/* * private void Helper_GetVulnerabilities(XmlDocument s, string ipadress) * { * List<VulnerabilityFound> list_VulnerabilityFound; * list_VulnerabilityFound = new List<VulnerabilityFound>(); * * XmlNodeList nvtsNodes; * nvtsNodes = s.SelectNodes("/openvas-report/nvts/nvt"); * * Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("There are {0} nvts nodes to process", nvtsNodes.Count)); * * foreach (XmlNode nvtNode in nvtsNodes) * { * string nvtId; * nvtId = nvtNode.Attributes["oid"].InnerText; * * Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Handling nvtid {0}", nvtId)); * * string summary = nvtNode.SelectSingleNode("summary").InnerText; * string risk = nvtNode.SelectSingleNode("risk").InnerText; * string cve_Value = nvtNode.SelectSingleNode("cve_id").InnerText; * * Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Summary = [{0}]", summary)); * Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Risk = [{0}]", risk)); * Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" CVE = [{0}]", cve_Value)); * * VulnerabilityFound vulnerabilityFound; * vulnerabilityFound = new VulnerabilityFound(); * vulnerabilityFound.InnerXml = nvtNode.InnerXml; * vulnerabilityFound.Description = summary; * vulnerabilityFound.Severity = risk; * if (cve_Value.Trim().ToUpper() != "NOCVE") * { * string[] list_Cve_Value; * list_Cve_Value = cve_Value.Split(new char[] { ',' }); * * foreach (string cve in list_Cve_Value) * { * VulnerabilityFound.Item cve_Item; * cve_Item = new VulnerabilityFound.Item(); * cve_Item.ID = "cve"; * cve_Item.Value = cve; * * vulnerabilityFound.ListItem.Add(cve_Item); * } * } * * string protocol = portNode.Attributes["protocol"].Value; * * int port = -1; * if (portNode.Attributes["portid"] != null) * port = Convert.ToInt32(portNode.Attributes["portid"].Value); * * Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Processing port {0} protocol {1}", port, protocol)); * * VulnerabilityEndPoint vulnerabilityEndPoint; * vulnerabilityEndPoint = new VulnerabilityEndPoint(); * vulnerabilityEndPoint.IpAdress = m_target; * vulnerabilityEndPoint.Protocol = protocol; * vulnerabilityEndPoint.Port = port; * * foreach (XmlNode informationNode in portNode.SelectNodes("information")) * { * string nvtId = informationNode.SelectSingleNode("id").InnerText; * * * * VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "OpenVas", m_model); * } * } * } */ private List <VulnerabilityFound.Item> splitCVE(string s) { List <VulnerabilityFound.Item> r = new List <VulnerabilityFound.Item>(); string[] tab = s.Split(new char[] { ' ', '\n', '\r', 't' }); foreach (string n in tab) { VulnerabilityFound.Item item; item = new VulnerabilityFound.Item(); item.ID = "cve"; item.Value = n; r.Add(item); } return(r); }
private List <VulnerabilityFound.Item> Helper_GetCVE(XmlNode reportItem) { List <VulnerabilityFound.Item> l = new List <VulnerabilityFound.Item>(); foreach (XmlNode child in reportItem.ChildNodes) { if (child.Name.ToUpper() == "cve".ToUpper()) { VulnerabilityFound.Item item = new VulnerabilityFound.Item(); item.Value = child.InnerText; item.ID = "cve"; l.Add(item); } } return(l); }
private List<VulnerabilityFound.Item> Helper_GetCVE(XmlNode node) { List<VulnerabilityFound.Item> l; l = new List<VulnerabilityFound.Item>(); try { XmlNodeList nodes = node.ChildNodes; foreach (XmlNode n in nodes) { if (n.Attributes["type"] != null) { VulnerabilityFound.Item item = new VulnerabilityFound.Item(); item.ID = n.Attributes["type"].InnerText; item.Value = n.InnerText; l.Add(item); } } } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in Helper_GetCVE : Exception = {0}", ex.Message)); } return l; }
