private FidoReturnValues SetIFidoReturnValues(FidoReturnValues lFidoReturnValues, string[][] array, string message) { if (array[i][4].Contains(":")) { continue; } lFidoReturnValues.SrcIP = array[i][4]; lFidoReturnValues.MalwareType = array[i][19] + message; lFidoReturnValues.DstIP = array[i][16]; lFidoReturnValues.Cyphort.DstIP = array[i][16]; lFidoReturnValues.TimeOccurred = Convert.ToDateTime(array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(array[i][2]).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.Cyphort.EventID = array[i][1]; lFidoReturnValues.AlertID = lFidoReturnValues.Cyphort.EventID; lFidoReturnValues.Cyphort.URL = new List <string> { array[i][12] }; lFidoReturnValues.Url = new List <string> { array[i][12] }; lFidoReturnValues.Cyphort.Domain = new List <string> { array[i][11] }; lFidoReturnValues.Cyphort.MD5Hash = new List <string> { array[i][7] }; lFidoReturnValues.Hash = new List <string> { array[i][7] }; lFidoReturnValues.CurrentDetector = "cyphortv2"; return(lFidoReturnValues); }
private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues) { //if ProtectWise has hashes send to threat feeds if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false)) { if ((lFidoReturnValues.ProtectWise != null) && (lFidoReturnValues.ProtectWise.MD5 != null) && (lFidoReturnValues.ProtectWise.MD5.Any())) { if (lFidoReturnValues.ProtectWise.VirusTotal == null) { lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues(); } Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal."); var MD5Hash = new List <string> { lFidoReturnValues.ProtectWise.MD5 }; lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(MD5Hash); } } if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false)) { Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID."); lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues); } return(lFidoReturnValues); }
private static void UpdateUserToDB(FidoReturnValues lFidoReturnValues, string row) { var db = new SqLiteDB(); var data = new Dictionary <String, String> { { "username", lFidoReturnValues.Username.ToLower() }, { "fullname", lFidoReturnValues.UserInfo.Username.ToLower() }, { "email", lFidoReturnValues.UserInfo.UserEmail.ToLower() }, { "title", lFidoReturnValues.UserInfo.Title.ToLower() }, { "dept", lFidoReturnValues.UserInfo.Department.ToLower() }, { "emp_type", lFidoReturnValues.UserInfo.EmployeeType.ToLower() }, { "emp_phone", lFidoReturnValues.UserInfo.MobileNumber }, { "cube", lFidoReturnValues.UserInfo.CubeLocation.ToLower() }, { "city_state", lFidoReturnValues.UserInfo.City.ToLower() + "\\" + lFidoReturnValues.UserInfo.State.ToLower() }, { "manager", lFidoReturnValues.UserInfo.ManagerName.ToLower() }, { "manager_title", lFidoReturnValues.UserInfo.ManagerTitle.ToLower() }, { "manager_email", lFidoReturnValues.UserInfo.ManagerMail.ToLower() }, { "manager_phone", lFidoReturnValues.UserInfo.MobileNumber }, { "user_score", lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) } }; try { db.Update("event_user", data, "primkey = " + row); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in update user area of fidodb:" + e); } }
private static Dictionary <string, string> MPSBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements) { //todo: need to filter this section based on detector (ie., not just lfidoreturnvalues.cyphort.virustotal, ldfidoreturnvalues.fireeye.virustotal, etc) if (lFidoReturnValues.CurrentDetector == "mps") { if (lFidoReturnValues.BadDetectedComms > 0) { replacements.Add("%cncip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>" + lFidoReturnValues.BadDetectedComms + " Detected!</a>"); } else { replacements.Add("%cncip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>None Detected</a>"); } if (lFidoReturnValues.BadDetectedDownloads > 0) { replacements.Add("%totaldetectedip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>" + lFidoReturnValues.BadDetectedDownloads + " Detected!</a>"); } else { replacements.Add("%totaldetectedip%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>None Detected</a>"); } if (lFidoReturnValues.BadDetectedUrls > 0) { replacements.Add("%totaldetectedurl%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>" + lFidoReturnValues.BadDetectedUrls + " Detected!</a>"); } else { replacements.Add("%totaldetectedurl%", "<a href='" + lFidoReturnValues.FireEye.VirusTotal.IPUrl + "'>None Detected</a>"); } } return(replacements); }
