private static FidoReturnValues ProtectWiseHash(FidoReturnValues lFidoReturnValues)
{
//if ProtectWise has hashes send to threat feeds
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
if ((lFidoReturnValues.ProtectWise != null) && (lFidoReturnValues.ProtectWise.MD5 != null) && (lFidoReturnValues.ProtectWise.MD5.Any()))
{
if (lFidoReturnValues.ProtectWise.VirusTotal == null)
{
lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Sending ProtectWise hashes to VirusTotal.");
var MD5Hash = new List <string> {
lFidoReturnValues.ProtectWise.MD5
};
lFidoReturnValues.ProtectWise.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(MD5Hash);
}
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
Console.WriteLine(@"Sending ProtectWise hashes to ThreatGRID.");
lFidoReturnValues = SendProtectWiseToThreatGRID(lFidoReturnValues);
}
return(lFidoReturnValues);
}
public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
var isGoingToRun = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
var isTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
if (!isGoingToRun)
{
return;
}
if (isTest)
{
sErrorSubject = "Test: " + sErrorSubject;
}
Logging_Fido.RunLogging(sErrorMessage);
var Rmail = new Emailfields
{
To = sErrorEmail,
CC = "",
From = sFidoEmail,
Subject = sErrorSubject,
Body = sErrorMessage,
EmailAttach = null,
GaugeAttatch = null
};
Email_Send.Send(Rmail);
Console.WriteLine(sErrorMessage);
Thread.Sleep(1000);
}
private static Dictionary <string, string> CarbonBlackBadGuyReplacements(FidoReturnValues lFidoReturnValues, Dictionary <string, string> replacements)
{
try
{
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
replacements = CarbonBlackVTReplacements(lFidoReturnValues, replacements);
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
replacements = CarbonBlackGeoReplacements(lFidoReturnValues, replacements);
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
replacements = CarbonBlackThreatGRIDReplacements(lFidoReturnValues, replacements);
}
return(replacements);
}
catch (Exception e)
{
throw e;
}
}
private static FidoReturnValues FireEyeHash(FidoReturnValues lFidoReturnValues)
{
//if FireEye has hashes send to threat feeds
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any()))
{
if (lFidoReturnValues.FireEye.VirusTotal == null)
{
lFidoReturnValues.FireEye.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Sending FireEye hashes to VirusTotal.");
lFidoReturnValues.FireEye.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.FireEye.MD5Hash);
}
}
//todo: decide if FireEye should go to ThreatGRID
//if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
//{
// Console.WriteLine(@"Sending FireEye hashes to ThreatGRID.");
// lFidoReturnValues = SendFireEyeToThreatGRID(lFidoReturnValues);
//}
return(lFidoReturnValues);
}
private void PrepareFidoReturnValues(FidoReturnValues lFidoReturnValues)
{
lFidoReturnValues = SummaryEmail(lFidoReturnValues);
lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues);
lFidoReturnValues.SummaryEmail = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
lFidoReturnValues.SummaryEmail = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
lFidoReturnValues.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
}
private static FidoReturnValues SendProtectWiseToVirusTotal(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
return(lFidoReturnValues);
}
var sIPToCheck = new List <string>();
if (lFidoReturnValues.ProtectWise.VirusTotal == null)
{
lFidoReturnValues.ProtectWise.VirusTotal = new VirusTotalReturnValues();
}
//send ProtectWise return to VT URL API
if (lFidoReturnValues.ProtectWise.IncidentDetails.Data != null)
{
if (lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation != null)
{
Console.WriteLine(@"Sending ProtectWise URLs to VirusTotal.");
var URL = new List <string> {
lFidoReturnValues.ProtectWise.IncidentDetails.Data.URL_Reputation.Url
};
var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
if (vtURLReturn != null)
{
lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
}
}
else if (lFidoReturnValues.ProtectWise.URL != null)
{
Console.WriteLine(@"Sending ProtectWise destination IP to VirusTotal.");
var URL = new List <string> {
lFidoReturnValues.ProtectWise.URL
};
var vtURLReturn = Feeds_VirusTotal.VirusTotalUrl(URL);
if (vtURLReturn != null)
{
lFidoReturnValues.ProtectWise.VirusTotal.URLReturn = vtURLReturn;
}
}
}
if (lFidoReturnValues.ProtectWise.DstIP != null)
{
sIPToCheck.Add(lFidoReturnValues.ProtectWise.DstIP);
}
sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();
//send ProtectWise return to VT IP API
if (sIPToCheck.Any())
{
Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
lFidoReturnValues.ProtectWise.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
//todo: move the url to the database
lFidoReturnValues.ProtectWise.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.ProtectWise.DstIP + "/information/";
}
return(lFidoReturnValues);
}
private static FidoReturnValues SendCyphortToThreatGRID(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
return(lFidoReturnValues);
}
Int16 iDays = -7;
lFidoReturnValues.Cyphort.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
while (Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) < 50)
{
if (iDays < -364)
{
break;
}
iDays = (Int16)(iDays * 2);
lFidoReturnValues.Cyphort.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
}