private void Helper_GetVulnerabilities(XmlDocument s, string ipadress) { List <VulnerabilityFound> list_VulnerabilityFound; list_VulnerabilityFound = new List <VulnerabilityFound>(); XmlNodeList portNodes; portNodes = s.SelectNodes("/openvas-report/results/result/ports/port"); //Hardcoded Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("There are {0} port nodes to process", portNodes.Count)); foreach (XmlNode portNode in portNodes) { string protocol = portNode.Attributes["protocol"].Value.ToUpper(); int port = -1; if (portNode.Attributes["portid"] != null) { port = Convert.ToInt32(portNode.Attributes["portid"].Value); } Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format("Processing port {0} protocol {1}", port, protocol)); VulnerabilityEndPoint vulnerabilityEndPoint; vulnerabilityEndPoint = new VulnerabilityEndPoint(); vulnerabilityEndPoint.IpAdress = m_target; vulnerabilityEndPoint.Protocol = protocol; vulnerabilityEndPoint.Port = port; XmlNode ServiceNode = portNode.SelectSingleNode("service"); vulnerabilityEndPoint.Service = ServiceNode.Attributes["name"].Value.ToUpper(); foreach (XmlNode informationNode in portNode.SelectNodes("information")) { string severity = informationNode.SelectSingleNode("severity").InnerText; //<severity>Log Message</severity> : Information => should be ignored //<severity>Security Note</severity> //<severity>Security Warning</severity> string nvtId = informationNode.SelectSingleNode("id").InnerText; Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Handling nvtid {0}", nvtId)); XmlNode nvtNode; nvtNode = s.SelectSingleNode("/openvas-report/nvts/nvt[@oid='" + nvtId + "']"); string title = nvtNode.SelectSingleNode("name").InnerText; string summary = nvtNode.SelectSingleNode("summary").InnerText; string risk = nvtNode.SelectSingleNode("risk").InnerText; string cve_Value = nvtNode.SelectSingleNode("cve_id").InnerText; string bid_Value = nvtNode.SelectSingleNode("bugtraq_id").InnerText; Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Title = [{0}]", title)); Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Summary = [{0}]", summary)); Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" Risk = [{0}]", risk)); Utils.Helper_Trace("XORCISM PROVIDER OPENVAS", string.Format(" CVE = [{0}]", cve_Value)); VulnerabilityFound vulnerabilityFound; vulnerabilityFound = new VulnerabilityFound(); vulnerabilityFound.InnerXml = nvtNode.InnerXml; vulnerabilityFound.Title = title; vulnerabilityFound.Description = summary; vulnerabilityFound.DetailedInformation = informationNode.SelectSingleNode("data").InnerText; vulnerabilityFound.Consequence = informationNode.SelectSingleNode("data").InnerText; //TODO: regex parse OWASP:OWASP-CM-006 //vulnerabilityFound.Severity = risk; //Risk Could be: //None, Unknown, Informational, Low, Medium, High switch (risk) { case "None": vulnerabilityFound.Severity = "1"; break; case "Unknown": vulnerabilityFound.Severity = "1"; break; case "Informational": vulnerabilityFound.Severity = "2"; break; case "Low": vulnerabilityFound.Severity = "3"; break; case "Medium": vulnerabilityFound.Severity = "4"; break; case "High": vulnerabilityFound.Severity = "5"; break; } if (cve_Value.Trim().ToUpper() != "NOCVE") { string[] list_Cve_Value; list_Cve_Value = cve_Value.Split(new char[] { ',' }); foreach (string cve in list_Cve_Value) { VulnerabilityFound.Item cve_Item; cve_Item = new VulnerabilityFound.Item(); cve_Item.ID = "cve"; cve_Item.Value = cve; vulnerabilityFound.ListItem.Add(cve_Item); } } if (bid_Value.Trim().ToUpper() != "NOBID") { string[] list_bid_Value; list_bid_Value = bid_Value.Split(new char[] { ',' }); foreach (string bid in list_bid_Value) { VulnerabilityFound.Reference bid_Reference; bid_Reference = new VulnerabilityFound.Reference(); bid_Reference.Source = "BID"; bid_Reference.Title = bid; bid_Reference.Url = "http://www.securityfocus.com/bid/" + bid; vulnerabilityFound.ListReference.Add(bid_Reference); } } VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "OpenVas", m_model); } } }