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues) { Console.WriteLine(@"Pulling Cyphort incident details."); //currently needed to bypass site without a valid cert. //todo: make ssl bypass configurable ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); }; var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3"); var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey; request = request.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID); var alertRequest = (HttpWebRequest)WebRequest.Create(request); alertRequest.Method = "GET"; try { using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse) { if (cyphortResponse != null && cyphortResponse.StatusCode == HttpStatusCode.OK) { lFidoReturnValues = getResponseStream(cyphortResponse.GetResponseStream(), lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e); } }
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues) { Console.WriteLine(@"Pulling Cyphort incident details."); //currently needed to bypass site without a valid cert. //todo: make ssl bypass configurable ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); }; var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs("cyphortv3"); var request = parseConfigs.Server + parseConfigs.Query2 + parseConfigs.APIKey; request = request.Replace("%incidentid%", lFidoReturnValues.Cyphort.IncidentID); var alertRequest = (HttpWebRequest)WebRequest.Create(request); alertRequest.Method = "GET"; try { using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse) { if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK) { return; } using (var respStream = cyphortResponse.GetResponseStream()) { if (respStream == null) { return; } var cyphortReader = new StreamReader(respStream, Encoding.UTF8); var stringreturn = cyphortReader.ReadToEnd(); var cyphortReturn = JsonConvert.DeserializeObject <Object_Cyphort_Class.CyphortIncident>(stringreturn); if (cyphortReturn.Incident == null) { return; } lFidoReturnValues.Cyphort.IncidentDetails = new Object_Cyphort_Class.CyphortIncident(); lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn; ChangeDNSName(lFidoReturnValues); if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1") { lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues); } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1") { lFidoReturnValues = FormatInfectionReturnValues(lFidoReturnValues); } DoesNotChangeAnyThing(lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e); } }
private static void ChangeDNSName(FidoReturnValues lFidoReturnValues) { if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name != null) { lFidoReturnValues.DNSName = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name.Replace(".", "(.)"); } }
private static void HandleCyphortIncident(FidoReturnValues lFidoReturnValues, Stream respStream) { var cyphortReader = new StreamReader(respStream, Encoding.UTF8); var stringreturn = cyphortReader.ReadToEnd(); var cyphortReturn = JsonConvert.DeserializeObject <Object_Cyphort_Class.CyphortIncident>(stringreturn); if (cyphortReturn.Incident == null) { return; } lFidoReturnValues.Cyphort.IncidentDetails = new Object_Cyphort_Class.CyphortIncident(); lFidoReturnValues.Cyphort.IncidentDetails = cyphortReturn; if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name != null) { lFidoReturnValues.DNSName = lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_name.Replace(".", "(.)"); } if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_download == "1" || lFidoReturnValues.Cyphort.IncidentDetails.Incident.Has_infection == "1") { lFidoReturnValues = FormatDownloadReturnValues(lFidoReturnValues); } }
private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues) { //if FireEye has hashes send to threat feeds if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false)) { if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any())) { if (lFidoReturnValues.FireEye.VirusTotal == null) { lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues(); } Console.WriteLine(@"Sending FireEye hashes to VirusTotal."); lFidoReturnValues.FireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.FireEye.MD5Hash); } } //todo: decide if FireEye should go to ThreatGRID //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false)) //{ // Console.WriteLine(@"Sending FireEye hashes to ThreatGRID."); // lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues); //} return(lFidoReturnValues); }
