Configs.LoadConfigFromDb("config");

            //Setup syslog
            var server1   = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
            var port1     = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
            var facility1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
            var sender1   = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
            var layout1   = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
            //SysLogger.Setup(server1, port1, facility1, sender1, layout1);

            //Beginning of primary area which starts parsing of alerts.
            var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
            var sDetectors  = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(',');

            try
            {
                Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");

                foreach (var detect in sDetectors)
                {
                    var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
                    //Get the detector, ie, email, log, web service, etc.
                    var sDetectorType = parseConfigs.DetectorType;
                    switch (sDetectorType)
                    {
                    case "api":
                        Console.WriteLine(@"Loading webservice receiver.");
                        Recieve_API.DirectToEngine(sDetectorType, detect);
                        break;

                    case "log":
                        Console.WriteLine(@"Loaded log receiver.");
                        var sDefaultServer = parseConfigs.Server;
                        var sDefaultFile   = parseConfigs.File;
                        var sVendor        = parseConfigs.Vendor;
                        Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                        break;

                    case "sql":
                        Console.WriteLine(@"Loaded sql receiver.");
                        Receive_SQL.DirectToEngine(sDetectorType, detect);
                        break;

                    case "email":
                        Console.WriteLine(@"Loaded email receiver.");
                        var sEmailVendor     = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                        var sDetectorsEmail  = parseConfigs.EmailFrom;
                        var sDetectorsFolder = parseConfigs.Folder;
                        Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                        break;
                    }
                }
            }
            catch (Exception e)
            {
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
            }

            //Sleep for X # of seconds per iteration specified in Fido configuration
            Application.DoEvents();
            var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);

            Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
            Thread.Sleep(iSleep);
            timer1.Enabled = true;
        }