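        /// <summary>
        /// Lists the IDs of the GuardDuty findings of type
        /// <c>Recon:EC2/PortProbeUnprotectedPort</c> or <c>Recon:EC2/Portscan</c> for one
        /// detector in us-west-2 and prints them, one per line.
        /// </summary>
        /// <param name="args">
        /// Optional; <c>args[0]</c> overrides the detector ID, otherwise the built-in default is used.
        /// </param>
        static async Task Main(string[] args)
        {
            // Allow the detector to be given on the command line instead of editing the source.
            string detectorId = args != null && args.Length > 0 && !string.IsNullOrWhiteSpace(args[0])
                ? args[0]
                : "cdc02b15f9f520a8882c959g3e95c24b";

            var condition = new Condition();
            condition.Eq.Add("Recon:EC2/PortProbeUnprotectedPort");
            condition.Eq.Add("Recon:EC2/Portscan");

            var criteria = new FindingCriteria();
            criteria.Criterion.Add("type", condition);

            using (var gdClient = new AmazonGuardDutyClient(RegionEndpoint.USWest2))
            {
                string nextToken = null;

                // ListFindings is paginated; following NextToken prints every matching
                // finding instead of only the first page.
                do
                {
                    var request = new ListFindingsRequest
                    {
                        DetectorId      = detectorId,
                        FindingCriteria = criteria,
                        NextToken       = nextToken,
                    };

                    // Awaiting instead of Wait()/Result keeps the calling thread free and
                    // surfaces SDK exceptions directly rather than inside an AggregateException.
                    ListFindingsResponse response = await gdClient.ListFindingsAsync(request);
                    nextToken = response.NextToken;

                    foreach (string findingId in response.FindingIds)
                    {
                        Console.WriteLine(findingId);
                    }
                }
                while (!string.IsNullOrEmpty(nextToken));
            }
        }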
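        /// <summary>
        /// Entry point: prints the banner, parses the command line, resolves AWS
        /// credentials, exports the GuardDuty findings of every detector as a STIX 2.0
        /// bundle and writes it to stdout or to a file. The return value is the process
        /// exit code.
        /// </summary>
        /// <param name="args">Command-line arguments, parsed into <c>Options</c>.</param>
        /// <returns>
        /// 0 on success; -1 no arguments, -2 parse failure, -3 to -6 credential problems,
        /// -7 timeout, -8 fetch failure, -9 output file could not be written.
        /// </returns>
        static async Task<int> Main(string[] args)
        {
            foreach (var line in titleBanner)
            {
                Console.WriteLine(line);
            }

            if (args == null || args.Length == 0)
            {
                // Help screen
                foreach (var line in helpScreen)
                {
                    Console.WriteLine(line);
                }
                return -1;
            }

            Options options = null;

            // Parse errors are printed here; the null check below turns them into an
            // exit code, since the lambda cannot return from Main itself.
            Parser.Default.ParseArguments<Options>(args)
            .WithParsed(o => options = o)
            .WithNotParsed(errors =>
            {
                foreach (var error in errors)
                {
                    Console.WriteLine(error);
                }
            });

            if (options == null)
            {
                return -2;
            }

            // Setup AWS credentials
            AWSCredentials awsCredentials;
            RegionEndpoint awsRegion;

            var credentialStatus = ResolveCredentials(options, out awsCredentials, out awsRegion);
            if (credentialStatus != 0)
            {
                return credentialStatus;
            }

            Tuple<object, Exception> result;

            // The token cancels the in-flight API calls when the deadline passes, rather
            // than merely giving up on waiting for them while they keep running.
            using (var cts = new CancellationTokenSource(TimeSpan.FromSeconds(60)))
            {
                try
                {
                    result = await CollectFindingsAsync(awsCredentials, awsRegion, cts.Token);
                }
                catch (OperationCanceledException)
                {
                    Console.Error.WriteLine("Failed to complete within 60 seconds, aborted.");
                    return -7;
                }
            }

            if (result.Item2 != null)
            {
                Console.Error.WriteLine($"Unable to parse output: {result.Item2.ToString()}");
                return -8;
            }

            return WriteOutput(options.OutputFile, result.Item1);
        }

        /// <summary>
        /// Resolves the credentials and region to use, either from a named profile in the
        /// local credential store or from an access key pair given on the command line.
        /// </summary>
        /// <param name="options">Parsed command-line options.</param>
        /// <param name="awsCredentials">Resolved credentials; null when the return value is non-zero.</param>
        /// <param name="awsRegion">Resolved region; null when the return value is non-zero.</param>
        /// <returns>0 on success, otherwise the exit code to use (-3 to -6); the reason is already printed.</returns>
        private static int ResolveCredentials(Options options, out AWSCredentials awsCredentials, out RegionEndpoint awsRegion)
        {
            awsCredentials = null;
            awsRegion      = null;

            if (!string.IsNullOrWhiteSpace(options.Profile))
            {
                var chain = new CredentialProfileStoreChain();

                if (!chain.TryGetAWSCredentials(options.Profile, out awsCredentials))
                {
                    Console.WriteLine($"Unable to retrieve credentials for profile {options.Profile}");
                    return -3;
                }

                CredentialProfile credentialProfile;
                if (!chain.TryGetProfile(options.Profile, out credentialProfile))
                {
                    Console.WriteLine($"Unable to retrieve credential profile for {options.Profile}");
                    return -4;
                }

                // The region from the command line only applies when the profile does not name one.
                awsRegion = credentialProfile.Region ?? RegionEndpoint.GetBySystemName(options.Region);
                return 0;
            }

            if (string.IsNullOrWhiteSpace(options.AccessKeyId))
            {
                Console.Error.WriteLine("No profile was specified, but an access key ID was not provided either.");
                return -5;
            }

            if (string.IsNullOrWhiteSpace(options.AccessKeySecret))
            {
                Console.Error.WriteLine("No profile was specified, but an access key secret was not provided either.");
                return -6;
            }

            // Key material passed on the command line is visible in the host's process
            // list and shell history; a named profile is the preferable way to supply it.
            awsCredentials = new BasicAWSCredentials(options.AccessKeyId, options.AccessKeySecret);
            awsRegion      = RegionEndpoint.GetBySystemName(options.Region);
            return 0;
        }

        /// <summary>
        /// Fetches every finding of every detector visible to the credentials and wraps
        /// the converted findings in a STIX 2.0 bundle.
        /// </summary>
        /// <param name="awsCredentials">Credentials for the GuardDuty client.</param>
        /// <param name="awsRegion">Region the GuardDuty client talks to.</param>
        /// <param name="cancellationToken">Cancels the in-flight API calls.</param>
        /// <returns>
        /// (bundle, null) on success; (null, exception) when an API call or conversion fails,
        /// after the exception has been written to stderr. Cancellation is not turned into an
        /// error tuple and propagates as <see cref="OperationCanceledException"/>.
        /// </returns>
        private static async Task<Tuple<object, Exception>> CollectFindingsAsync(AWSCredentials awsCredentials, RegionEndpoint awsRegion, CancellationToken cancellationToken)
        {
            dynamic bundle      = new ExpandoObject();
            bundle.type         = "bundle";
            bundle.id           = $"guardduty-stix-{DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffZ", System.Globalization.CultureInfo.InvariantCulture)}";
            bundle.spec_version = "2.0";

            var objects = new List<object>();

            try
            {
                using (var client = new AmazonGuardDutyClient(awsCredentials, awsRegion))
                {
                    // ListDetectors sits inside the try so that a failure here becomes an
                    // error tuple instead of an unobserved faulted task.
                    var detectorResponse = await client.ListDetectorsAsync(new ListDetectorsRequest(), cancellationToken);

                    foreach (var detectorId in detectorResponse.DetectorIds)
                    {
                        string nextToken = null;

                        // ListFindings is paginated; without following NextToken only the
                        // first page of finding IDs per detector is exported.
                        do
                        {
                            var listFindingsRequest = new ListFindingsRequest()
                            {
                                DetectorId = detectorId,
                                NextToken  = nextToken,
                            };

                            // Get list of findings
                            var listFindingsResponse = await client.ListFindingsAsync(listFindingsRequest, cancellationToken);
                            nextToken = listFindingsResponse.NextToken;

                            // Skip empty pages rather than ask GetFindings for nothing; one
                            // GetFindings call per page also keeps each request page-sized.
                            if (listFindingsResponse.FindingIds == null || listFindingsResponse.FindingIds.Count == 0)
                            {
                                continue;
                            }

                            // For the list, get the details
                            var getFindingsRequest = new GetFindingsRequest()
                            {
                                DetectorId = detectorId,
                                FindingIds = listFindingsResponse.FindingIds
                            };
                            var getFindingsResponse = await client.GetFindingsAsync(getFindingsRequest, cancellationToken);

                            foreach (var finding in getFindingsResponse.Findings)
                            {
                                var sdo = await ConvertFindingToStixAsync(finding);
                                objects.Add(sdo);
                            }
                        }
                        while (!string.IsNullOrEmpty(nextToken));
                    }
                }
            }
            catch (Exception e) when (!(e is OperationCanceledException))
            {
                await Console.Error.WriteLineAsync(e.ToString());
                return new Tuple<object, Exception>(null, e);
            }

            bundle.objects = objects;
            return new Tuple<object, Exception>(bundle, null);
        }

        /// <summary>
        /// Serializes the bundle as JSON to stdout, or to <paramref name="outputFile"/> when one is given.
        /// </summary>
        /// <param name="outputFile">Destination path; null or blank means stdout.</param>
        /// <param name="bundle">The object to serialize.</param>
        /// <returns>0 on success, -9 when the file could not be written (the error is printed to stderr).</returns>
        private static int WriteOutput(string outputFile, object bundle)
        {
            if (string.IsNullOrWhiteSpace(outputFile))
            {
                Console.Out.WriteLine(Newtonsoft.Json.JsonConvert.SerializeObject(bundle));
                return 0;
            }

            try
            {
                // CreateText truncates an existing file, like FileMode.Create did.
                using (var sw = File.CreateText(outputFile))
                {
                    sw.Write(Newtonsoft.Json.JsonConvert.SerializeObject(bundle));
                }

                Console.Out.WriteLine($"Output saved to file {outputFile}");
                return 0;
            }
            catch (Exception e)
            {
                Console.Error.WriteLine($"Unable to write file: {e.ToString()}");
                return -9;
            }
        }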