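    /// <summary>
    /// Fetches the observations for every ProtectWise event (the Events array is reversed in
    /// place first) and hands each decoded search result to ParseProtectWiseObservation.
    /// A failure for one event is reported by e-mail and does not stop the remaining events.
    /// </summary>
    /// <param name="protectWiseReturn">Event list from the ProtectWise event query; its Events array is replaced by a reversed copy.</param>
    private static void ParseProtectWiseEvent(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Events protectWiseReturn)
    {
      protectWiseReturn.Events = protectWiseReturn.Events.Reverse().ToArray();

      // ServicePointManager.SecurityProtocol is process-global, so set it once rather than per event.
      // The original pinned SecurityProtocolType.Tls (TLS 1.0), which is deprecated; require TLS 1.2.
      ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
      // Detector config does not change between events; parse it once.
      var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("protectwisev1-event");

      foreach (var pevent in protectWiseReturn.Events)
      {
        Console.WriteLine(@"Gathering ProtectWise observations for event: " + pevent.Message + @".");

        // The event id comes from the ProtectWise API response, i.e. from outside this process;
        // escape it so it can only ever form a single path segment of the request URL.
        var eventId = Convert.ToString(pevent.Id) ?? string.Empty;
        var request = parseConfigs.Server + parseConfigs.Query2 + Uri.EscapeDataString(eventId);
        var alertRequest = (HttpWebRequest) WebRequest.Create(request);
        alertRequest.Headers[@"X-Access-Token"] = parseConfigs.APIKey;
        alertRequest.Method = "GET";
        try
        {
          using (var protectwiseResponse = alertRequest.GetResponse() as HttpWebResponse)
          {
            if (protectwiseResponse == null || protectwiseResponse.StatusCode != HttpStatusCode.OK) continue;

            using (var respStream = protectwiseResponse.GetResponseStream())
            {
              // A missing body for one event must not abort the remaining events
              // (the original returned from the whole method here).
              if (respStream == null) continue;

              using (var protectwiseReader = new StreamReader(respStream, Encoding.UTF8))
              {
                var stringreturn = protectwiseReader.ReadToEnd();
                var protectwiseReturn = JsonConvert.DeserializeObject<Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event>(stringreturn);
                if (protectwiseReturn != null)
                {
                  ParseProtectWiseObservation(protectwiseReturn, pevent.Message);
                }
              }
            }
            // The using blocks dispose the reader, stream and response; the original's extra
            // GetResponseStream()/Dispose()/Close() calls at this point were redundant.
          }
        }
        catch (Exception e)
        {
          // The original message carried a stray "{0}" placeholder that was never substituted.
          Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in ProtectWise v1 Detector when getting json:" + e);
        }
      }
    }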
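    /// <summary>
    /// Builds a FidoReturnValues record for each observation of a ProtectWise search result and
    /// runs the IP / URL / IDS formatters that apply to it. Observations whose source or
    /// destination is 0.0.0.0, that were already alerted on, or that match the EICAR test
    /// signature are skipped. Any exception is reported by e-mail and ends processing of the
    /// remaining observations, as in the original.
    /// </summary>
    /// <param name="protectwiseReturn">Search result for one event; its Id, Observations and Netflow members are read.</param>
    /// <param name="malwareType">Event-level message stored as the MalwareType of every record built here.</param>
    private static void ParseProtectWiseObservation(Object_ProtectWise_Threat_ConfigClass.ProtectWise_Search_Event protectwiseReturn, string malwareType)
    {
      try
      {
        if (protectwiseReturn == null || protectwiseReturn.Observations == null) return;

        // Loop-invariant counts; Netflow is indexed with the observation index below.
        var observationCount = protectwiseReturn.Observations.Count();
        var netflowCount = protectwiseReturn.Netflow == null ? 0 : protectwiseReturn.Netflow.Count();

        for (var i = 0; i < observationCount; i++)
        {
          var obs = protectwiseReturn.Observations[i];

          // A 0.0.0.0 endpoint carries nothing to attribute or look up.
          if (obs.Flow.IP.DstIP == "0.0.0.0") continue;
          Console.WriteLine(@"Processing ProtectWise observation " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + observationCount.ToString(CultureInfo.InvariantCulture) + @".");
          if (obs.Flow.IP.SrcIP == "0.0.0.0") continue;
          // Nothing can be correlated without the event id.
          if (string.IsNullOrEmpty(protectwiseReturn.Id)) continue;

          var lFidoReturnValues = new FidoReturnValues();
          // Only fill in what the constructor left null, as the original did.
          lFidoReturnValues.PreviousAlerts = lFidoReturnValues.PreviousAlerts ?? new EventAlerts();
          lFidoReturnValues.ProtectWise = lFidoReturnValues.ProtectWise ?? new ProtectWiseReturnValues();
          lFidoReturnValues.ProtectWise.EventDetails = protectwiseReturn;
          lFidoReturnValues.ProtectWise.IncidentDetails = obs;

          // Generic event details for TheDirector. The event-level message is used as the
          // malware type; the original also built a per-observation category string and then
          // immediately overwrote it with this value, so that dead store is dropped here.
          lFidoReturnValues.CurrentDetector = "protectwisev1";
          lFidoReturnValues.MalwareType = malwareType;

          // NOTE(review): indexing Netflow with the observation index assumes the two collections
          // are parallel — confirm against the API. The bounds check only prevents a shorter
          // Netflow collection from aborting the whole event through the catch below.
          if (i < netflowCount && protectwiseReturn.Netflow[i].GEO != null)
          {
            lFidoReturnValues.ProtectWise.GEO = protectwiseReturn.Netflow[i].GEO;
          }

          // Site convention: a 10.x destination means the flow is inbound, so the internal host
          // is recorded as SrcIP and the remote peer as DstIP/URL. Ordinal comparison because this
          // is an address prefix, not text. Other RFC 1918 ranges are not recognised here.
          var dstIsInternal = obs.Flow.IP.DstIP.StartsWith("10.", StringComparison.Ordinal);
          var internalIp = dstIsInternal ? obs.Flow.IP.DstIP : obs.Flow.IP.SrcIP;
          var remoteIp = dstIsInternal ? obs.Flow.IP.SrcIP : obs.Flow.IP.DstIP;
          lFidoReturnValues.SrcIP = internalIp;
          lFidoReturnValues.DstIP = remoteIp;
          lFidoReturnValues.ProtectWise.DstIP = remoteIp;
          lFidoReturnValues.ProtectWise.URL = remoteIp;

          lFidoReturnValues.ProtectWise.EventID = obs.EventID;
          lFidoReturnValues.AlertID = obs.EventID;
          var eventTime = FromEpochTime(obs.EventTime).ToString();
          lFidoReturnValues.TimeOccurred = eventTime;
          lFidoReturnValues.ProtectWise.EventTime = eventTime;

          if (obs.Data.URL_Reputation != null)
          {
            // Defang the host part (dots -> "(.)") so it is not a live link in alert output.
            // NOTE(review): Split('/')[0] is the host only when Url carries no scheme prefix —
            // confirm the API's Url format.
            var getDomain = obs.Data.URL_Reputation.Url.Split('/');
            lFidoReturnValues.DNSName = getDomain[0].Replace(".", "(.)");
          }

          // Skip observations already alerted on, and the EICAR test signature.
          // NOTE(review): the original returned here, abandoning the remaining observations of
          // the event; continue is assumed to be the intent since every other skip in this loop
          // continues — confirm.
          lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
          var isRunDirector = lFidoReturnValues.PreviousAlerts.Alerts != null
                              && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0
                              && PreviousAlert(lFidoReturnValues, lFidoReturnValues.ProtectWise.EventID, lFidoReturnValues.ProtectWise.EventTime);
          if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue;

          if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.Ip_Reputation != null)
          {
            lFidoReturnValues = FormatIPReturnValues(lFidoReturnValues);
          }

          if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
          {
            lFidoReturnValues = FormatURLReturnValues(lFidoReturnValues);
          }

          // File_Reputation and DNS_Reputation observations are not formatted yet
          // (the original had empty branches for both).

          if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.IdsEvent != null)
          {
            lFidoReturnValues = FormatIdsReturnValues(lFidoReturnValues);
          }
        }
      }
      catch (Exception e)
      {
        // The original message carried a stray "{0}" placeholder that was never substituted.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in ProtectWise v1 Detector parse:" + e);
      }
    }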