public void parse() { Assembly a; a = Assembly.GetExecutingAssembly(); Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Assembly location = " + a.Location); // ============================================ // Parse the XML Document and populate the database // ============================================ // Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "data = " + m_data); XmlDocument doc = new XmlDocument(); doc.LoadXml(m_data); XORCISMEntities model; model = new XORCISMEntities(); string query = "/ScanGroup/Scan"; //Hardcoded XmlNode report; report = doc.SelectSingleNode(query); string ipAddress = string.Empty; ipAddress = HelperGetChildInnerText(report, "StartURL"); //Hardcoded if (ipAddress.Substring(ipAddress.Length - 1, 1) == "/") { ipAddress = ipAddress.Substring(0, ipAddress.Length - 1); } Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Handling host with IP {0}", ipAddress)); // =============================================== // If necessary, creates an asset in the database // =============================================== //TODO var myass = from ass in model.ASSET where ass.ipaddressIPv4 == ipAddress //&& ass.AccountID == m_AccountID select ass; ASSET asset = myass.FirstOrDefault(); if (asset == null) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creates a new entry in table ASSET for this IP"); asset = new ASSET(); //asset.AccountID = m_AccountID; asset.AssetName = ipAddress; asset.AssetDescription = ipAddress; asset.ipaddressIPv4 = ipAddress; asset.Enabled = true; //asset.JobID = m_JobId; model.ASSET.Add(asset); model.SaveChanges(); } else { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "This IP already corresponds to an existing asset"); } Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Creating ASSETINSESSION reference"); ASSETSESSION assinsess = new ASSETSESSION(); assinsess.AssetID = asset.AssetID; assinsess.SessionID = model.JOB.Single(x => x.JobID == m_JobId).SessionID; model.ASSETSESSION.Add(assinsess); model.SaveChanges(); Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "Update JOB with ASSETINSESSIONID"); JOB daJob = model.JOB.Single(x => x.JobID == m_JobId); daJob.AssetSessionID = assinsess.AssetSessionID; model.SaveChanges(); Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", "VULNERABILITIES FOUND"); query = "/ScanGroup/Scan/ReportItems"; report = doc.SelectSingleNode(query); foreach (XmlNode n in report.ChildNodes) { if (n.Name.ToUpper() == "ReportItem".ToUpper() && n.ChildNodes != null && n.ChildNodes.Count > 0) { //TODOs HARDCODED VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint(); vulnerabilityEndPoint.IpAdress = ipAddress; vulnerabilityEndPoint.Protocol = "TCP"; // "http"; //https ... A VOIR vulnerabilityEndPoint.Port = 80; //443 ... A VOIR VulnerabilityFound vulnerabilityFound = new VulnerabilityFound(); //vulnerabilityFound.ListItem = Helper_GetCVE(n); vulnerabilityFound.InnerXml = n.OuterXml; //To eliminate VULNERABILITY (Value) duplicates: /* * string pattern = @"ReportItem id=""\d\d?\d?"""; * string s = Regex.Replace(n.OuterXml, pattern, "ReportItem id=\"0\""); * vulnerabilityFound.InnerXml = s; */ string url = HelperGetChildInnerText(n, "Affects"); //Server vulnerabilityFound.Url = url; if (url.ToLower().Contains("https://")) { vulnerabilityEndPoint.Port = 443; } Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Url: {0}", url)); vulnerabilityFound.Type = HelperGetChildInnerText(n, "Type"); if (HelperGetChildInnerText(n, "IsFalsePositive") == "False") { vulnerabilityFound.IsFalsePositive = false; } else { vulnerabilityFound.IsFalsePositive = true; } vulnerabilityFound.Title = HelperGetChildInnerText(n, "Name"); //ModuleName //Affects vulnerabilityFound.Description = HelperGetChildInnerText(n, "Description"); //Extract the CVEs List <VulnerabilityFound.Item> ListCVEs = new List <VulnerabilityFound.Item>(); //MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), "CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]"); MatchCollection matches = Regex.Matches(HelperGetChildInnerText(n, "Description"), @"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})"); //myRegexCVE //https://cve.mitre.org/cve/identifiers/tech-guidance.html foreach (Match match in matches) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CVE: {0}", match.Groups[1].Value)); VulnerabilityFound.Item item; item = new VulnerabilityFound.Item(); item.ID = "cve"; item.Value = match.Groups[1].Value; ListCVEs.Add(item); } string mySeverity = HelperGetChildInnerText(n, "Severity"); switch (mySeverity) { //HARDCODED case "high": mySeverity = "High"; break; case "medium": mySeverity = "Medium"; break; case "low": mySeverity = "Low"; break; //case "info" } vulnerabilityFound.Severity = mySeverity; Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("Severity: {0}", mySeverity)); string DetailsAnalysis = HelperGetChildInnerText(n, "Details"); if (DetailsAnalysis.Contains("URL encoded GET")) { vulnerabilityFound.VulnerableParameterType = "GET"; //should be Querystring for Netsparker var regex = new Regex(@"URL encoded GET input <b><font color=""dark"">(.