private static Dictionary <string, string> CyphortGEOReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements) { if (lFidoReturnValues.Cyphort.ThreatGRID.IPInfo != null) { if (lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN == null) { replacements.Add("%asninfo%", string.Empty); replacements.Add("%city%", string.Empty); replacements.Add("%region%", string.Empty); replacements.Add("%country%", string.Empty); } else { replacements.Add("%asninfo%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN + ":" + lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.ASN_Array.Org); replacements.Add("%city%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.Location_Array.City); replacements.Add("%region%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.Location_Array.Region); replacements.Add("%country%", lFidoReturnValues.Cyphort.ThreatGRID.IPInfo.Data_Array.Location_Array.Country); } } else if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_code != null) { replacements.Add("%city%", string.Empty); replacements.Add("%region%", lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_code); if (lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_name != null) { replacements.Add("%country%", lFidoReturnValues.Cyphort.IncidentDetails.Incident.Source_country_name); } } return(replacements); }
private static void AntiVirusToBit9(FidoReturnValues lFidoReturnValues) { var lBit9ReturnValues = new Bit9ReturnValues(); var sFileInfo = lFidoReturnValues.Antivirus.FilePath.Split('\\'); if ((sFileInfo != null) && (sFileInfo.Length != 0)) { Console.WriteLine(@"Antivirus detector found! Cross-referencing with Bit9."); lBit9ReturnValues.FileName = sFileInfo[sFileInfo.Length - 1]; lFidoReturnValues.Antivirus.FileName = lBit9ReturnValues.FileName; for (var i = 0; i < sFileInfo.Length - 1; i++) { if (i == sFileInfo.Length - 2) { lBit9ReturnValues.FilePath += sFileInfo[i]; } else { if (!sFileInfo[i].Contains("'")) { lBit9ReturnValues.FilePath += sFileInfo[i] + "\\"; } else { break; } } } lBit9ReturnValues.HostName = lFidoReturnValues.Hostname; var lBit9Info = Detect_Bit9.GetFileInfo(null, lBit9ReturnValues); } }
private static void AddRecommentdation(FidoReturnValues lFidoReturnValues, List <string> recommendation) { switch (lFidoReturnValues.Antivirus.Status.ToLower()) { case "cleanable": recommendation.Add("Action required"); recommendation.Add("Antivirus was unable to remove the threat, but this malware is cleanable."); break; case "cleanup failed": recommendation.Add("Action required"); recommendation.Add( "Antivirus attempted to cleanup malware, but failed. Make sure system is offline and attempt cleanup again."); break; case "restart required": recommendation.Add("Action required"); recommendation.Add( "Antivirus attempted to cleanup malware, but requires a reboot to complete remediation."); break; case "not cleanable": recommendation.Add("Re-image"); recommendation.Add( "Antivirus is not capable of removing this malware and the system will need to be rebuilt."); break; } }
public static FidoReturnValues HostDetection(FidoReturnValues lFidoReturnValues, string sHostname, string sSrcIP) { Console.WriteLine(@"Attempting host detection for " + sSrcIP + @"."); //attempt to directly communicate with the device //assume Windows first, then Mac second lFidoReturnValues.RemoteRegHostname = RemoteRegHost(sSrcIP); if (lFidoReturnValues.RemoteRegHostname == null || lFidoReturnValues.RemoteRegHostname == "Not able to connect") { lFidoReturnValues.SSHHostname = SshHost(sSrcIP); if (!String.IsNullOrEmpty(lFidoReturnValues.SSHHostname)) { sHostname = lFidoReturnValues.SSHHostname; } } else { if (!String.IsNullOrEmpty(lFidoReturnValues.RemoteRegHostname)) { sHostname = lFidoReturnValues.RemoteRegHostname; lFidoReturnValues.Hostname = sHostname; } } //if remote registry and ssh fail then NMAP the host if ((sHostname == null) && (sHostname == String.Empty)) { Console.WriteLine(@"Cannot detect hostname, attempting to NMAP " + sSrcIP + @"."); //todo: not currently doing anything wint nmap other //assigning it to a variable. lFidoReturnValues.NmapHostname = NmapHost(sSrcIP); } return(lFidoReturnValues); }
