/// <summary>
/// Enriches a ProtectWise detection with VirusTotal data: one URL lookup
/// (taken from the incident's URL reputation record, or from the detection's
/// own URL when no reputation record exists) and one IP lookup for the
/// destination IP.
/// </summary>
/// <param name="lFidoReturnValues">
/// Detection under enrichment. Its ProtectWise and ProtectWise.IncidentDetails
/// members are dereferenced without a null check.
/// </param>
/// <returns>The same instance that was passed in, updated in place.</returns>
private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // The method does nothing when this flag reads true.
    // NOTE(review): the key name suggests "true" should enable VirusTotal;
    // the meaning of the flag is defined outside this block - confirm.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }

    if (lFidoReturnValues.ProtectWise.VirusTotal == null)
    {
        lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
    }

    // Pick at most one URL to submit; the reputation record wins over the raw URL.
    // NOTE(review): these values leave the organisation for a third-party
    // service. Whether VirusTotalUrl submits them for scanning or only reads
    // an existing report is not visible here; if it submits, URLs carrying
    // internal host names or query-string secrets are disclosed - confirm.
    List<string> urlBatch = null;
    if (lFidoReturnValues.ProtectWise.IncidentDetails.Data != null)
    {
        if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
        {
            Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
            urlBatch = new List<string> { lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation.Url };
        }
        else if (lFidoReturnValues.ProtectWise.URL != null)
        {
            // The console text says "destination IP" although a URL is sent.
            Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
            urlBatch = new List<string> { lFidoReturnValues.ProtectWise.URL };
        }
    }

    if (urlBatch != null)
    {
        var urlVerdicts = Feeds_VirusTotal.VirusTotalUrl(urlBatch);
        if (urlVerdicts != null)
        {
            lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = urlVerdicts;
        }
    }

    // A missing or empty destination IP leaves the IP fields untouched.
    var ipBatch = new List<string>();
    if (!string.IsNullOrEmpty(lFidoReturnValues.ProtectWise.DstIP))
    {
        ipBatch.Add(lFidoReturnValues.ProtectWise.DstIP);
    }

    if (ipBatch.Count == 0)
    {
        return lFidoReturnValues;
    }

    Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
    lFidoReturnValues.ProtectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(ipBatch);

    // todo: move the url to the database
    // NOTE(review): the link uses plain http and embeds DstIP unencoded; if it
    // is rendered in a report or e-mail, DstIP should be validated as an IP
    // address first - confirm how consumers display this field.
    lFidoReturnValues.ProtectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.ProtectWise.DstIP + "/information/";

    return lFidoReturnValues;
}
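/// <summary>
/// Enriches a Palo Alto detection with VirusTotal IP data for its
/// destination IP and stores a link to the VirusTotal page for that IP.
/// </summary>
/// <param name="lFidoReturnValues">
/// Detection under enrichment. Its PaloAlto member is dereferenced without a
/// null check.
/// </param>
/// <returns>The same instance that was passed in, updated in place.</returns>
private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // The method does nothing when this flag reads true.
    // NOTE(review): the key name suggests "true" should enable VirusTotal;
    // the meaning of the flag is defined outside this block - confirm.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }

    // Nothing to look up without a destination IP. The earlier DstIp.Any()
    // test threw on a null DstIp instead of skipping the lookup.
    var dstIp = lFidoReturnValues.PaloAlto.DstIp;
    if (string.IsNullOrEmpty(dstIp))
    {
        return lFidoReturnValues;
    }

    if (lFidoReturnValues.PaloAlto.VirusTotal == null)
    {
        lFidoReturnValues.PaloAlto.VirusTotal = new VirusTotalReturnValues();
    }

    // send Palo Alto destination IP to VT IP API
    var sIPToCheck = new List<string> { dstIp };
    Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
    try
    {
        var ipReport = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
        if (ipReport != null)
        {
            lFidoReturnValues.PaloAlto.VirusTotal.IPReturn = ipReport;
        }
    }
    catch (Exception e)
    {
        // A failed lookup is reported by e-mail and enrichment continues.
        // NOTE(review): "{0}" is never filled in here, so it reaches the
        // mail as literal text unless SendEmail formats it - confirm. The
        // full exception text, stack trace included, goes into the message.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
    }

    // todo: move the url to the database
    // The link is stored even when the lookup above failed.
    // NOTE(review): the link uses plain http and embeds DstIp unencoded; if it
    // is rendered in a report or e-mail, DstIp should be validated as an IP
    // address first - confirm how consumers display this field.
    lFidoReturnValues.PaloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + dstIp + "/information/";

    return lFidoReturnValues;
}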
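/// <summary>
/// Enriches a FireEye detection: channel hosts go to the VirusTotal URL
/// lookup, the destination IP goes to the VirusTotal IP lookup, and an
/// AlienVault IP lookup is made when the detection has a destination IP.
/// </summary>
/// <param name="lFidoReturnValues">
/// Detection under enrichment. Nothing is done when its FireEye member is
/// null or carries neither URLs nor channel hosts.
/// </param>
/// <returns>The same instance that was passed in, updated in place.</returns>
private static FidoReturnValues FireEyeURL(FidoReturnValues lFidoReturnValues)
{
    // NOTE(review): the sibling Send*ToVirusTotal methods consult the
    // "fido.director.virustotal" setting before calling out; this method
    // does not - confirm whether that is intended.
    if (lFidoReturnValues.FireEye == null)
    {
        return lFidoReturnValues;
    }

    // Null-safe form of the entry test: a null URL or ChannelHost list counts
    // as empty instead of throwing.
    var hasUrls = (lFidoReturnValues.FireEye.URL != null) && (lFidoReturnValues.FireEye.URL.Count != 0);
    var hasChannelHosts = (lFidoReturnValues.FireEye.ChannelHost != null) && (lFidoReturnValues.FireEye.ChannelHost.Count != 0);
    if (!hasUrls && !hasChannelHosts)
    {
        return lFidoReturnValues;
    }

    // initialize VT area if null
    if (lFidoReturnValues.FireEye.VirusTotal == null)
    {
        lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues();
    }

    // Only channel hosts are submitted to the URL lookup; FireEye.URL and
    // FireEye.DstIP are deliberately not added to this list.
    // NOTE(review): these values leave the organisation for a third-party
    // service; whether VirusTotalUrl submits them for scanning or only reads
    // an existing report is not visible here - confirm.
    var sURLToCheck = new List<string>();
    if (hasChannelHosts)
    {
        sURLToCheck.AddRange(lFidoReturnValues.FireEye.ChannelHost);
    }

    sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

    // send FireEye return to VT
    if (sURLToCheck.Count > 0)
    {
        Console.WriteLine(@"Sending FireEye URLs to VirusTotal.");
        lFidoReturnValues.FireEye.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
    }

    var sIPToCheck = new List<string>();
    if (!string.IsNullOrEmpty(lFidoReturnValues.FireEye.DstIP))
    {
        sIPToCheck.Add(lFidoReturnValues.FireEye.DstIP);
    }

    // send IP information to VT IP API
    // The list used to be tested against null, which is always true, so an
    // empty list was sent and a link with no IP in it was stored.
    if (sIPToCheck.Count > 0)
    {
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        lFidoReturnValues.FireEye.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);

        // NOTE(review): the link uses plain http and embeds DstIP unencoded;
        // if it is rendered in a report or e-mail, DstIP should be validated
        // as an IP address first - confirm how consumers display this field.
        lFidoReturnValues.FireEye.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.FireEye.DstIP + "/information/";
    }

    // initialize AlienVault area if null
    if (lFidoReturnValues.FireEye.AlienVault == null)
    {
        lFidoReturnValues.FireEye.AlienVault = new AlienVaultReturnValues();
    }

    // next send FireEye return to AlienVault
    if (lFidoReturnValues.FireEye.DstIP != null)
    {
        Console.WriteLine(@"Getting IP information from AlienVault");

        // NOTE(review): the guard tests FireEye.DstIP but the lookup is made
        // with the top-level lFidoReturnValues.DstIP, which may be null or a
        // different address - confirm which one is meant.
        lFidoReturnValues.FireEye.AlienVault = Feeds_AlientVault.AlienVaultIP(lFidoReturnValues.DstIP);
    }

    return lFidoReturnValues;
}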
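/// <summary>
/// Enriches a Cyphort detection with VirusTotal data: URLs, domains and the
/// destination IP go to the URL lookup, and the destination IP also goes to
/// the IP lookup.
/// </summary>
/// <param name="lFidoReturnValues">
/// Detection under enrichment. Its Cyphort member is dereferenced without a
/// null check.
/// </param>
/// <returns>The same instance that was passed in, updated in place.</returns>
private static FidoReturnValues SendCyphortToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // The method does nothing when this flag reads true.
    // NOTE(review): the key name suggests "true" should enable VirusTotal;
    // the meaning of the flag is defined outside this block - confirm.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }

    // convert return from Cyphort to list
    var sURLToCheck = new List<string>();

    // A null URL list is treated as empty, matching the null checks already
    // made for Domain and DstIP below; it used to throw.
    if (lFidoReturnValues.Cyphort.URL != null)
    {
        foreach (var candidate in lFidoReturnValues.Cyphort.URL)
        {
            if (string.IsNullOrEmpty(candidate))
            {
                continue;
            }

            // Skips any entry containing ".exe" anywhere in the string. The
            // match is case-sensitive, so ".EXE" is not skipped, and a path
            // such as "a.exe.html" is.
            if (candidate.Contains(".exe"))
            {
                continue;
            }

            sURLToCheck.Add(candidate);
        }
    }

    if ((lFidoReturnValues.Cyphort.Domain != null) && (lFidoReturnValues.Cyphort.Domain.Count > 0))
    {
        sURLToCheck.AddRange(lFidoReturnValues.Cyphort.Domain);
    }

    // The destination IP is sent to the URL lookup as well as the IP lookup.
    if (lFidoReturnValues.Cyphort.DstIP != null)
    {
        sURLToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
    }

    sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

    // send Cyphort return to VT URL API
    // NOTE(review): Cyphort.VirusTotal is written below without the
    // "create if null" step the sibling methods perform; confirm it is
    // always initialised before this method runs.
    // NOTE(review): these values leave the organisation for a third-party
    // service; whether VirusTotalUrl submits them for scanning or only reads
    // an existing report is not visible here - confirm.
    if (sURLToCheck.Count > 0)
    {
        Console.WriteLine(@"Sending Cyport URLs to VirusTotal.");
        lFidoReturnValues.Cyphort.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
    }

    var sIPToCheck = new List<string>();
    if (!string.IsNullOrEmpty(lFidoReturnValues.Cyphort.DstIP))
    {
        sIPToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
    }

    // send Cyphort return to VT IP API
    if (sIPToCheck.Count > 0)
    {
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        lFidoReturnValues.Cyphort.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);

        // todo: move the url to the database
        // NOTE(review): the link uses plain http and embeds DstIP unencoded;
        // if it is rendered in a report or e-mail, DstIP should be validated
        // as an IP address first - confirm how consumers display this field.
        lFidoReturnValues.Cyphort.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.Cyphort.DstIP + "/information/";
    }

    return lFidoReturnValues;
}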