*?)</font></b>"); var match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameter = match.Groups[1].Value; regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>"); match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value; } } } if (DetailsAnalysis.Contains("URL encoded POST")) { vulnerabilityFound.VulnerableParameterType = "POST"; //should be Post for Netsparker var regex = new Regex(@"URL encoded POST input <b><font color=""dark"">(.*?)</font></b>"); var match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameter: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameter = match.Groups[1].Value; regex = new Regex(@"was set to <b><font color=""dark"">(.*?)</font></b>"); match = regex.Match(DetailsAnalysis); if (match.Success) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("VulnerableParameterValue: {0}", match.Groups[1].Value)); vulnerabilityFound.VulnerableParameterValue = match.Groups[1].Value; } } } //vulnerabilityFound.VulnerableParameterType = HelperGetChildInnerText(n, "vulnerableparametertype"); //vulnerabilityFound.VulnerableParameter = HelperGetChildInnerText(n, "vulnerableparameter"); //in <Details>: //URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">4-2+2*3-6</font></b> //URL encoded GET input <b><font color="dark">id</font></b> was set to <b><font color="dark">1'</font></b><br/>Error message found: <pre wrap="virtual"><font color="blue">supplied argument is not a valid MySQL result</font></pre> //URL encoded POST input <b><font color="dark">name</font></b> was set to <b><font color="dark">'"()&%1<ScRiPt >prompt(983150)</ScRiPt></font></b> //vulnerabilityFound.VulnerableParameterValue = HelperGetChildInnerText(n, "vulnerableparametervalue"); List <VulnerabilityFound.Reference> ListReferences = new List <VulnerabilityFound.Reference>(); foreach (XmlNode nchild in n.ChildNodes) { if (nchild.Name.ToUpper() == "TechnicalDetails".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0) { //rawrequest vulnerabilityFound.rawrequest = HelperGetChildInnerText(nchild, "Request"); //rawresponse vulnerabilityFound.rawresponse = HelperGetChildInnerText(nchild, "Response"); } if (nchild.Name.ToUpper() == "References".ToUpper() && nchild.ChildNodes != null && nchild.ChildNodes.Count > 0) { foreach (XmlNode reference in nchild) { /* * REFERENCE myReference = new REFERENCE(); * myReference.Source = HelperGetChildInnerText(reference, "Database"); * myReference.Url = HelperGetChildInnerText(reference, "URL"); * * model.AddToREFERENCE(myReference); */ VulnerabilityFound.Reference refvuln = new VulnerabilityFound.Reference(); refvuln.Title = HelperGetChildInnerText(reference, "Database"); string refurl = HelperGetChildInnerText(reference, "URL").ToLower(); refvuln.Url = refurl; refvuln.Source = HelperGetChildInnerText(reference, "Database"); //Try to harmonise the Source with the other imports (ie: exploits) //HARDCODED //TODO: Use a Common Function if (refurl.Contains("/bugtraq/")) { refvuln.Source = "BUGTRAQ"; } if (refurl.Contains("marc.theaimsgroup.com/?l=bugtraq")) { refvuln.Source = "BUGTRAQ"; } if (refurl.Contains("securityfocus.com/bid")) { refvuln.Source = "BID"; } if (refurl.Contains("osvdb.org/")) { refvuln.Source = "OSVDB"; } if (refurl.Contains("xforce.iss.net/")) { refvuln.Source = "XF"; } if (refurl.Contains("www.iss.net/")) { refvuln.Source = "XF"; } if (refurl.Contains("www.ciac.org/")) { refvuln.Source = "CIAC"; } if (refurl.Contains("ciac.llnl.gov/")) { refvuln.Source = "CIAC"; } if (refurl.Contains("www.cert.org/")) { refvuln.Source = "CERT"; } if (refurl.Contains("sunsolve.sun.org/")) { refvuln.Source = "SUN"; } if (refurl.Contains("sunsolve.sun.com/")) { refvuln.Source = "SUN"; } if (refurl.Contains("patches.sgi.com/")) { refvuln.Source = "SGI"; } if (refurl.Contains("microsoft.com/default.aspx?scid=kb")) { refvuln.Source = "MSKB"; } if (refurl.Contains("ftp.sco.com/")) { refvuln.Source = "SCO"; } if (refurl.Contains("www.trustix.org/")) { refvuln.Source = "TRUSTIX"; } if (refurl.Contains("ftp.freebsd.org/")) { refvuln.Source = "FREEBSD"; } if (refurl.Contains("www.secunia.com/")) { refvuln.Source = "SECUNIA"; } if (refurl.Contains("www.vupen.com/")) { refvuln.Source = "VUPEN"; } if (refurl.Contains("www.securitytracker.com/")) { refvuln.Source = "SECTRACK"; } if (refurl.Contains("www.redhat.com/")) { refvuln.Source = "REDHAT"; } if (refurl.Contains("www.exploit-db.com/")) { refvuln.Source = "EXPLOIT-DB"; } if (refurl.Contains("www.milw0rm.com/")) { refvuln.Source = "MILW0RM"; } if (refurl.Contains("www.microsoft.com/")) { refvuln.Source = "MS"; } if (refurl.Contains("seclists.org/fulldisclosure")) { refvuln.Source = "FULLDISC"; } ListReferences.Add(refvuln); } } } vulnerabilityFound.ListReference = ListReferences; vulnerabilityFound.ListItem = ListCVEs; vulnerabilityFound.Result = HelperGetChildInnerText(n, "Details"); vulnerabilityFound.Consequence = HelperGetChildInnerText(n, "Impact"); vulnerabilityFound.Solution = HelperGetChildInnerText(n, "Recommendation"); //DetailedInformation vulnerabilityFound.DetailedInformation = HelperGetChildInnerText(n, "DetailedInformation"); //TODO bool PatchUpgrade = false; string MSPatch = ""; int etat = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_JobId, "acunetix", model); if (etat == -1) { Utils.Helper_Trace("XORCISM PROVIDER ACUNETIX", string.Format("CANNOT IMPORT THIS ASSET !!!! ")); } } } }
public void parse() { Assembly a; a = Assembly.GetExecutingAssembly(); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Assembly location = " + a.Location); XmlDocument doc = new XmlDocument(); #region HackCenzic /* string filename; filename = @"C:\Cenzic_webscan.xml"; //Hardcoded doc.Load(filename); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("HackFile should be located at : " + filename)); */ #endregion // ============================================ // Parse the XML Document and populate the database // ============================================ string protocol = string.Empty; //int port = -1; string service = string.Empty; //bool PatchUpgrade = false; //string title; //string MSPatch = ""; //string Solution; m_data = m_data.Replace("Configurable format #", "Configurable"); //Hardcoded Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("m_data = {0}", m_data)); try { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Loading the XML document"); doc.LoadXml(m_data); } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Exception = {0} / {1}", ex.Message, ex.InnerException == null ? "" : ex.InnerException.Message)); } XORCISMEntities model; model = new XORCISMEntities(); string query = "/AssessmentRunData/SmartAttacks/SmartAttacksData"; //Hardcoded XmlNodeList report; report = null; try { report = doc.SelectNodes(query); } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error SelectNodes({0}) : Exception = {1}", query, ex.Message)); return; } //We should retrieve the target for an import string m_target = string.Empty; string patterntoken = "<Url>(.*?)</Url>"; MatchCollection matchesurl = Regex.Matches(m_data, patterntoken); foreach (Match match in matchesurl) { m_target = match.Value.Replace("<Url>", "").Replace("</Url>", ""); //Console.WriteLine(mytoken); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "target: " + m_target); } int myPort = 80; if (m_target.Contains("https://")) { myPort = 443; } //Check if we have a custom port, ex: http://10.20.30.40:8080/test string strTargetTest = m_target; strTargetTest = strTargetTest.Replace("http://", ""); strTargetTest = strTargetTest.Replace("https://", ""); try { if (strTargetTest.Contains(":")) { char[] splitter = { ':' }; string[] strSplit = strTargetTest.Split(splitter); strTargetTest = strSplit[1]; if (strTargetTest.Contains("/")) { strSplit = strTargetTest.Split(new Char[] { '/' }); strTargetTest = strSplit[0]; } try { myPort = Convert.ToInt32(strTargetTest); } catch (FormatException e) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", strTargetTest + " is not a sequence of digits."); } Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Custom Port:{0}", strTargetTest)); } else { if (strTargetTest.Contains("/")) { string[] strSplit = strTargetTest.Split(new Char[] { '/' }); strTargetTest = strSplit[0]; if (m_target.Contains("https://")) { m_target = "https://" + strTargetTest; } if (m_target.Contains("http://")) { m_target = "http://" + strTargetTest; } } } } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error in strTargetTest : Exception = {0}", ex.Message)); } Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "the m_target=" + m_target); // =============================================== // If necessary, creates an asset in the database // =============================================== //TODO var myass = from ass in model.ASSET where ass.ipaddressIPv4 == m_target //&& ass.AccountID == m_AccountID select ass; ASSET asset = myass.FirstOrDefault(); if (asset == null) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Creates a new entry in table ASSET for this IP"); asset = new ASSET(); //asset.AccountID = m_AccountID; asset.AssetName = m_target; asset.AssetDescription = m_target; asset.ipaddressIPv4 = m_target; asset.Enabled = true; //asset.JobID = m_jobId; model.ASSET.Add(asset); model.SaveChanges(); } else { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "This IP already corresponds to an existing asset"); } int m_assetId = asset.AssetID; int m_sessionId = (int)model.JOB.Single(x => x.JobID == m_jobId).SessionID; Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Creating ASSETINSESSION reference"); ASSETSESSION assinsess = new ASSETSESSION(); assinsess.AssetID = asset.AssetID; assinsess.SessionID = m_sessionId; // model.JOB.Single(x => x.JobID == m_jobId).SessionID; model.ASSETSESSION.Add(assinsess); model.SaveChanges(); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Update JOB with ASSETINSESSIONID"); JOB daJob = model.JOB.Single(x => x.JobID == m_jobId); daJob.AssetSessionID = assinsess.AssetSessionID; model.SaveChanges(); VulnerabilityEndPoint vulnerabilityEndPoint = new VulnerabilityEndPoint(); vulnerabilityEndPoint.IpAdress = m_target; vulnerabilityEndPoint.Protocol = "TCP"; // "http"; vulnerabilityEndPoint.Port = myPort; vulnerabilityEndPoint.Service = "WWW"; int myEndpointID = 0; var testEndpoint = from e in model.ENDPOINT where e.AssetID == m_assetId && e.SessionID == m_sessionId select e; if (testEndpoint.Count() == 0) { ENDPOINT newEndpoint = new ENDPOINT(); newEndpoint.AssetID = m_assetId; newEndpoint.SessionID = m_sessionId; newEndpoint.ProtocolName = "TCP"; // "http"; newEndpoint.PortNumber = myPort; newEndpoint.Service = "WWW"; model.ENDPOINT.Add(newEndpoint); model.SaveChanges(); myEndpointID = newEndpoint.EndPointID; } else { myEndpointID = testEndpoint.FirstOrDefault().EndPointID; } Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("myEndpointID:{0}", myEndpointID)); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Found {0} SmartAttacks to parse", report.Count)); foreach (XmlNode reportHost in report) { // ================================== // Handle every SmartAttacksData tag // ================================== string myInnerXml = string.Empty; string myTitle = string.Empty; string myDescription = string.Empty; string myConsequence = string.Empty; string myResult = string.Empty; string mySolution = string.Empty; string myCVE = string.Empty; MatchCollection myCVEs; string myPCI = string.Empty; string myMessage = string.Empty; foreach (XmlNode n in reportHost.ChildNodes) { //SmartAttackInfo //ReportItems XmlNodeList Childs = n.ChildNodes; Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Coucou 1")); try { if (n.Name == "SmartAttackInfo") { myInnerXml = n.OuterXml; myTitle = HelperGetChildInnerText(n, "SmartAttackName"); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Found SmartAttackName:{0}", myTitle)); Regex myRegex = new Regex("PCI [0-9].[0-9].