private static void GetCyphortIncident(FidoReturnValues lFidoReturnValues) { Console.WriteLine(@"Pulling Cyphort incident details."); var alertRequest = CreateHttpWebRequest(lFidoReturnValues); try { using (var cyphortResponse = alertRequest.GetResponse() as HttpWebResponse) { if (cyphortResponse == null || cyphortResponse.StatusCode != HttpStatusCode.OK) { return; } using (var respStream = cyphortResponse.GetResponseStream()) { if (respStream == null) { return; } HandleCyphortIncident(lFidoReturnValues, respStream); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector getting json:" + e); } }
private static Dictionary <string, string> PaloAltoGeoReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements) { if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo != null) { if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN == null) { replacements.Add("%asninfo%", "No ASN Found"); } else { replacements.Add("%asninfo%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.ASN_Array.ASN + ":" + lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.ASN_Array.Org); } if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array != null) { if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.City != null) { replacements.Add("%city%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.City); } if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Country != null) { replacements.Add("%country%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Country); } if (lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Region != null) { replacements.Add("%region%", lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo.Data_Array.Location_Array.Region); } } } return(replacements); }
private static Dictionary <string, string> CarbonBlackBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements) { try { if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false)) { replacements = CarbonBlackVTReplacements(lFidoReturnValues, replacements); } if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false)) { replacements = CarbonBlackGeoReplacements(lFidoReturnValues, replacements); } if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false)) { replacements = CarbonBlackThreatGRIDReplacements(lFidoReturnValues, replacements); } return(replacements); } catch (Exception e) { throw e; } }
public static FidoReturnValues SQLFidoReturnValues(FidoReturnValues lFidoReturnValues, string sSrcIP, string sHostname) { //go to our sysmgmt data sources in the XML to get SQL queries and strings var sSQLSource = SQL_Queries.GetSqlSources(); var sLandeskSrcIP = String.Empty; foreach (var source in sSQLSource) { // ReSharper disable once RedundantAssignment var lQuery = new List <string>(); var lHostInfo = new List <string>(); string sNewSource = null; var sSplitSource = source.Split('-'); sNewSource = sSplitSource.Length > 1 ? sSplitSource[0] : source; switch (sNewSource) { case "landesk": sLandeskSrcIP = SourceLandesk(ref lFidoReturnValues, sSrcIP, sHostname, sNewSource, sLandeskSrcIP, source, lHostInfo); continue; case "jamf": //if nmap or ssh is null use IP SetHostInfo(sHostname, sSrcIP, source, lHostInfo); //if return has values assign to lFidoReturnValues if (lHostInfo[0] != "unknown") { if ((lFidoReturnValues.Landesk != null) && !String.IsNullOrEmpty(lFidoReturnValues.Landesk.Hostname)) { var LandeskDateTime = Convert.ToDateTime(lFidoReturnValues.Landesk.LastUpdate); var JamfDateTime = FromEpochTime(lHostInfo[3]); if (LandeskDateTime.ToUniversalTime() > JamfDateTime) { continue; } } lFidoReturnValues.Hostname = lHostInfo[1]; lFidoReturnValues.Username = lHostInfo[11]; if (lFidoReturnValues.Jamf == null) { lFidoReturnValues.Jamf = new JamfReturnValues(); } lFidoReturnValues.Jamf = Jamf2FidoValues.Convert(lFidoReturnValues, lHostInfo); } continue; default: continue; } } return(lFidoReturnValues); }
