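    /// <summary>
    /// Runs <paramref name="query"/> against the local SQLite store and returns the result set.
    /// </summary>
    /// <param name="query">SQL text that is handed to <c>SqLiteDB.GetDataTable</c> verbatim. It must be a
    /// fixed, code-owned statement; nothing taken from alert payloads or user input may be concatenated
    /// into it by the caller, because this method cannot escape or parameterise it.</param>
    /// <returns>The query result, or an empty <see cref="DataTable"/> when the lookup throws.</returns>
    /// <remarks>
    /// Failures are reported by e-mail and otherwise swallowed (best effort); callers presumably treat
    /// an empty table as "no previous alerts", so they must cope with that outcome after an error.
    /// </remarks>
    private static DataTable GetPreviousAlerts(string query)
    {
      var fidoSQlite = new SqLiteDB();
      try
      {
        return fidoSQlite.GetDataTable(query);
      }
      catch (Exception e)
      {
        // Deliberate swallow: report and fall back to an empty table rather than abort the detector run.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Unable to format datatable return. " + e);
        return new DataTable();
      }
    }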
    /// <summary>
    /// Turns every result in a CarbonBlack alert response into a <c>FidoReturnValues</c> record,
    /// enriches it (config lookup, host inventory, previous-alert history) and hands it to
    /// <c>TheDirector.Direct</c> unless the alert was already processed or is the EICAR test string.
    /// </summary>
    /// <param name="cbReturn">Deserialised CarbonBlack alert response; its <c>Results</c> are iterated in order.</param>
    /// <remarks>
    /// Every field read from <c>cbEvent</c> (hostname, username, MD5, process path, watchlist name, ...)
    /// originates in the CarbonBlack response and should be treated as untrusted data by the helpers it is
    /// forwarded to (<c>SysMgmt_CarbonBlack</c>, <c>Matrix_Historical_Helper</c>, <c>TheDirector</c>);
    /// any of them that builds SQL or command lines from these values must parameterise/escape them.
    /// Each event is processed inside its own try/catch, so a failure on one event is e-mailed and the
    /// loop moves on to the next one.
    /// </remarks>
    private static void ParseCarbonBlackAlert(Object_CarbonBlack_Alert_Class.CarbonBlack cbReturn)
    {
      // Per-host rate limiting state shared across the loop (see the todo below).
      var cbHost = string.Empty;
      var cbHostInt = 0;

      foreach (var cbEvent in cbReturn.Results)
      {
        Console.WriteLine(@"Formatting CarbonBlack event for: " + cbEvent.Hostname + @".");
        try
        {
          //initialize generic variables for CB values
          var lFidoReturnValues = new FidoReturnValues();
          // The two null checks below only matter if the FidoReturnValues constructor leaves these unset.
          if (lFidoReturnValues.PreviousAlerts == null)
          {
            lFidoReturnValues.PreviousAlerts = new EventAlerts();
          }

          if (lFidoReturnValues.CB == null)
          {
            lFidoReturnValues.CB = new CarbonBlackReturnValues { Alert = new CarbonBlackAlert() };
          }
          lFidoReturnValues.CurrentDetector = "carbonblackv1"; 
          lFidoReturnValues.CB.Alert.WatchListName = cbEvent.WatchlistName;
          lFidoReturnValues.CB.Alert.AlertType = cbEvent.AlertType;
          // NOTE(review): a null WatchlistName/AlertType throws here and the event is dropped via the catch below.
          if (lFidoReturnValues.CB.Alert.WatchListName.Contains("binary") || lFidoReturnValues.CB.Alert.AlertType.Contains("binary"))
          {
            lFidoReturnValues.isBinary = true;
          }
          
          // Watchlist-name -> malware-type mapping. This query does not depend on the event, so it is
          // re-run once per result; hoisting it above the loop would save a DB round-trip per event.
          var dTable = new SqLiteDB();
          var cbData = dTable.GetDataTable(@"Select * from configs_dictionary_carbonblack");
          var cbDict = GetDict(cbData);

          foreach (var label in cbDict)
          {
            if (cbEvent.WatchlistName == label.Key)
            {
              lFidoReturnValues.MalwareType = label.Value;
              break;
            }
          }

          // Fallback keeps MalwareType non-null for the Contains("EICAR") test further down.
          if (lFidoReturnValues.MalwareType == null) lFidoReturnValues.MalwareType = "Malicious file detected.";

          lFidoReturnValues.CB.Alert.EventID = cbEvent.UniqueID;
          lFidoReturnValues.AlertID = cbEvent.UniqueID;
          // Timestamps are normalised to UTC and rendered culture-invariantly.
          lFidoReturnValues.CB.Alert.EventTime = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
          lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cbEvent.CreatedTime).ToUniversalTime().ToString(CultureInfo.InvariantCulture);
          lFidoReturnValues.Hostname = cbEvent.Hostname;

          //todo: this was supposed to limit the total # of alerts sent from a single host,
          //however, it is poo and needs to be redone.
          // Counts consecutive results for the same hostname; the counter is never reset when the host changes.
          if (lFidoReturnValues.Hostname != cbHost)
          {
            cbHost = lFidoReturnValues.Hostname;
          }
          else
          {
            cbHostInt++;  
          }
          
          // NOTE(review): reaching the threshold closes the alert but does not skip it - processing and
          // TheDirector.Direct still run for this event.
          if (cbHostInt >= 25)
          {
            CloseCarbonBlackAlert(lFidoReturnValues);
          }
          lFidoReturnValues.Username = cbEvent.Username;
          lFidoReturnValues.Hash = new List<string> {cbEvent.MD5};
          lFidoReturnValues.CB.Alert.MD5Hash = cbEvent.MD5;
          lFidoReturnValues.CB.Inventory = SysMgmt_CarbonBlack.GetCarbonBlackHost(lFidoReturnValues, true);
          // When no process path is reported, fall back to the first observed filename.
          // The inner check repeats the outer condition and is redundant; an empty ObservedFilename
          // makes [0] throw, which the catch below turns into an e-mail and a skipped event.
          if (string.IsNullOrEmpty(cbEvent.ProcessPath))
          {
            if (string.IsNullOrEmpty(cbEvent.ProcessPath)) lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ObservedFilename[0];
          }
          else
          {
            lFidoReturnValues.CB.Alert.ProcessPath = cbEvent.ProcessPath;  
          }

          // Counts are stored as strings; missing/zero values are normalised to "0".
          if ((cbEvent.ObservedHosts.HostCount != 0) && (cbEvent.ObservedHosts.HostCount != null))
          {
            lFidoReturnValues.CB.Alert.HostCount = cbEvent.ObservedHosts.HostCount.ToString(CultureInfo.InvariantCulture);
          }
          else
          {
            lFidoReturnValues.CB.Alert.HostCount = "0";
          }

          if ((cbEvent.NetconnCount != 0) && (cbEvent.NetconnCount != null))
          {
            lFidoReturnValues.CB.Alert.NetConn = cbEvent.NetconnCount.ToString(CultureInfo.InvariantCulture);
          }
          else
          {
            lFidoReturnValues.CB.Alert.NetConn = "0";
          }

          // Source IP is taken as the first '|'/','-separated token of the inventory's NetworkAdapters
          // string. An empty NetworkAdapters string yields an empty array and sIP[0] throws (caught below).
          if (lFidoReturnValues.CB.Inventory != null)
          {
            var sFilter = new[] {"|", ","};
            var sIP = lFidoReturnValues.CB.Inventory.NetworkAdapters.Split(sFilter,StringSplitOptions.RemoveEmptyEntries);
            lFidoReturnValues.SrcIP = sIP[0];
          }

          var isRunDirector = false;
          //Check to see if ID has been processed before
          lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false);
          if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0)
          {
            isRunDirector = PreviousAlert(lFidoReturnValues, lFidoReturnValues.AlertID, lFidoReturnValues.TimeOccurred);
          }
          // Skip already-handled alerts and the EICAR test file; everything else goes to the director.
          if (isRunDirector || lFidoReturnValues.MalwareType.Contains("EICAR")) continue;
          //todo: build better filetype versus targetted OS, then remove this.
          lFidoReturnValues.IsTargetOS = true;
          TheDirector.Direct(lFidoReturnValues);
          //CloseCarbonBlackAlert(lFidoReturnValues);
        }
        catch (Exception e)
        {
          // Catch-all per event: report by e-mail and continue with the next result.
          // The "{0}" in the message is a leftover String.Format placeholder (the text is concatenated, not formatted).
          Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Carbon Black v1 Detector when formatting json:" + e);
        }
      }
    }
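    /// <summary>
    /// Loads the CarbonBlack system-management configuration row whose <c>api_call</c> equals
    /// <paramref name="detect"/> from <c>configs_sysmgmt_carbonblack</c>.
    /// </summary>
    /// <param name="detect">The <c>api_call</c> value to look up. It is spliced into SQL text, so it must
    /// come from code or configuration, never from alert payloads or user input.</param>
    /// <returns>The parsed configs, or a default <see cref="ParseCBConfigs"/> when the lookup or parsing throws.</returns>
    /// <remarks>Failures are reported by e-mail and swallowed (best effort).</remarks>
    private static ParseCBConfigs ParseDetectorConfigs(string detect)
    {
      //todo: move this to the database, assign a variable to 'detect' and replace being using in GEtFidoConfigs
      // SECURITY: the DB wrapper is called with raw SQL text here, so the value is concatenated into the
      // statement. Single quotes are doubled so a quote in `detect` cannot terminate the string literal;
      // move to a parameterised query as soon as the wrapper offers one.
      var safeDetect = (detect ?? string.Empty).Replace("'", "''");
      var query = @"SELECT * from configs_sysmgmt_carbonblack WHERE api_call = '" + safeDetect + @"'";

      var fidoSQlite = new SqLiteDB();
      var cbReturn = new ParseCBConfigs();
      try
      {
        var fidoData = fidoSQlite.GetDataTable(query);
        cbReturn = CBConfigs(fidoData);
      }
      catch (Exception e)
      {
        // Deliberate swallow: the caller gets the default object and the error is reported by e-mail.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Unable to format datatable return. " + e);
      }
      return cbReturn;
    }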
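 /// <summary>
 /// Replaces <c>_dict</c> with the <c>key</c>/<c>value</c> pairs stored in <paramref name="table"/>.
 /// </summary>
 /// <param name="table">Name of the SQLite table to read. A table name cannot be bound as a SQL
 /// parameter, so it is restricted to a plain identifier (ASCII letters, digits and underscore, not
 /// starting with a digit) before being spliced into the statement.</param>
 /// <exception cref="ArgumentException"><paramref name="table"/> is null, empty or not a plain identifier.</exception>
 /// <remarks>
 /// Duplicate keys in the table make <c>ToDictionary</c> throw; that behaviour is unchanged. The
 /// assignment to <c>_dict</c> is not synchronised - confirm callers do not race on it.
 /// </remarks>
 internal static void LoadConfigFromDb(string table)
 {
     // Identifier whitelist: the only defence available when the table name itself is dynamic.
     if (!IsPlainIdentifier(table))
     {
         throw new ArgumentException("Table name must be a plain SQL identifier (letters, digits, underscore).", nameof(table));
     }

     var fidoSQLite = new SqLiteDB();
     _dict = fidoSQLite.GetDataTable("select key, value from " + table)
         .AsEnumerable()
         .ToDictionary<DataRow, string, string>(row => row.Field<string>(0), row => row.Field<string>(1));
 }

 /// <summary>
 /// True when <paramref name="name"/> is non-empty, consists only of ASCII letters, digits and
 /// underscores, and does not start with a digit.
 /// </summary>
 private static bool IsPlainIdentifier(string name)
 {
     if (string.IsNullOrEmpty(name))
     {
         return false;
     }

     for (var i = 0; i < name.Length; i++)
     {
         var c = name[i];
         var isLetterOrUnderscore = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_';
         var isDigit = c >= '0' && c <= '9';
         if (!isLetterOrUnderscore && !(isDigit && i > 0))
         {
             return false;
         }
     }

     return true;
 }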