private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
{
    // Hash enrichment for a ProtectWise detection.
    // VirusTotal is queried only when "fido.director.virustotal" is enabled and the detection
    // carries a non-empty MD5; ThreatGRID gets the whole return object when
    // "fido.director.threatgrid" is enabled.
    var protectWise = lFidoReturnValues.ProtectWise;

    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        var hasMd5 = protectWise != null && !string.IsNullOrEmpty(protectWise.MD5);
        if (hasMd5)
        {
            if (protectWise.VirusTotal == null)
            {
                protectWise.VirusTotal = new VirusTotalReturnValues();
            }
            Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
            // VirusTotalHash takes a list of hashes; ProtectWise exposes a single MD5 string.
            var hashesToCheck = new List<string> { protectWise.MD5 };
            protectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(hashesToCheck);
        }
    }

    if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        // NOTE(review): unlike the VirusTotal branch this does not check ProtectWise for null;
        // SendProtectWiseToThreatGRID is assumed to cope with that — confirm.
        Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
        lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
    }

    return lFidoReturnValues;
}
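public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
    // Send an operator-facing error notification, gated on "fido.email.runerroremail".
    // The message is always written to the Fido log (and console) before mail is attempted,
    // so a broken mail configuration never hides the underlying error.
    //
    // sErrorSubject: subject line; prefixed with "Test: " when "fido.application.teststartup" is on.
    // sErrorMessage: body text. Callers pass exception.ToString(), i.e. a stack trace and
    //                possibly configuration values — treat the error mailbox as sensitive.
    //
    // Fix: this method is invoked from catch blocks. With no recipient or sender configured the
    // Send call cannot succeed and an exception here escapes the very handler reporting the
    // original error. The gap is now logged and the send skipped instead.
    var isGoingToRun = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
    var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var isTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);

    if (!isGoingToRun)
    {
        return;
    }
    if (isTest)
    {
        sErrorSubject = "Test: " + sErrorSubject;
    }

    Logging_Fido.RunLogging(sErrorMessage);

    if (string.IsNullOrEmpty(sErrorEmail) || string.IsNullOrEmpty(sFidoEmail))
    {
        Console.WriteLine(@"Error email not sent: fido.email.erroremail or fido.email.fidoemail is not configured.");
        Console.WriteLine(sErrorMessage);
        return;
    }

    var Rmail = new Emailfields
    {
        To = sErrorEmail,
        CC = "",
        From = sFidoEmail,
        Subject = sErrorSubject,
        Body = sErrorMessage,
        EmailAttach = null,
        GaugeAttatch = null
    };
    Email_Send.Send(Rmail);
    Console.WriteLine(sErrorMessage);
    // Short pause between error mails; presumably to avoid hammering the mail server
    // when errors arrive in a burst.
    Thread.Sleep(1000);
}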
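private static Dictionary<string, string> CarbonBlackBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary<string, string> replacements)
{
    // Fill the Carbon Black email-template replacement map with threat-feed details,
    // each section gated by its director flag. Returns the (possibly replaced) map.
    //
    // Fix: the original wrapped the body in try { } catch (Exception e) { throw e; }, which
    // rethrows with a truncated stack trace and otherwise changes nothing; removed so the
    // caller sees the original exception intact.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        replacements = CarbonBlackVTReplacements(lFidoReturnValues, replacements);
    }
    // NOTE(review): the geo replacements are gated on the ThreatGRID flag, the same key as the
    // block below. If the geo data comes from a different feed this is probably the wrong key —
    // confirm against the config schema before changing it.
    if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        replacements = CarbonBlackGeoReplacements(lFidoReturnValues, replacements);
    }
    if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        replacements = CarbonBlackThreatGRIDReplacements(lFidoReturnValues, replacements);
    }
    return replacements;
}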
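private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
{
    // Send FireEye MD5 hashes to VirusTotal when "fido.director.virustotal" is enabled.
    //
    // Fix: FireEye.MD5Hash is now null-checked before Any() — CyphortHash and ProtectWiseHash
    // already guard their hash collection, and Enumerable.Any() on a null list throws.
    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        var fireEye = lFidoReturnValues.FireEye;
        if (fireEye != null && fireEye.MD5Hash != null && fireEye.MD5Hash.Any())
        {
            if (fireEye.VirusTotal == null)
            {
                fireEye.VirusTotal = new VirusTotalReturnValues();
            }
            Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
            fireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(fireEye.MD5Hash);
        }
    }

    //todo: decide if FireEye should go to ThreatGRID
    //if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    //{
    //    Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
    //    lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
    //}
    return lFidoReturnValues;
}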
private void PrepareFidoReturnValues(FidoReturnValues lFidoReturnValues)
{
    // Populate the notification fields (summary email body, recommendation, test flag) on the
    // supplied return object. Mirrors the preparation steps performed in Notification.Notify.
    //
    // NOTE(review): SummaryEmail(...) returns an object that is assigned back to the local
    // parameter; since this method is void, if it ever returns a different instance than it
    // was given the caller's object is left untouched — confirm it returns its argument.
    var prepared = SummaryEmail(lFidoReturnValues);
    prepared.Recommendation = ReturnRecommendation(prepared);

    var body = ReplacingValues(prepared.SummaryEmail, prepared);
    prepared.SummaryEmail = body;
    body = ReplacingBadGuyValues(prepared.SummaryEmail, prepared);
    prepared.SummaryEmail = body;

    prepared.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
}
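private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // Enrich a ProtectWise detection with VirusTotal URL and IP reputation.
    // The URL lookup prefers the incident's URL_Reputation entry and falls back to
    // ProtectWise.URL; the destination IP goes to the IP endpoint and an analyst link is recorded.
    //
    // Fix: the flag check was inverted — the method returned when "fido.director.virustotal"
    // was enabled and ran the lookups when it was off. ProtectWise and IncidentDetails are now
    // null-checked before being dereferenced.
    if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }
    var protectWise = lFidoReturnValues.ProtectWise;
    if (protectWise == null)
    {
        return lFidoReturnValues;
    }
    if (protectWise.VirusTotal == null)
    {
        protectWise.VirusTotal = new VirusTotalReturnValues();
    }

    //send ProtectWise return to VT URL API
    var incidentData = protectWise.IncidentDetails != null ? protectWise.IncidentDetails.Data : null;
    if (incidentData != null)
    {
        if (incidentData.URL_Reputation != null)
        {
            Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
            var urlsToCheck = new List<string> { incidentData.URL_Reputation.Url };
            var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(urlsToCheck);
            if (vtURLReturn != null)
            {
                protectWise.VirusTotal.URLReturn = vtURLReturn;
            }
        }
        else if (protectWise.URL != null)
        {
            Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
            var urlsToCheck = new List<string> { protectWise.URL };
            var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(urlsToCheck);
            if (vtURLReturn != null)
            {
                protectWise.VirusTotal.URLReturn = vtURLReturn;
            }
        }
    }

    //send ProtectWise return to VT IP API
    // NOTE(review): there is no check that DstIP is publicly routable; a private or loopback
    // destination would be disclosed to the external feed for no benefit.
    if (!string.IsNullOrEmpty(protectWise.DstIP))
    {
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        var ipsToCheck = new List<string> { protectWise.DstIP };
        protectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(ipsToCheck);
        //todo: move the url to the database
        // Analyst link embedded in the notification; note it is a plain http:// URL.
        protectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + protectWise.DstIP + "/information/";
    }
    return lFidoReturnValues;
}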
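private static FidoReturnValues SendCyphortToThreatGRID(FidoReturnValues lFidoReturnValues)
{
    // Pull ThreatGRID intelligence for the Cyphort detection's destination IP.
    // The search starts with a 7-day window and doubles it until at least 50 records are
    // returned or the window exceeds a year; the first (up to 25) records are then expanded
    // via ThreatInfo and stored on Cyphort.ThreatGRID.IPThreatInfo.
    //
    // Fixes: the flag check was inverted — it returned as soon as "fido.director.threatgrid"
    // was enabled, and CyphortHash only calls this when that flag is on, so ThreatGRID data
    // was never fetched. Cyphort / Cyphort.ThreatGRID and the search result are null-checked;
    // CurrentItemCount is parsed as a 32-bit int (Convert.ToInt16 overflows above 32767);
    // indexing is bounded by the items actually returned; the dead `i >= 50` check is gone.
    if (!Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        return lFidoReturnValues;
    }
    var cyphort = lFidoReturnValues.Cyphort;
    if (cyphort == null)
    {
        return lFidoReturnValues;
    }
    if (cyphort.ThreatGRID == null)
    {
        cyphort.ThreatGRID = new ThreatGridReturnValues();
    }
    var threatGrid = cyphort.ThreatGRID;

    Int16 iDays = -7;
    threatGrid.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
    if (threatGrid.IPSearch == null || threatGrid.IPSearch.Data == null)
    {
        return lFidoReturnValues;
    }
    while (Convert.ToInt32(threatGrid.IPSearch.Data.CurrentItemCount) < 50)
    {
        if (iDays < -364)
        {
            break;
        }
        iDays = (Int16)(iDays * 2);
        threatGrid.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
        if (threatGrid.IPSearch == null || threatGrid.IPSearch.Data == null)
        {
            return lFidoReturnValues;
        }
    }

    var found = Convert.ToInt32(threatGrid.IPSearch.Data.CurrentItemCount);
    Console.WriteLine(@"Successfully found ThreatGRID IP data (" + threatGrid.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");
    var items = threatGrid.IPSearch.Data.Items;
    if (found <= 0 || items == null)
    {
        return lFidoReturnValues;
    }

    //todo: make the below integer values configurable by storing them in the DB
    // Expand at most 25 records, and never more than the search actually returned.
    var toExpand = Math.Min(Math.Min(found, 25), items.Count());
    if (toExpand > 0 && threatGrid.IPThreatInfo == null)
    {
        threatGrid.IPThreatInfo = new List<Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
    }
    for (var i = 0; i < toExpand; i++)
    {
        threatGrid.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(items[i].HashID));
    }
    return lFidoReturnValues;
}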
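private Dictionary<string, string> GetSysLogParams()
{
    // Collect the syslog logger settings from Fido configuration as a string map.
    //
    // Fix: the original did not compile — it called result.add (lowercase) and put int, bool
    // and string[] values into a Dictionary<string, string>. Values are now stored as strings
    // ("port" with the invariant culture so it round-trips through int.Parse) and "detectors"
    // keeps the raw comma-separated list instead of a split array.
    //
    // NOTE(review): the defaults (localhost:514) suggest classic UDP syslog; the transport is
    // decided by the logger that consumes these values, so confirm events are not sent in
    // clear text across the network in production.
    var result = new Dictionary<string, string>();
    result.Add("server", Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost"));
    result.Add("port", Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514).ToString(CultureInfo.InvariantCulture));
    result.Add("facility", Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1"));
    result.Add("sender", Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido"));
    result.Add("layout", Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)"));
    result.Add("isParamTest", Object_Fido_Configs.GetAsBool("fido.application.teststartup", true).ToString());
    result.Add("detectors", Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty));
    return result;
}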
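public static FidoReturnValues ThreatGRIDIPInfo(FidoReturnValues lFidoReturnValues)
{
    // Look up the destination IP in ThreatGRID (HlInfo) and attach the result to every
    // detector section present on the return object.
    //
    // Fix: the guard was both inverted and keyed on the wrong feed — it returned as soon as
    // "fido.director.alienvault" was true and otherwise called ThreatGRID unconditionally.
    // It now follows the convention used by the other feed calls in Fido: proceed only when
    // "fido.director.threatgrid" is enabled.
    if (!Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        return lFidoReturnValues;
    }
    var dstIp = lFidoReturnValues.DstIP;
    if (String.IsNullOrEmpty(dstIp))
    {
        return lFidoReturnValues;
    }

    // NOTE(review): DstIP is sent to an external feed with no check that it is a public
    // address; RFC 1918 / loopback destinations would leak internal topology for no benefit.
    // HlInfo is called once per detector section present (up to four round trips for the same IP).
    if (lFidoReturnValues.FireEye != null)
    {
        if (lFidoReturnValues.FireEye.ThreatGRID == null)
        {
            lFidoReturnValues.FireEye.ThreatGRID = new ThreatGridReturnValues();
        }
        lFidoReturnValues.FireEye.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(dstIp);
    }
    if (lFidoReturnValues.Cyphort != null)
    {
        if (lFidoReturnValues.Cyphort.ThreatGRID == null)
        {
            lFidoReturnValues.Cyphort.ThreatGRID = new ThreatGridReturnValues();
        }
        lFidoReturnValues.Cyphort.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(dstIp);
    }
    if (lFidoReturnValues.ProtectWise != null)
    {
        if (lFidoReturnValues.ProtectWise.ThreatGRID == null)
        {
            lFidoReturnValues.ProtectWise.ThreatGRID = new ThreatGridReturnValues();
        }
        lFidoReturnValues.ProtectWise.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(dstIp);
    }
    if (lFidoReturnValues.PaloAlto != null)
    {
        if (lFidoReturnValues.PaloAlto.ThreatGRID == null)
        {
            lFidoReturnValues.PaloAlto.ThreatGRID = new ThreatGridReturnValues();
        }
        lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(dstIp);
    }
    return lFidoReturnValues;
}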
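public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
    // Send an operator-facing error notification, gated on "fido.email.runerroremail".
    // The message is always written to the Fido log (and console) before mail is attempted,
    // so a broken mail configuration never hides the underlying error.
    //
    // sErrorSubject: subject line; prefixed with "Test: " when "fido.application.teststartup" is on.
    // sErrorMessage: body text. Callers pass exception.ToString(), i.e. a stack trace and
    //                possibly configuration values — treat the error mailbox as sensitive.
    //
    // Fix: this method is invoked from catch blocks. With no recipient or sender configured the
    // Send call cannot succeed and an exception here escapes the very handler reporting the
    // original error. The gap is now logged and the send skipped instead.
    var isGoingToRun = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
    var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
    var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
    var isTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);

    if (!isGoingToRun)
    {
        return;
    }
    if (isTest)
    {
        sErrorSubject = "Test: " + sErrorSubject;
    }

    Logging_Fido.RunLogging(sErrorMessage);

    if (string.IsNullOrEmpty(sErrorEmail) || string.IsNullOrEmpty(sFidoEmail))
    {
        Console.WriteLine(@"Error email not sent: fido.email.erroremail or fido.email.fidoemail is not configured.");
        Console.WriteLine(sErrorMessage);
        return;
    }

    // Arguments: to, cc (the Fido sender itself), from, subject, body, attachments, gauge attachments.
    Email_Send.Send(sErrorEmail, sFidoEmail, sFidoEmail, sErrorSubject, sErrorMessage, null, null);
    Console.WriteLine(sErrorMessage);
    // Short pause between error mails; presumably to avoid hammering the mail server
    // when errors arrive in a burst.
    Thread.Sleep(1000);
}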
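private static FidoReturnValues SendPaloAltoToAlienVault(FidoReturnValues lFidoReturnValues)
{
    // Look up the Palo Alto detection's destination IP in AlienVault and store the result
    // on PaloAlto.AlienVault.
    //
    // Fixes: the flag check was inverted (returned when "fido.director.alienvault" was
    // enabled); PaloAlto was dereferenced to initialise AlienVault before the null check
    // that followed it.
    if (!Object_Fido_Configs.GetAsBool("fido.director.alienvault", false))
    {
        return lFidoReturnValues;
    }
    var paloAlto = lFidoReturnValues.PaloAlto;
    if (paloAlto == null)
    {
        return lFidoReturnValues;
    }

    //initialize AlienVault area if null
    if (paloAlto.AlienVault == null)
    {
        paloAlto.AlienVault = new AlienVaultReturnValues();
    }

    //next send PAN return to AlienVault
    if (!string.IsNullOrEmpty(paloAlto.DstIp))
    {
        Console.WriteLine(@"Getting IP informaiton from AlienVault.");
        // The feed result replaces the object initialised above, so that initialisation only
        // matters when no destination IP is available.
        paloAlto.AlienVault = Feeds_AlientVault.AlienVaultIP(paloAlto.DstIp);
    }
    return lFidoReturnValues;
}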
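private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // Fetch VirusTotal IP reputation for the Palo Alto detection's destination IP and record
    // an analyst link. A feed failure is reported by error email and does not abort processing.
    //
    // Fixes: the flag check was inverted (returned when "fido.director.virustotal" was
    // enabled); PaloAlto and PaloAlto.DstIp were dereferenced without null checks
    // (DstIp.Any() throws on null).
    if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }
    var paloAlto = lFidoReturnValues.PaloAlto;
    if (paloAlto == null || string.IsNullOrEmpty(paloAlto.DstIp))
    {
        return lFidoReturnValues;
    }
    if (paloAlto.VirusTotal == null)
    {
        paloAlto.VirusTotal = new VirusTotalReturnValues();
    }

    //send PAN return to VT IP API
    // NOTE(review): no check that DstIp is publicly routable before it is sent to the feed.
    Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
    try
    {
        var sIPToCheck = new List<string> { paloAlto.DstIp };
        var IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
        if (IPReturn != null)
        {
            paloAlto.VirusTotal.IPReturn = IPReturn;
        }
    }
    catch (Exception e)
    {
        // Best effort: report the feed failure, keep scoring with what we have.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
    }
    //todo: move the url to the database
    // Analyst link embedded in the notification; note it is a plain http:// URL.
    paloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + paloAlto.DstIp + "/information/";
    return lFidoReturnValues;
}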
private static FidoReturnValues CyphortHash(FidoReturnValues lFidoReturnValues)
{
    // Hash enrichment for a Cyphort detection: VirusTotal when "fido.director.virustotal"
    // is enabled and at least one MD5 is present, ThreatGRID when "fido.director.threatgrid"
    // is enabled.
    var cyphort = lFidoReturnValues.Cyphort;

    if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        var hasHashes = cyphort != null && cyphort.MD5Hash != null && cyphort.MD5Hash.Any();
        if (hasHashes)
        {
            if (cyphort.VirusTotal == null)
            {
                cyphort.VirusTotal = new VirusTotalReturnValues();
            }
            Console.WriteLine(@"Sending Cyphort hashes to VirusTotal.");
            cyphort.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(cyphort.MD5Hash);
        }
    }

    if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        // NOTE(review): unlike the VirusTotal branch this does not check Cyphort for null;
        // SendCyphortToThreatGRID is expected to handle that.
        Console.WriteLine(@"Sending Cyphort hashes to ThreatGRID.");
        lFidoReturnValues = SendCyphortToThreatGRID(lFidoReturnValues);
    }

    return lFidoReturnValues;
}
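private static FidoReturnValues SendPaloAltoToThreatGRID(FidoReturnValues lFidoReturnValues)
{
    // Pull ThreatGRID records for the Palo Alto detection's destination IP: the search window
    // starts at 7 days and doubles until 50+ records are returned or it exceeds a year; up to
    // 50 of the returned items are then expanded via ThreatInfo.
    //
    // Fixes: the flag check was inverted (returned when "fido.director.threatgrid" was
    // enabled); PaloAlto / PaloAlto.ThreatGRID and the search result are null-checked;
    // CurrentItemCount is parsed as a 32-bit int (Convert.ToInt16 overflows above 32767);
    // the loop used `continue` past index 50 while still iterating the full count — it now
    // stops at 50 and never indexes past the items actually returned.
    if (!Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
    {
        return lFidoReturnValues;
    }
    var paloAlto = lFidoReturnValues.PaloAlto;
    if (paloAlto == null)
    {
        return lFidoReturnValues;
    }
    if (paloAlto.ThreatGRID == null)
    {
        paloAlto.ThreatGRID = new ThreatGridReturnValues();
    }
    var threatGrid = paloAlto.ThreatGRID;

    Int16 iDays = -7;
    threatGrid.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
    if (threatGrid.IPSearch == null || threatGrid.IPSearch.Data == null)
    {
        return lFidoReturnValues;
    }
    while (Convert.ToInt32(threatGrid.IPSearch.Data.CurrentItemCount) < 50)
    {
        if (iDays < -364)
        {
            break;
        }
        iDays = (Int16)(iDays * 2);
        threatGrid.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
        if (threatGrid.IPSearch == null || threatGrid.IPSearch.Data == null)
        {
            return lFidoReturnValues;
        }
    }

    var found = Convert.ToInt32(threatGrid.IPSearch.Data.CurrentItemCount);
    Console.WriteLine(@"Successfully found ThreatGRID IP data (" + threatGrid.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");
    var items = threatGrid.IPSearch.Data.Items;
    if (found <= 0 || items == null)
    {
        return lFidoReturnValues;
    }

    // Expand at most 50 records, and never more than the search actually returned.
    var toExpand = Math.Min(Math.Min(found, 50), items.Count());
    if (toExpand > 0 && threatGrid.IPThreatInfo == null)
    {
        threatGrid.IPThreatInfo = new List<Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
    }
    for (var i = 0; i < toExpand; i++)
    {
        threatGrid.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(items[i].HashID));
    }
    return lFidoReturnValues;
}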
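//The load will grab configurations for what FIDO is monitoring,
//then go to each configured external system to parse any alerts.
//Finally, FIDO is configured to pause per iteration on a
//configurable timed basis.
private void Fido_Load(object sender, EventArgs aug)
{
    // One polling iteration: validate configuration, set up syslog, run every configured
    // detector receiver, then sleep and re-arm the timer for the next pass.
    //
    // Fixes: Application.Exit() does not stop the current method, so a failed
    // ConfigurationOK() used to fall through and run the receivers anyway — it now returns;
    // an unrecognised detector type is logged instead of being silently skipped; empty entries
    // in the comma-separated detector list are ignored.

    //Disable the timer during the current iteration.
    timer1.Enabled = false;
    Hide();

    if (!ConfigurationOK())
    {
        Application.Exit();
        return;
    }

    SetupSyslog();

    //Beginning of primary area which starts parsing of alerts.
    var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    var sDetectors = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty)
        .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

    try
    {
        Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");
        foreach (var detect in sDetectors)
        {
            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
            //Get the detector, ie, email, log, web service, etc.
            var sDetectorType = parseConfigs.DetectorType;
            switch (sDetectorType)
            {
                case "api":
                    Console.WriteLine(@"Loading webservice receiver.");
                    Recieve_API.DirectToEngine(sDetectorType, detect);
                    break;
                case "log":
                    Console.WriteLine(@"Loaded log receiver.");
                    var sDefaultServer = parseConfigs.Server;
                    var sDefaultFile = parseConfigs.File;
                    var sVendor = parseConfigs.Vendor;
                    Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                    break;
                case "sql":
                    Console.WriteLine(@"Loaded sql receiver.");
                    Receive_SQL.DirectToEngine(sDetectorType, detect);
                    break;
                case "email":
                    Console.WriteLine(@"Loaded email receiver.");
                    var sEmailVendor = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                    var sDetectorsEmail = parseConfigs.EmailFrom;
                    var sDetectorsFolder = parseConfigs.Folder;
                    // Third argument is not supplied by this caller (always null here).
                    Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                    break;
                default:
                    // A misconfigured detector would otherwise be dropped without a trace — a
                    // monitoring gap nobody would notice.
                    Console.WriteLine(@"Unknown detector type '" + sDetectorType + @"' for detector '" + detect + @"'; skipping.");
                    break;
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
    }

    //Sleep for X # of seconds per iteration specified in Fido configuration
    Application.DoEvents();
    var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);
    // NOTE(review): iSleep is passed to Thread.Sleep as milliseconds but printed as seconds,
    // and the default of 5 prints "0 seconds" — confirm the intended unit of the config value.
    Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
    Thread.Sleep(iSleep);
    timer1.Enabled = true;
}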
public static FidoReturnValues RunMatrix(FidoReturnValues lFidoReturnValues)
{
    // Run every scoring stage in order and fold the results into the return object:
    // threat-feed score; optional asset, machine-posture and user-posture scores (only when
    // "fido.director.assetscore" is on); historical artifact counts; previous alerts for the
    // machine; then the final roll-up. Each stage returns the (possibly replaced) object, so
    // the local is reassigned at every step.
    Console.WriteLine(@"Starting threat feed evaluation.");
    var scored = Matrix_Scoring.GetDetectorsScore(lFidoReturnValues);

    var runAssetScoring = Object_Fido_Configs.GetAsBool("fido.director.assetscore", false);
    if (runAssetScoring)
    {
        Console.WriteLine(@"Starting assest evaluation.");
        //asset evaluation
        var pairedAssets = Object_Fido_Configs.GetAsBool("fido.posture.asset.paired", false);
        scored = Matrix_Scoring.GetAssetScore(scored, pairedAssets);

        Console.WriteLine(@"Scoring machine posture evaluation.");
        //Patch evaluation
        scored = Matrix_Scoring.GetPatchScore(scored);
        //AV evaluation
        scored = Matrix_Scoring.GetAVScore(scored);

        Console.WriteLine(@"Starting user posture evaluation.");
        if (scored.UserInfo != null)
        {
            scored = Matrix_Scoring.GetUserScore(scored);
        }
    }

    Console.WriteLine(@"Starting historical artifact evaluation.");
    scored = Matrix_Historical_Helper.HistoricalEvent(scored);
    scored = Matrix_Scoring.GetHistoricalHashCount(scored);
    scored = Matrix_Scoring.GetHistoricalURLCount(scored);
    scored = Matrix_Scoring.GetHistoricalIPCount(scored);

    Console.WriteLine(@"Checking to see if this machine has previous alerted.");
    scored.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(scored, true);

    //todo: put configuration in DB for whether to include user/machine score in division of their score.
    // Only the threat score is scaled down here; the total/user/machine divisions were left
    // commented out in the original and are intentionally not applied.
    // NOTE(review): if ThreatScore is an integer type this is integer division — confirm.
    scored.ThreatScore = scored.ThreatScore / 10;
    scored = Matrix_Scoring.SetScoreValues(scored);

    Console.WriteLine(@"Total Score for event = " + scored.TotalScore.ToString(CultureInfo.InvariantCulture));
    Console.WriteLine(@"Threat Score for event = " + scored.ThreatScore.ToString(CultureInfo.InvariantCulture));
    Console.WriteLine(@"Machine Score for event = " + scored.MachineScore.ToString(CultureInfo.InvariantCulture));
    Console.WriteLine(@"User Score for event = " + scored.UserScore.ToString(CultureInfo.InvariantCulture));
    return scored;
}
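private static FidoReturnValues SendCyphortToVirusTotal(FidoReturnValues lFidoReturnValues)
{
    // Enrich a Cyphort detection with VirusTotal URL and IP reputation. URLs, domains and the
    // destination IP are de-duplicated and sent to the URL endpoint; the destination IP is
    // additionally sent to the IP endpoint and an analyst link is recorded.
    //
    // Fixes: the flag check was inverted (returned when "fido.director.virustotal" was
    // enabled); Cyphort and Cyphort.URL were dereferenced without null checks (Domain already
    // had one); Cyphort.VirusTotal was never initialised, unlike the ProtectWise and Palo Alto
    // variants, so a detection without a prior VirusTotal section threw.
    if (!Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
    {
        return lFidoReturnValues;
    }
    var cyphort = lFidoReturnValues.Cyphort;
    if (cyphort == null)
    {
        return lFidoReturnValues;
    }
    if (cyphort.VirusTotal == null)
    {
        cyphort.VirusTotal = new VirusTotalReturnValues();
    }

    //convert return from Cyphort to list
    var sURLToCheck = new List<string>();
    if (cyphort.URL != null)
    {
        foreach (var candidate in cyphort.URL)
        {
            if (string.IsNullOrEmpty(candidate))
            {
                continue;
            }
            // URLs pointing at .exe files are deliberately not sent to the URL endpoint
            // (kept from the original; presumably the hash path covers those).
            if (candidate.Contains(".exe"))
            {
                continue;
            }
            sURLToCheck.Add(candidate);
        }
    }
    if (cyphort.Domain != null && cyphort.Domain.Count > 0)
    {
        sURLToCheck.AddRange(cyphort.Domain);
    }
    if (cyphort.DstIP != null)
    {
        sURLToCheck.Add(cyphort.DstIP);
    }
    sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();

    //send Cyphort return to VT URL API
    // NOTE(review): these values are disclosed to an external service; nothing here checks
    // for internal host names or private addresses.
    if (sURLToCheck.Any())
    {
        Console.WriteLine(@"Sending Cyport URLs to VirusTotal.");
        cyphort.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
    }

    //send Cyphort return to VT IP API (the destination IP also went to the URL endpoint above)
    if (!string.IsNullOrEmpty(cyphort.DstIP))
    {
        Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
        var sIPToCheck = new List<string> { cyphort.DstIP };
        cyphort.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
        //todo: move the url to the database
        // Analyst link embedded in the notification; note it is a plain http:// URL.
        cyphort.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + cyphort.DstIP + "/information/";
    }
    return lFidoReturnValues;
}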
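//module to compose notifications
public static void Notify(FidoReturnValues lFidoReturnValues)
{
    // Build the alert email (subject, body, gauge images) for a scored event and send it to
    // the primary/secondary recipients, or to the non-alert mailbox when the event is
    // informational only. Any failure is reported through the error-email path.
    //
    // Fix: the error email raised from this method's catch block described a different stage
    // ("sending network detector info to threat feeds", copied from Director); it now names
    // the notification stage so responders look in the right place.
    try
    {
        var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
        var sPrimaryEmail = Object_Fido_Configs.GetAsString("fido.email.primaryemail", null);
        var sSecondaryEmail = Object_Fido_Configs.GetAsString("fido.email.secondaryemail", null);
        var sNonAlertEmail = Object_Fido_Configs.GetAsString("fido.email.nonalertemail", null);

        // Gauge images are selected by score value; a file must exist under media\gauge for
        // every score the matrix can produce (assumed — not checked here).
        var gaugeDir = Application.StartupPath + "\\media\\gauge\\";
        var lAttachment = new List<string>
        {
            gaugeDir + "total" + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) + ".png",
            gaugeDir + "red" + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) + ".png",
            gaugeDir + "red" + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) + ".png",
            gaugeDir + "red" + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) + ".png"
        };

        var sSubject = lFidoReturnValues.IsPreviousAlert
            ? @"Previously Alerted! Fido Alert: " + lFidoReturnValues.MalwareType + ". "
            : @"Fido Alert: " + lFidoReturnValues.MalwareType + ". ";
        sSubject += lFidoReturnValues.IsHostKnown
            ? "Hostname = " + lFidoReturnValues.Hostname
            : "Hostname = Unknown (" + lFidoReturnValues.SrcIP + ")";

        // Body: template, recommendation, then detector values substituted in.
        // NOTE(review): detector-supplied values (host names, URLs, file names) are substituted
        // into the template here; if the template is HTML, confirm the Replacing* helpers escape them.
        lFidoReturnValues = SummaryEmail(lFidoReturnValues);
        lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues);
        lFidoReturnValues.SummaryEmail = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
        lFidoReturnValues.SummaryEmail = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);

        // Informational-only events replace the alert subject built above.
        if (!lFidoReturnValues.IsTargetOS)
        {
            sSubject = "Fido InfoSec only Alert : Target OS does not match.";
        }
        else if (!lFidoReturnValues.IsSendAlert)
        {
            sSubject = "Fido InfoSec only alert. " + lFidoReturnValues.MalwareType + ". Hostname = " + lFidoReturnValues.Hostname + " (" + lFidoReturnValues.SrcIP + ")";
        }

        lFidoReturnValues.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
        if (lFidoReturnValues.IsTest)
        {
            sSubject = @"TEST: " + sSubject;
        }

        if (lFidoReturnValues.IsSendAlert)
        {
            Email_Send.Send(sPrimaryEmail, sSecondaryEmail, sFidoEmail, sSubject, lFidoReturnValues.SummaryEmail, lAttachment, null);
        }
        else
        {
            Email_Send.Send(sNonAlertEmail, sNonAlertEmail, sFidoEmail, sSubject, lFidoReturnValues.SummaryEmail, lAttachment, null);
        }
    }
    catch (Exception e)
    {
        Console.WriteLine(@"Error creating FIDO email. " + e);
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Notification composing or sending alert email:" + e);
    }
}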
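public static void Direct(FidoReturnValues lFidoReturnValues)
{
    // Orchestrate one detector alert end to end: whitelist check, host/user discovery, Bit9
    // cross-reference, threat-feed enrichment, scoring, notification and the FidoDB insert.
    // Every external stage sits in its own try/catch: a failing integration is reported by
    // error email and the alert continues with whatever was gathered, so an outage in one
    // data source never suppresses the alert (fail-open for analysis).
    //
    // Fixes: the "unknown" hostname comparison used ToLower() == (culture-sensitive; ordinal
    // comparison now); FireEye.MD5Hash is null-checked before Any(), as FireEyeHash does.
    var sSrcIP = lFidoReturnValues.SrcIP;
    var sHostname = lFidoReturnValues.Hostname;

    try
    {
        //check detector values versus whitelist and exclude if true
        var isFound = new The_Director_Whitelist().CheckFidoWhitelist(lFidoReturnValues.DstIP, lFidoReturnValues.Hash, lFidoReturnValues.DNSName, lFidoReturnValues.Url);
        if (isFound)
        {
            return;
        }
    }
    catch (Exception e)
    {
        // A broken whitelist lookup is reported but does not drop the alert.
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director processing whitelist:" + e);
    }

    try
    {
        //if HostDetection is turned on, then gather information directly from host
        if (Object_Fido_Configs.GetAsBool("fido.director.hostdetection", true))
        {
            lFidoReturnValues = The_Director_HostDetection.HostDetection(lFidoReturnValues, sHostname, sSrcIP);
        }

        //Write results out to console
        if (!string.IsNullOrEmpty(sHostname))
        {
            Console.WriteLine(@"Detected hostname=" + sHostname + @", gathering detailed inventory.");
        }
        else
        {
            Console.WriteLine(@"Unable to detect hostname, gathering detailed inventory for " + sSrcIP + @".");
        }

        //go to our sysmgmt data sources to get detailed inventory information
        if (Object_Fido_Configs.GetAsBool("fido.director.runinventory", false))
        {
            lFidoReturnValues = The_Director_HostDetection.SQLFidoReturnValues(lFidoReturnValues, sSrcIP, sHostname);
        }

        //determine if hostname from host discover matches inventory data
        var runUserDetect = Object_Fido_Configs.GetAsBool("fido.director.userdetect", false);
        if (string.IsNullOrEmpty(lFidoReturnValues.Hostname))
        {
            Console.WriteLine(@"Hostname still unknown. Proceeding to evaluate threat.");
            lFidoReturnValues.IsHostKnown = false;
            lFidoReturnValues.Hostname = "unknown";
        }
        else if (string.Equals(lFidoReturnValues.Hostname, "unknown", StringComparison.OrdinalIgnoreCase))
        {
            //todo: need to write code to take existing data
            //hold it for %configurable% minutes and then
            //send it out 'unmanaged' if hostinfo continues to come
            //back empty
        }
        else if (runUserDetect)
        {
            lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues);
        }

        // NOTE(review): for a known host with a username this repeats the GetUserInfo call
        // made just above; kept as in the original pending confirmation that it is intentional.
        if (lFidoReturnValues.Username != null && runUserDetect)
        {
            lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues);
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host information:" + e);
    }

    try
    {
        //Gather more information about destination IP address
        lFidoReturnValues = The_Director_ThreatFeeds_URL.ThreatGRIDIPInfo(lFidoReturnValues);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host IP/GEO information:" + e);
    }

    try
    {
        //todo: this area is half-baked... why is bit9 return not being assigned to lFidoReturnValues?
        //If detector == AV then check if AV information has a filepath/name
        //then parse and send to bit9 to get additional info
        if ((lFidoReturnValues.Antivirus != null) && (The_Director_HostDetection.IsBit9Installed()))
        {
            AntiVirusToBit9(lFidoReturnValues);
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending AV info to Bit9:" + e);
    }

    try
    {
        //this area will take detector hashes and reference them against Bit9
        //to see if Bit9 has seen the hash, where and if it was executed
        if (The_Director_HostDetection.IsBit9Installed())
        {
            Console.WriteLine(@"Bit9 detected... cross-referencing hashes.");
            //if FireEye has hashes send to Bit9
            var fireEye = lFidoReturnValues.FireEye;
            if (fireEye != null && fireEye.MD5Hash != null && fireEye.MD5Hash.Any())
            {
                if (lFidoReturnValues.Bit9 == null)
                {
                    lFidoReturnValues.Bit9 = new Bit9ReturnValues();
                }
                lFidoReturnValues.Bit9.Bit9Hashes = Detect_Bit9.GetFileInfo(fireEye.MD5Hash, null).ToArray();
            }
            //todo: FireEyeMPS, PaloAlto, Cyphort and ProtectWise hashes are not yet sent to Bit9
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to Bit9:" + e);
    }

    try
    {
        //this area will send hash data to threatfeeds to get additional information
        //to be used in scoring for the attack
        lFidoReturnValues = The_Director_ThreatFeeds_Hash.DetectorsToThreatFeeds(lFidoReturnValues);
        //this area will send URL data to threatfeeds to get additional information
        //to be used in scoring for the attack
        lFidoReturnValues = The_Director_ThreatFeeds_URL.DetectorsToThreatFeeds(lFidoReturnValues);
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
    }

    //Send accumulated information to the Matrix for scoring
    // NOTE: scoring is not wrapped in try/catch — an exception here propagates to the caller.
    Console.WriteLine(@"Running scoring matrix.");
    lFidoReturnValues = Matrix.RunMatrix(lFidoReturnValues);
    Console.WriteLine(@"Exiting scoring matrix.");

    //handoff to enforcement
    //todo: ticketing is a placeholder — both branches record "Created Ticket" even though
    //no ticket is created (see the Service-Now note below).
    var actions = new List<string>
    {
        "Created Ticket",
        lFidoReturnValues.IsSendAlert ? "Success" : "Not Needed"
    };

    //The Service-Now module is commented out as it is too proprietary in its current form
    //to be included with OSS. A future version will add a module that handles different
    //ticketing solutions (Service-Now, Zendesk, ServiceDesk, etc.) driven by user configuration.
    //ServiceNowUpdate.InsertResponse(lFidoReturnValues);
    lFidoReturnValues.Actions = actions;

    //send information for notifications
    Console.WriteLine(@"Sending notification.");
    Notification.Notification.Notify(lFidoReturnValues);

    //Send configurable information for output to syslog
    //SysLogger.SendEventToSyslog(lFidoReturnValues);

    //todo: these entries are appended to the same list already assigned to Actions above, so
    //the DB insert records the update as a success before it has actually happened.
    actions.Add("Update FIDO DB");
    actions.Add("Success");

    //update FIDO DB with event information
    Console.WriteLine(@"Updating FidoDB.");
    Fido_UpdateDB.InsertEventToDB(lFidoReturnValues);
}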
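private static List<UrlReport> ParseUrl(IEnumerable<string> sURL)
{
    // Fetch a VirusTotal report for each URL. A URL VirusTotal has not seen is submitted for
    // a scan and polled up to three times, two minutes apart. Free-tier accounts are paced with
    // sleeps around every call. Returns the finished reports, or null when there are none.
    //
    // Fixes: (1) a null sURL was dereferenced (ToList) before the null check that followed;
    // (2) "https://..." inputs became "http://https://..." because only "http://" was
    // recognised as a scheme — any URL whose text happened to contain "http://" was also left
    // alone; (3) a null report from the client no longer throws; (4) the unused
    // "ratelimited" config read is gone.
    //
    // Security notes: the API key is read in clear text from the config DB (see the
    // placeholder comment below). ScanUrl submits the URL to VirusTotal, which discloses it —
    // including any internal host names or paths — to a third party.

    //The below is a placeholder for when this will be encrypted.
    //var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
    var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
    var vtLogin = new VirusTotal(sVTKey);

    List<UrlReport> sVirusTotalUrl = null;
    var sVTURLreturn = new List<UrlReport>();
    var fidoDB = new SqLiteDB();
    var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));

    if (sURL == null)
    {
        return sVirusTotalUrl;
    }
    var url = sURL as IList<string> ?? sURL.ToList();

    try
    {
        for (var i = 0; i < url.Count; i++)
        {
            if (string.IsNullOrEmpty(url[i]))
            {
                continue;
            }
            var newurl = url[i];
            if (!newurl.StartsWith("http://", StringComparison.OrdinalIgnoreCase)
                && !newurl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            {
                newurl = "http://" + newurl;
            }

            if (!isPaidFeed) Thread.Sleep(15000);
            var report = vtLogin.GetUrlReport(newurl);
            if (!isPaidFeed) Thread.Sleep(20000);
            if (report == null)
            {
                Console.WriteLine(@"No VirusTotal report returned for " + newurl);
                continue;
            }

            if (report.VerboseMsg == "Scan finished, scan information embedded in this object")
            {
                Console.WriteLine(report.VerboseMsg);
                Console.WriteLine(newurl);
                sVTURLreturn.Add(report);
                continue;
            }

            var icount = 1;
            while (report.VerboseMsg == "The requested resource is not among the finished, queued or pending scans" && icount <= 3)
            {
                Console.WriteLine(report.VerboseMsg);
                Console.WriteLine(newurl);
                // Submits the URL to VirusTotal for analysis (disclosure — see header note).
                vtLogin.ScanUrl(newurl);
                //todo: move sleep integer to db
                Thread.Sleep(120000);
                icount++;
                report = vtLogin.GetUrlReport(newurl);
                if (report == null)
                {
                    break;
                }
                if (report.VerboseMsg == "Scan finished, scan information embedded in this object")
                {
                    Console.WriteLine(report.VerboseMsg);
                    Console.WriteLine(newurl);
                    sVTURLreturn.Add(report);
                }
            }
        }
        if (sVTURLreturn.Any())
        {
            sVirusTotalUrl = sVTURLreturn;
            return sVirusTotalUrl;
        }
    }
    catch (Exception e)
    {
        // NOTE(review): matching on the exception message text is fragile — it depends on the
        // client library's wording. The retry restarts the whole batch (reports gathered before
        // the limit hit are discarded) and recurses without a bound.
        if (e.Message == "You have reached the 5 requests pr. min. limit of VirusTotal")
        {
            if (!isPaidFeed) Thread.Sleep(60000);
            sVirusTotalUrl = ParseUrl(url);
            return sVirusTotalUrl;
        }
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
    }
    return sVirusTotalUrl;
}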
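//The load will grab configurations for what FIDO is monitoring,
//then go to each configured external system to parse any alerts.
//Finally, FIDO is configured to pause per iteration on a
//configurable timed basis.
private void Fido_Load(object sender, EventArgs aug)
{
    // One polling iteration: verify the Fido DB exists, load configuration, read the syslog
    // settings, run every configured detector receiver, then sleep and re-arm the timer.
    //
    // Fixes: Application.Exit() does not stop the current method, so a missing fido.db used
    // to fall through into LoadConfigFromDb — it now returns; an unrecognised detector type is
    // logged instead of being silently skipped; empty entries in the detector list are ignored.

    //Disable the timer during the current iteration.
    timer1.Enabled = false;
    Hide();

    //Check to see if Fido configurations exists and if not
    //fail with prompt that configurations are not found.
    Console.Clear();
    // This DB holds all configuration, including threat-feed API keys that are read from it
    // in clear text elsewhere — its on-disk permissions matter and are not enforced here.
    var sAppStartupPath = Application.StartupPath + @"\data\fido.db";
    if (!File.Exists(sAppStartupPath))
    {
        Console.WriteLine(@"Failed to load FIDO DB.");
        Application.Exit();
        return;
    }
    Console.WriteLine(@"Loaded FIDO DB successfully.");

    //Load fido configs from database
    Object_Fido_Configs.LoadConfigFromDb("config");

    //Setup syslog
    // The values are read but SysLogger.Setup is currently commented out, so they are unused.
    var server1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
    var port1 = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
    var facility1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
    var sender1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
    var layout1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
    //SysLogger.Setup(server1, port1, facility1, sender1, layout1);

    //Beginning of primary area which starts parsing of alerts.
    var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
    var sDetectors = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty)
        .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

    try
    {
        Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");
        foreach (var detect in sDetectors)
        {
            var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
            //Get the detector, ie, email, log, web service, etc.
            var sDetectorType = parseConfigs.DetectorType;
            switch (sDetectorType)
            {
                case "api":
                    Console.WriteLine(@"Loading webservice receiver.");
                    Recieve_API.DirectToEngine(sDetectorType, detect);
                    break;
                case "log":
                    Console.WriteLine(@"Loaded log receiver.");
                    var sDefaultServer = parseConfigs.Server;
                    var sDefaultFile = parseConfigs.File;
                    var sVendor = parseConfigs.Vendor;
                    Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
                    break;
                case "sql":
                    Console.WriteLine(@"Loaded sql receiver.");
                    Receive_SQL.DirectToEngine(sDetectorType, detect);
                    break;
                case "email":
                    Console.WriteLine(@"Loaded email receiver.");
                    var sEmailVendor = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
                    var sDetectorsEmail = parseConfigs.EmailFrom;
                    var sDetectorsFolder = parseConfigs.Folder;
                    // Third argument is not supplied by this caller (always null here).
                    Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
                    break;
                default:
                    // A misconfigured detector would otherwise be dropped without a trace — a
                    // monitoring gap nobody would notice.
                    Console.WriteLine(@"Unknown detector type '" + sDetectorType + @"' for detector '" + detect + @"'; skipping.");
                    break;
            }
        }
    }
    catch (Exception e)
    {
        Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
    }

    //Sleep for X # of seconds per iteration specified in Fido configuration
    Application.DoEvents();
    var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);
    // NOTE(review): iSleep is passed to Thread.Sleep as milliseconds but printed as seconds,
    // and the default of 5 prints "0 seconds" — confirm the intended unit of the config value.
    Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
    Thread.Sleep(iSleep);
    timer1.Enabled = true;
}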