//This function is designed get the incidents from an event, then determine if the //incidents have already been processed. If they have not, they will be handed off //to the GetCyphortIncident function to gather necessary information before being //sent to TheDirector. private static void ParseCyphort(Object_Cyphort_Class.CyphortEvent cyphortReturn) { try { if (cyphortReturn.Event_Array.Any()) { cyphortReturn.Event_Array = cyphortReturn.Event_Array.Reverse().ToArray(); for (var i = 0; i < cyphortReturn.Event_Array.Count(); i++) { Console.WriteLine(@"Processing Cyphort event " + (i + 1).ToString(CultureInfo.InvariantCulture) + @" of " + cyphortReturn.Event_Array.Count().ToString(CultureInfo.InvariantCulture) + @"."); //We don't currently process IPv6, so if detected exit and process next alert if ((cyphortReturn.Event_Array[i].Endpoint_ip != null) && (cyphortReturn.Event_Array[i].Endpoint_ip.Contains(":"))) { continue; } //initialize generic variables for Cyphort values var lFidoReturnValues = new FidoReturnValues(); if (lFidoReturnValues.PreviousAlerts == null) { lFidoReturnValues.PreviousAlerts = new EventAlerts(); } if (lFidoReturnValues.Cyphort == null) { lFidoReturnValues.Cyphort = new CyphortReturnValues(); } //Convert Cyphort classifications to more readable values if (cyphortReturn.Event_Array[i].Event_type == "http") { lFidoReturnValues.MalwareType = "Malware downloaded: " + cyphortReturn.Event_Array[i].Event_name + " Type: " + cyphortReturn.Event_Array[i].Event_category; } else if (cyphortReturn.Event_Array[i].Event_type == "cnc") { lFidoReturnValues.MalwareType = "CNC Detected: " + cyphortReturn.Event_Array[i].Event_name; } //Assign generic event deatils for use in TheDirector lFidoReturnValues.CurrentDetector = "cyphortv3"; lFidoReturnValues.Cyphort.IncidentID = cyphortReturn.Event_Array[i].Incident_id; lFidoReturnValues.SrcIP = cyphortReturn.Event_Array[i].Endpoint_ip; lFidoReturnValues.Cyphort.EventTime = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.TimeOccurred = Convert.ToDateTime(cyphortReturn.Event_Array[i].Last_activity_time).ToUniversalTime().ToString(CultureInfo.InvariantCulture); lFidoReturnValues.DstIP = cyphortReturn.Event_Array[i].Source_ip; lFidoReturnValues.Cyphort.DstIP = cyphortReturn.Event_Array[i].Source_ip; //Send information gathered thus far to function to gather incident details //and further parsing to determine if sending to TheDirector is needed. GetCyphortIncident(lFidoReturnValues); } } } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Cyphortv3 Detector parse:" + e); } }
//This function will attempt to assign alerts to the AntivirusReturnValues object //before returning it to the FidoReturnValues object. public static FidoReturnValues SophoslFidoValues(List <string> lHostInfo) { var lFidoReturnValues = new FidoReturnValues(); var lSophosReturnValues = new AntivirusReturnValues(); for (var x = 0; x < lHostInfo.Count; x++) { switch (x) { case 0: lSophosReturnValues.ReceivedTime = lHostInfo[0]; break; case 1: lSophosReturnValues.EventTime = lHostInfo[1]; lFidoReturnValues.TimeOccurred = lHostInfo[1]; break; case 2: lSophosReturnValues.ActionTaken = lHostInfo[2]; break; case 3: lSophosReturnValues.Username = lHostInfo[3]; lFidoReturnValues.Username = getUsername(lHostInfo[3].Split('\\')); break; case 4: lSophosReturnValues.Status = lHostInfo[4]; break; case 5: lSophosReturnValues.ThreatType = lHostInfo[5]; break; case 6: lSophosReturnValues.ThreatName = lHostInfo[6]; lFidoReturnValues.MalwareType = lHostInfo[6]; break; case 7: lSophosReturnValues.FilePath = lHostInfo[7]; break; case 8: lSophosReturnValues.HostName = lHostInfo[8]; lFidoReturnValues.Hostname = lHostInfo[8]; break; case 9: lFidoReturnValues.SrcIP = lHostInfo[9]; break; } } lFidoReturnValues.Antivirus = lSophosReturnValues; return(lFidoReturnValues); }
private void PrepareFidoReturnValues(FidoReturnValues lFidoReturnValues) { lFidoReturnValues = SummaryEmail(lFidoReturnValues); lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues); lFidoReturnValues.SummaryEmail = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues); lFidoReturnValues.SummaryEmail = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues); lFidoReturnValues.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true); }
