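        /// <summary>
        /// Builds the template placeholder replacements for every detector that fired. Each known
        /// detector name runs its own "bad guy" helper followed by the VirusTotal replacements;
        /// unknown names (and "antivirus"/"ids") contribute nothing.
        /// </summary>
        /// <param name="lFidoReturnValues">Detector results; counters such as BadHashs are updated in place.</param>
        /// <param name="detectors">Detector identifiers to process, matched case-sensitively against the known names.</param>
        /// <param name="replaceParameters">Carries the replacement dictionary; Replacements is reassigned in place as helpers run.</param>
        /// <returns>replaceParameters.Replacements, possibly only partially filled if an exception was caught.</returns>
        public static Dictionary <string, string> StartReplacements(FidoReturnValues lFidoReturnValues, string[] detectors, ReplaceParameters replaceParameters)
        {
            try
            {
                foreach (var detector in detectors)
                {
                    ApplyDetectorReplacements(detector, lFidoReturnValues, replaceParameters);
                }
                return replaceParameters.Replacements;
            }
            catch (Exception e)
            {
                // Best-effort notification only: the partially filled dictionary is still returned below.
                // The previous message carried an unfilled "{0}" format placeholder; the exception is
                // appended directly instead. Note that e.ToString() includes the stack trace in the e-mail.
                Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: Exception caught in Notification Help: " + e);
            }
            return replaceParameters.Replacements;
        }

        /// <summary>
        /// Applies the replacements contributed by a single detector (the switch formerly inlined in
        /// StartReplacements). Detector names that are not listed are ignored.
        /// </summary>
        /// <param name="detector">Detector identifier, e.g. "cyphortv2" or "bit9".</param>
        /// <param name="lFidoReturnValues">Detector results; counters are updated in place.</param>
        /// <param name="replaceParameters">Carries the replacement dictionary, reassigned in place.</param>
        private static void ApplyDetectorReplacements(string detector, FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
        {
            switch (detector)
            {
            case "cyphortv2":
            case "cyphortv3":
                // Both Cyphort API versions share the same replacement path.
                if (lFidoReturnValues.Cyphort != null)
                {
                    replaceParameters.Replacements = Notification_Cyphort_Helper.CyphortBadGuyReturn(lFidoReturnValues, replaceParameters);
                    replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
                }
                break;

            case "protectwisev1-event":
                if (lFidoReturnValues.ProtectWise != null)
                {
                    replaceParameters.Replacements = Notfication_ProtectWise_Helper.ProtectWiseBadGuyReturn(lFidoReturnValues, replaceParameters);
                    replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
                }
                break;

            case "carbonblackv1":
                // CB itself may be absent; it used to be dereferenced unconditionally.
                if (lFidoReturnValues.CB != null && lFidoReturnValues.CB.Alert != null)
                {
                    replaceParameters.Replacements = Notification_CarbonBlack_Helper.CarbonBlackBadGuyReturn(lFidoReturnValues, replaceParameters);
                    replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
                }
                break;

            case "panv1":
                if (lFidoReturnValues.PaloAlto != null)
                {
                    replaceParameters.Replacements = Notification_PaloAlto_Helper.PaloAltoBadGuyReturn(lFidoReturnValues, replaceParameters);
                    replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
                }
                break;

            case "mps":
                //Check Virustotal for values
                if (lFidoReturnValues.FireEye != null)
                {
                    replaceParameters.Replacements = MPSBadGuyReturn(lFidoReturnValues, replaceParameters);
                    replaceParameters.Replacements = VTReplacements(lFidoReturnValues, replaceParameters);
                }
                break;

            case "antivirus":
            case "ids":
                // No replacements are produced for these detectors.
                break;

            case "bit9":
                ApplyBit9Replacements(lFidoReturnValues, replaceParameters);
                break;
            }
        }

        /// <summary>
        /// Records the VirusTotal verdict of the first Bit9 report and fills the Bit9 placeholders.
        /// Does nothing when Bit9 data or its VT report is missing or empty.
        /// </summary>
        /// <param name="lFidoReturnValues">Detector results; BadHashs is incremented for a positive verdict.</param>
        /// <param name="replaceParameters">Carries the replacement dictionary that receives the Bit9 placeholders.</param>
        private static void ApplyBit9Replacements(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
        {
            var bit9 = lFidoReturnValues.Bit9;
            // The empty-report guard is new: VTReport[0] used to be indexed as soon as the list was non-null.
            if (bit9 == null || bit9.VTReport == null || bit9.VTReport.Count() == 0)
            {
                return;
            }

            // Only the first report is consulted, as before.
            var report = bit9.VTReport[0];
            if (report.Positives > 0)
            {
                lFidoReturnValues.BadHashs += 1;
                // lBadMD5Hashes / lGoodMD5Hashes are declared elsewhere in this helper (not visible here);
                // the other helpers keep these lists on ReplaceParameters instead — TODO confirm they are the same lists.
                lBadMD5Hashes.Add(report.Permalink);
            }
            else
            {
                lGoodMD5Hashes.Add(report.Permalink);
            }

            //Check Bit9 for values
            // Indexer rather than Add: a detector processed earlier in the same run (e.g. carbonblackv1)
            // may already have seeded these keys with "Not Configured", and Add would throw on the duplicate.
            replaceParameters.Replacements["%bit9threat%"] = bit9.FileThreat;
            replaceParameters.Replacements["%bit9trust%"] = bit9.FileTrust;
        }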
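        /// <summary>
        /// Tallies the VirusTotal verdicts attached to a Carbon Black alert, records the AlienVault
        /// reputation placeholders, seeds the Bit9 placeholders, and then delegates to
        /// CarbonBlackBadGuyReplacements for the remaining substitutions.
        /// </summary>
        /// <param name="lFidoReturnValues">Alert data; CB.Alert must be non-null (the caller checks this). The Bad* counters are updated in place.</param>
        /// <param name="replaceParameters">Holds the replacement dictionary and the good/bad hash and URL lists, all updated in place.</param>
        /// <returns>The replacement dictionary returned by CarbonBlackBadGuyReplacements.</returns>
        public static Dictionary <string, string> CarbonBlackBadGuyReturn(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
        {
            var vt = lFidoReturnValues.CB.Alert.VirusTotal;
            if (vt != null)
            {
                if (vt.MD5HashReturn != null)
                {
                    foreach (var hashReport in vt.MD5HashReturn)
                    {
                        // A single positive engine verdict is enough to classify the hash as bad.
                        if (hashReport.Positives > 0)
                        {
                            lFidoReturnValues.BadHashs += 1;
                            replaceParameters.BadMD5Hashes.Add(hashReport.Permalink);
                        }
                        else
                        {
                            replaceParameters.GoodMD5Hashes.Add(hashReport.Permalink);
                        }
                    }
                }

                if (vt.URLReturn != null)
                {
                    foreach (var urlReport in vt.URLReturn)
                    {
                        if (urlReport.Positives > 0)
                        {
                            lFidoReturnValues.BadUrLs += 1;
                            replaceParameters.BadURLs.Add(urlReport.Permalink);
                        }
                        else
                        {
                            replaceParameters.GoodURLs.Add(urlReport.Permalink);
                        }
                    }
                }

                // Only the first IP report is consulted, as before; the Count() guard is new because an
                // empty list used to be indexed unconditionally.
                if (vt.IPReturn != null && vt.IPReturn.Count() > 0)
                {
                    var ipReport = vt.IPReturn[0];
                    if (ipReport.DetectedCommunicatingSamples != null)
                    {
                        lFidoReturnValues.BadDetectedComms += ipReport.DetectedCommunicatingSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedDownloadedSamples != null)
                    {
                        lFidoReturnValues.BadDetectedDownloads += ipReport.DetectedDownloadedSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedUrls != null)
                    {
                        lFidoReturnValues.BadDetectedUrls += ipReport.DetectedUrls.Count(u => u.Positives > 0);
                    }
                }
            }

            //Check AlienVault for values
            var replacements = replaceParameters.Replacements;
            var alienVault = lFidoReturnValues.CB.Alert.AlienVault;
            if (alienVault != null)
            {
                // Invariant culture: these values land in a template, not in user-facing locale text.
                replacements.Add("%alienrisk%", alienVault.Risk.ToString(CultureInfo.InvariantCulture));
                replacements.Add("%alienreliable%", alienVault.Reliability.ToString(CultureInfo.InvariantCulture));
                replacements.Add("%alienactivity%", alienVault.Activity ?? string.Empty);
            }
            else
            {
                replacements.Add("%alienrisk%", "Not Found");
                replacements.Add("%alienreliable%", "Not Found");
                replacements.Add("%alienactivity%", string.Empty);
            }

            //Check Bit9 for values
            // Seed the Bit9 placeholders only when absent so a value supplied by an earlier "bit9"
            // detector in the same run is neither clobbered nor turned into a duplicate-key exception.
            if (!replacements.ContainsKey("%bit9threat%"))
            {
                replacements.Add("%bit9threat%", "Not Configured");
            }
            if (!replacements.ContainsKey("%bit9trust%"))
            {
                replacements.Add("%bit9trust%", "Not Configured");
            }

            replacements = CarbonBlackBadGuyReplacements(lFidoReturnValues, replacements);
            return replacements;
        }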
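        /// <summary>
        /// Tallies the VirusTotal verdicts attached to a Palo Alto event, seeds the Bit9 placeholders,
        /// and then delegates to PaloAltoBadGuyReplacements for the remaining substitutions.
        /// </summary>
        /// <param name="lFidoReturnValues">Event data; PaloAlto must be non-null (the caller checks this). The Bad* counters are updated in place.</param>
        /// <param name="replaceParameters">Holds the replacement dictionary and the good/bad hash and URL lists, all updated in place.</param>
        /// <returns>The replacement dictionary returned by PaloAltoBadGuyReplacements.</returns>
        public static Dictionary <string, string> PaloAltoBadGuyReturn(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
        {
            var vt = lFidoReturnValues.PaloAlto.VirusTotal;
            if (vt != null)
            {
                if (vt.MD5HashReturn != null)
                {
                    foreach (var hashReport in vt.MD5HashReturn)
                    {
                        // A single positive engine verdict is enough to classify the hash as bad.
                        if (hashReport.Positives > 0)
                        {
                            lFidoReturnValues.BadHashs += 1;
                            replaceParameters.BadMD5Hashes.Add(hashReport.Permalink);
                        }
                        else
                        {
                            replaceParameters.GoodMD5Hashes.Add(hashReport.Permalink);
                        }
                    }
                }

                if (vt.URLReturn != null)
                {
                    foreach (var urlReport in vt.URLReturn)
                    {
                        if (urlReport.Positives > 0)
                        {
                            lFidoReturnValues.BadUrLs += 1;
                            replaceParameters.BadURLs.Add(urlReport.Permalink);
                        }
                        else
                        {
                            replaceParameters.GoodURLs.Add(urlReport.Permalink);
                        }
                    }
                }

                // Only the first IP report is consulted, as before; the Count() guard is new because an
                // empty list used to be indexed unconditionally.
                if (vt.IPReturn != null && vt.IPReturn.Count() > 0)
                {
                    var ipReport = vt.IPReturn[0];
                    if (ipReport.DetectedCommunicatingSamples != null)
                    {
                        lFidoReturnValues.BadDetectedComms += ipReport.DetectedCommunicatingSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedDownloadedSamples != null)
                    {
                        lFidoReturnValues.BadDetectedDownloads += ipReport.DetectedDownloadedSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedUrls != null)
                    {
                        lFidoReturnValues.BadDetectedUrls += ipReport.DetectedUrls.Count(u => u.Positives > 0);
                    }
                }
            }

            //Check Bit9 for values
            // Seed the Bit9 placeholders only when absent so a value supplied by an earlier "bit9"
            // detector in the same run is neither clobbered nor turned into a duplicate-key exception.
            var replacements = replaceParameters.Replacements;
            if (!replacements.ContainsKey("%bit9threat%"))
            {
                replacements.Add("%bit9threat%", "Not Configured");
            }
            if (!replacements.ContainsKey("%bit9trust%"))
            {
                replacements.Add("%bit9trust%", "Not Configured");
            }

            replacements = PaloAltoBadGuyReplacements(lFidoReturnValues, replacements);
            return replacements;
        }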
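        /// <summary>
        /// Tallies the VirusTotal verdicts attached to a Cyphort event and then delegates to
        /// CyphortBadGuyReplacements for the template substitutions.
        /// </summary>
        /// <param name="lFidoReturnValues">Event data; Cyphort must be non-null (the caller checks this). The Bad* counters are updated in place.</param>
        /// <param name="replaceParameters">Holds the replacement dictionary and the lGood*/lBad* hash and URL lists, all updated in place.</param>
        /// <returns>The replacement dictionary returned by CyphortBadGuyReplacements.</returns>
        public static Dictionary <string, string> CyphortBadGuyReturn(FidoReturnValues lFidoReturnValues, ReplaceParameters replaceParameters)
        {
            var vt = lFidoReturnValues.Cyphort.VirusTotal;
            if (vt != null)
            {
                if (vt.MD5HashReturn != null)
                {
                    foreach (var hashReport in vt.MD5HashReturn)
                    {
                        // A single positive engine verdict is enough to classify the hash as bad.
                        if (hashReport.Positives > 0)
                        {
                            lFidoReturnValues.BadHashs += 1;
                            replaceParameters.lBadMD5Hashes.Add(hashReport.Permalink);
                        }
                        else
                        {
                            replaceParameters.lGoodMD5Hashes.Add(hashReport.Permalink);
                        }
                    }
                }

                if (vt.URLReturn != null)
                {
                    foreach (var urlReport in vt.URLReturn)
                    {
                        if (urlReport.Positives > 0)
                        {
                            lFidoReturnValues.BadUrLs += 1;
                            replaceParameters.lBadURLs.Add(urlReport.Permalink);
                        }
                        else
                        {
                            replaceParameters.lGoodURLs.Add(urlReport.Permalink);
                        }
                    }
                }

                // Only the first IP report is consulted, as before; the Count() guard is new because an
                // empty list used to be indexed unconditionally.
                if (vt.IPReturn != null && vt.IPReturn.Count() > 0)
                {
                    var ipReport = vt.IPReturn[0];
                    if (ipReport.DetectedCommunicatingSamples != null)
                    {
                        lFidoReturnValues.BadDetectedComms += ipReport.DetectedCommunicatingSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedDownloadedSamples != null)
                    {
                        lFidoReturnValues.BadDetectedDownloads += ipReport.DetectedDownloadedSamples.Count(s => s.Positives > 0);
                    }
                    if (ipReport.DetectedUrls != null)
                    {
                        lFidoReturnValues.BadDetectedUrls += ipReport.DetectedUrls.Count(u => u.Positives > 0);
                    }
                }
            }

            var replacements = CyphortBadGuyReplacements(lFidoReturnValues, replaceParameters.Replacements);
            return replacements;
        }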