[0-9]"); myPCI = myRegex.Match(myTitle).ToString(); if (myPCI != "") { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "PCI=" + myPCI); } //Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("myInnerXml:{0}", myInnerXml)); //Hardcoded myDescription = HelperGetChildInnerText(n, "Description"); myConsequence = HelperGetChildInnerText(n, "HowItWorks"); myResult = HelperGetChildInnerText(n, "Impact"); mySolution = HelperGetChildInnerText(n, "Remediation"); } } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in SmartAttackInfo : Exception = {0}", ex.Message)); } if (n.Name == "ReportItems") { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Coucou 2")); foreach (XmlNode x in n.ChildNodes) { //HARDCODED //ReportItem foreach (XmlNode ReportItem in x.ChildNodes) { myMessage = ""; if (ReportItem.Name == "ReportItemType") { //Pass if (ReportItem.InnerText == "Information") { try { //TODO /* Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Information")); INFORMATION newInformation = new INFORMATION(); //newInformation.InnerXml newInformation.Title = myTitle; newInformation.Description = myDescription; newInformation.Consequence = myConsequence; newInformation.Result = myResult; newInformation.Solution = mySolution; newInformation.Severity = HelperGetChildInnerText(x, "Severity"); newInformation.HarmScore = int.Parse(HelperGetChildInnerText(x, "HarmScore")); myMessage = HelperGetChildInnerText(x, "Message"); newInformation.Message = myMessage; //TODO A FAIRE //Matching avec les références //http://www.securityfocus.com/bid/43140/info //http://www.securityfocus.com/bid/43140/solution newInformation.Url = HelperGetChildInnerText(x, "Url"); newInformation.rawrequest = HelperGetChildInnerText(x, "HttpRequest"); newInformation.rawresponse = HelperGetChildInnerText(x, "HttpResponse"); if (myPCI != "") { newInformation.PCI_FLAG = true; } newInformation.JobID = m_jobId; newInformation.EndPointID = myEndpointID; model.AddToINFORMATION(newInformation); model.SaveChanges(); */ } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in Information : Exception = {0}. {1}", ex.Message, ex.InnerException)); } } if (ReportItem.InnerText == "Warning") { try { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Warning")); VulnerabilityFound vulnerabilityFound = new VulnerabilityFound(); vulnerabilityFound.InnerXml = myInnerXml; vulnerabilityFound.Title = myTitle; Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Adding SmartAttackName:{0}", myTitle)); vulnerabilityFound.Description = myDescription; vulnerabilityFound.Consequence = myConsequence; vulnerabilityFound.Result = myResult; vulnerabilityFound.Solution = mySolution; if (myPCI != "") { vulnerabilityFound.PCI_FLAG = true; } //ReportItemCreateDate vulnerabilityFound.Severity = HelperGetChildInnerText(x, "Severity"); //Low, Medium, High //Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("WARNING Severity:{0}", HelperGetChildInnerText(x, "Severity"))); vulnerabilityFound.HarmScore = int.Parse(HelperGetChildInnerText(x, "HarmScore")); //Count myMessage=HelperGetChildInnerText(x, "Message"); //vulnerabilityFound.Message = myMessage; //not exact because same VULNERABILITY will have various Messages vulnerabilityFound.rawresponse = myMessage; //Regex objNaturalPattern = new Regex("CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]"); Regex myRegexCVE = new Regex(@"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})"); //TODO: Update this? //https://cve.mitre.org/cve/identifiers/tech-guidance.html /* myCVE = objNaturalPattern.Match(myMessage).ToString(); if (myCVE != "") { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "CVE=" + myCVE); } */ List<VulnerabilityFound.Item> l; l = new List<VulnerabilityFound.Item>(); myCVEs = myRegexCVE.Matches(myMessage); foreach (Match match in myCVEs) { foreach (Capture capture in match.Captures) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Index={0}, CVE={1}", capture.Index, capture.Value)); VulnerabilityFound.Item item; item = new VulnerabilityFound.Item(); item.Value = capture.Value; item.ID = "cve"; l.Add(item); } } vulnerabilityFound.ListItem = l; vulnerabilityFound.Url = HelperGetChildInnerText(x, "Url"); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Url={0}", HelperGetChildInnerText(x, "Url"))); vulnerabilityFound.rawrequest = HelperGetChildInnerText(x, "HttpRequest"); //vulnerabilityFound.rawresponse = HelperGetChildInnerText(x, "HttpResponse"); //StructuredData //*** Compliances? voir en bas //http://www.cenzic.com/downloads/Cenzic_CWE.pdf int VulnID = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model); } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("JobID:" + m_jobId + " Error in Warning : Exception = {0}. {1}", ex.Message, ex.InnerException)); } } if (ReportItem.InnerText == "Vulnerable") { try { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Vulnerable")); VulnerabilityFound vulnerabilityFound = new VulnerabilityFound(); vulnerabilityFound.InnerXml = myInnerXml; vulnerabilityFound.Title = myTitle; Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Adding SmartAttackName:{0}", myTitle)); vulnerabilityFound.Description = myDescription; vulnerabilityFound.Consequence = myConsequence; vulnerabilityFound.Result = myResult; vulnerabilityFound.Solution = mySolution; //ReportItemCreateDate vulnerabilityFound.Severity = HelperGetChildInnerText(x, "Severity"); //Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("VULNERABLE Severity:{0}", HelperGetChildInnerText(x, "Severity"))); vulnerabilityFound.HarmScore = int.Parse(HelperGetChildInnerText(x, "HarmScore")); //Count myMessage = HelperGetChildInnerText(x, "Message"); //vulnerabilityFound.Message = myMessage; vulnerabilityFound.rawresponse = myMessage; //Regex objNaturalPattern = new Regex("CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]"); Regex myRegexCVE = new Regex(@"CVE-(19|20)\d\d-(0\d{3}|[1-9]\d{3,})"); //https://cve.mitre.org/cve/identifiers/tech-guidance.html /* myCVE = objNaturalPattern.Match(myMessage).ToString(); if (myCVE != "") { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "CVE=" + myCVE); } */ List<VulnerabilityFound.Item> l; l = new List<VulnerabilityFound.Item>(); myCVEs = myRegexCVE.Matches(myMessage); foreach (Match match in myCVEs) { foreach (Capture capture in match.Captures) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Index={0}, CVE={1}", capture.Index, capture.Value)); VulnerabilityFound.Item item; item = new VulnerabilityFound.Item(); item.Value = capture.Value; item.ID = "cve"; l.Add(item); } } vulnerabilityFound.ListItem = l; vulnerabilityFound.Url = HelperGetChildInnerText(x, "Url"); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Url={0}", HelperGetChildInnerText(x, "Url"))); vulnerabilityFound.rawrequest = HelperGetChildInnerText(x, "HttpRequest"); //vulnerabilityFound.rawresponse = HelperGetChildInnerText(x, "HttpResponse"); //StructuredData if (myPCI != "") { //TODO /* vulnerabilityFound.PCI_FLAG = true; int VulnID = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model); List<int> myIds = new List<int>(); var id = from o in model.COMPLIANCECATEG where o.Title == myTitle && o.COMPLIANCE.Title == "PCIDSS" select o.ComplianceCategID; int Id = id.FirstOrDefault(); myIds.Add(Id); List<int> Compliances = new List<int>(); Compliances = myIds; Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Vulnerability persisted , VulnID = {0} & Compliance count = {1}", VulnID, Compliances.Count)); var V = from tmpVuln in model.VULNERABILITYFOUND where tmpVuln.VulnerabilityFoundID == VulnID select tmpVuln; VULNERABILITYFOUND VF = V.FirstOrDefault(); foreach (int i in Compliances) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Categorie Compliance => ", i)); var C = from Comp in model.COMPLIANCECATEG where Comp.ComplianceCategID == i select Comp; COMPLIANCECATEG myCompliance = new COMPLIANCECATEG(); myCompliance = C.FirstOrDefault(); VF.COMPLIANCECATEG.Add(myCompliance); model.SaveChanges(); Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", "Mapping Compliance-Vulnerability Added"); } */ } else { int VulnID = VulnerabilityPersistor.Persist(vulnerabilityFound, vulnerabilityEndPoint, m_jobId, "cenzic", model); } } catch (Exception ex) { Utils.Helper_Trace("XORCISM PROVIDER Cenzic Import", string.Format("Error in Vulnerable : Exception = {0}. {1}", ex.Message, ex.InnerException)); } } } } } } } } }