private static Dictionary <string, string> PaloAltoThreatGRIDReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements) { if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore > 0) { replacements.Add("%threatgridscore%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatScore.ToString(CultureInfo.InvariantCulture)); } else { replacements.Add("%threatgridscore%", "0"); } if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity > 0) { if ((lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any())) { replacements.Add("%threatgridseverity%", "<a href='%url_location%'>" + lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity.ToString(CultureInfo.InvariantCulture) + "</a>"); } else { replacements.Add("%threatgridseverity%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatSeverity.ToString(CultureInfo.InvariantCulture)); } } else { replacements.Add("%threatgridseverity%", "0"); } if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence > 0) { if ((lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any())) { replacements.Add("%threatgridconfidence%", "<a href='%url_location%'>" + lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence.ToString(CultureInfo.InvariantCulture) + "</a>"); } else { replacements.Add("%threatgridconfidence%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatConfidence.ToString(CultureInfo.InvariantCulture)); } } else { replacements.Add("%threatgridconfidence%", "0"); } if (lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators > 0) { if ((lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo != null) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Count > 0) && (lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items.Any())) { replacements.Add("%threatgridindicators%", "<a href='%url_location%'>" + lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators.ToString(CultureInfo.InvariantCulture) + "</a>"); } else { replacements.Add("%threatgridindicators%", lFidoReturnValues.PaloAlto.ThreatGRID.ThreatIndicators.ToString(CultureInfo.InvariantCulture)); } } else { replacements.Add("%threatgridindicators%", "0"); } return(replacements); }
private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues) { if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false)) { return(lFidoReturnValues); } var sIPToCheck = new List <string>(); if (lFidoReturnValues.ProtectWise.VirusTotal == null) { lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues(); } //send ProtectWise return to VT URL API if (lFidoReturnValues.ProtectWise.IncidentDetails.Data != null) { if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null) { Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal."); var URL = new List <string> { lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation.Url }; var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL); if (vtURLReturn != null) { lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn; } } else if (lFidoReturnValues.ProtectWise.URL != null) { Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal."); var URL = new List <string> { lFidoReturnValues.ProtectWise.URL }; var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL); if (vtURLReturn != null) { lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn; } } } if (lFidoReturnValues.ProtectWise.DstIP != null) { sIPToCheck.Add(lFidoReturnValues.ProtectWise.DstIP); } sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList(); //send ProtectWise return to VT IP API if (sIPToCheck.Any()) { Console.WriteLine(@"Getting detailed IP information from VirusTotal."); lFidoReturnValues.ProtectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck); //todo: move the url to the database lFidoReturnValues.ProtectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.ProtectWise.DstIP + "/information/"; } return(lFidoReturnValues); }
private static void UpdateDetailedThreatToDB(FidoReturnValues lFidoReturnValues, string row) { //todo: figure out best way to insert detailed reports to prevent having to query web services again //var threatURL = lFidoReturnValues.FireEye.URL.Aggregate(string.Empty, (current, url) => current + (url + ",")); //threatURL = lFidoReturnValues.FireEye.ChannelHost.Aggregate(threatURL, (current, link) => current + (link + ",")); //data.Add("threat_url", threatURL); //var threatMD5 = lFidoReturnValues.FireEye.MD5Hash.Aggregate(string.Empty, (current, md5) => current + (md5 + ",")); //data.Add("threat_hash", threatMD5); }
public static JamfReturnValues Convert(FidoReturnValues lFidoReturnValues, List <string> lHostInfo) { var lJamfReturnValues = new JamfReturnValues { ComputerID = lHostInfo[0] ?? string.Empty, Hostname = lHostInfo[1] ?? string.Empty, ReportID = lHostInfo[2] ?? string.Empty, Username = lHostInfo[11], OSName = "OSX " + lHostInfo[9], LastUpdate = FromEpochTime(lHostInfo[3]).ToString() }; return(lJamfReturnValues); }
public static FidoReturnValues DetectorsToThreatFeeds(FidoReturnValues lFidoReturnValues) { lFidoReturnValues = FireEyeURL(lFidoReturnValues); lFidoReturnValues = CyphortURL(lFidoReturnValues); lFidoReturnValues = ProtectWiseURL(lFidoReturnValues); lFidoReturnValues = PaloAltoURL(lFidoReturnValues); return(lFidoReturnValues); }
public static void InsertEventToDB(FidoReturnValues lFidoReturnValues) { var iKeepAlive = Object_Fido_Configs.GetAsInt("fido.application.unnownkeepalive", 0); var db = new SqLiteDB(); var data = new Dictionary <String, String> { { "timer", iKeepAlive.ToString(CultureInfo.InvariantCulture) }, { "ip_address", lFidoReturnValues.SrcIP }, { "hostname", lFidoReturnValues.Hostname.ToLower() }, { "timestamp", Convert.ToDateTime(lFidoReturnValues.TimeOccurred).ToString(CultureInfo.InvariantCulture) }, { "previous_score", lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) }, { "alert_id", lFidoReturnValues.AlertID } }; try { //insert event to primary alert table db.Insert("event_alerts", data); const string eventAlerts = @"select count() from event_alerts"; var newRow = db.ExecuteScalar(eventAlerts); //if there is threat data then insert otherwise //todo: figure out a better way to find out if a detector is empty if (lFidoReturnValues.Bit9 != null | lFidoReturnValues.Antivirus != null | lFidoReturnValues.FireEye != null | lFidoReturnValues.Cyphort != null | lFidoReturnValues.ProtectWise != null | lFidoReturnValues.PaloAlto != null) { UpdateThreatToDB(lFidoReturnValues, newRow); } //if there is machine data then insert otherwise if ((lFidoReturnValues.Landesk != null) | (lFidoReturnValues.Jamf != null)) { UpdateMachineToDB(lFidoReturnValues, newRow); } //if there is user data then insert otherwise if (lFidoReturnValues.UserInfo != null) { UpdateUserToDB(lFidoReturnValues, newRow); } //if there is detailed threat data insert //if there is histiorical url data insert UpdateHistoricalURLInfo(lFidoReturnValues); UpdateHistoricalHashInfo(lFidoReturnValues); UpdateHistoricalIPInfo(lFidoReturnValues); } catch (Exception e) { Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in insert of event alert to fidodb:" + e); } }
private static bool SetUpPreviousAlerts(FidoReturnValues lFidoReturnValues, bool isRunDirector) { lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, false); if (lFidoReturnValues.PreviousAlerts.Alerts != null && lFidoReturnValues.PreviousAlerts.Alerts.Rows.Count > 0) { isRunDirector = PreviousAlert(lFidoReturnValues); } return(isRunDirector); }
private static List <string> GetAttachmentList(FidoReturnValues lFidoReturnValues) { return(new List <string> { Application.StartupPath + "\\media\\gauge\\total" + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) + ".png", Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) + ".png", Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) + ".png", Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) + ".png" }); }
private static Dictionary <string, string> ProtectWiseBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements) { replacements = ProtectWiseVTReplacements(lFidoReturnValues, replacements); replacements = ProtectWiseGeoReplacements(lFidoReturnValues, replacements); replacements = ProtectWiseThreatGRIDReplacements(lFidoReturnValues, replacements); return(replacements); }
private static Dictionary <string, string> PaloAltoBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements) { replacements = PaloAltoVTReplacements(lFidoReturnValues, replacements); replacements = PaloAltoGeoReplacements(lFidoReturnValues, replacements); replacements = PaloAltoThreatGRIDReplacements(lFidoReturnValues, replacements); return(replacements); }