Console.WriteLine(@"Successfully found ThreatGRID IP data (" + lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");
if (Convert.ToDouble(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) == 0)
{
return(lFidoReturnValues);
}
//todo: make the below integer values configurable by storing them in the DB
var vTGItemCount = 0;
if (Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) < 25)
{
vTGItemCount = Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount);
}
if (Convert.ToInt16(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.CurrentItemCount) >= 25)
{
vTGItemCount = 25;
}
for (var i = 0; i < vTGItemCount; i++)
{
if (i >= 50)
{
continue;
}
if (lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo == null)
{
lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo = new List <Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
}
lFidoReturnValues.Cyphort.ThreatGRID.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(lFidoReturnValues.Cyphort.ThreatGRID.IPSearch.Data.Items[i].HashID));
}
return(lFidoReturnValues);
}
private Dictionary <string, string> GetSysLogParams()
{
var result = new Dictionary <string, string>();
result.add("server", Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost"));
result.add("port", Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514));
result.add("facility", Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1"));
result.add("sender", Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido"));
result.add("layout", Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)"));
result.add("isParamTest", Object_Fido_Configs.GetAsBool("fido.application.teststartup", true));
result.add("detectors", Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(','));
return(result);
}
public static FidoReturnValues ThreatGRIDIPInfo(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.alienvault", false))
{
return(lFidoReturnValues);
}
if (!String.IsNullOrEmpty(lFidoReturnValues.DstIP))
{
if (lFidoReturnValues.FireEye != null)
{
if (lFidoReturnValues.FireEye.ThreatGRID == null)
{
lFidoReturnValues.FireEye.ThreatGRID = new ThreatGridReturnValues();
}
lFidoReturnValues.FireEye.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
}
if (lFidoReturnValues.Cyphort != null)
{
if (lFidoReturnValues.Cyphort.ThreatGRID == null)
{
lFidoReturnValues.Cyphort.ThreatGRID = new ThreatGridReturnValues();
}
lFidoReturnValues.Cyphort.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
}
if (lFidoReturnValues.ProtectWise != null)
{
if (lFidoReturnValues.ProtectWise.ThreatGRID == null)
{
lFidoReturnValues.ProtectWise.ThreatGRID = new ThreatGridReturnValues();
}
lFidoReturnValues.ProtectWise.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
}
if (lFidoReturnValues.PaloAlto != null)
{
if (lFidoReturnValues.PaloAlto.ThreatGRID == null)
{
lFidoReturnValues.PaloAlto.ThreatGRID = new ThreatGridReturnValues();
}
lFidoReturnValues.PaloAlto.ThreatGRID.IPInfo = Feeds_ThreatGRID.HlInfo(lFidoReturnValues.DstIP);
}
}
return(lFidoReturnValues);
}
public static void SendEmail(string sErrorSubject, string sErrorMessage)
{
var isGoingToRun = Object_Fido_Configs.GetAsBool("fido.email.runerroremail", false);
var sErrorEmail = Object_Fido_Configs.GetAsString("fido.email.erroremail", null);
var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
var isTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
if (!isGoingToRun)
{
return;
}
if (isTest)
{
sErrorSubject = "Test: " + sErrorSubject;
}
Logging_Fido.RunLogging(sErrorMessage);
Email_Send.Send(sErrorEmail, sFidoEmail, sFidoEmail, sErrorSubject, sErrorMessage, null, null);
Console.WriteLine(sErrorMessage);
Thread.Sleep(1000);
}
private static FidoReturnValues SendPaloAltoToAlienVault(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.alienvault", false))
{
return(lFidoReturnValues);
}
//initialize AlienVault area if null
if (lFidoReturnValues.PaloAlto.AlienVault == null)
{
lFidoReturnValues.PaloAlto.AlienVault = new AlienVaultReturnValues();
}
//next send PAN return to AlienVault
if ((lFidoReturnValues.PaloAlto != null) && (lFidoReturnValues.PaloAlto.DstIp != null))
{
Console.WriteLine(@"Getting IP informaiton from AlienVault.");
lFidoReturnValues.PaloAlto.AlienVault = Feeds_AlientVault.AlienVaultIP(lFidoReturnValues.PaloAlto.DstIp);
}
return(lFidoReturnValues);
}
private static FidoReturnValues SendPaloAltoToVirusTotal(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
return(lFidoReturnValues);
}
var sIPToCheck = new List <string> {
lFidoReturnValues.PaloAlto.DstIp
};
//send ProtectWise return to VT IP API
if (lFidoReturnValues.PaloAlto.DstIp.Any())
{
if (lFidoReturnValues.PaloAlto.VirusTotal == null)
{
lFidoReturnValues.PaloAlto.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
try
{
var IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
if (IPReturn != null)
{
lFidoReturnValues.PaloAlto.VirusTotal.IPReturn = IPReturn;
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in retrieving VT IP information:" + e);
}
//todo: move the url to the database
lFidoReturnValues.PaloAlto.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.PaloAlto.DstIp + "/information/";
}
return(lFidoReturnValues);
}
private static FidoReturnValues CyphortHash(FidoReturnValues lFidoReturnValues)
{
//if Cyphort has hashes send to threat feeds
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
if ((lFidoReturnValues.Cyphort != null) && (lFidoReturnValues.Cyphort.MD5Hash != null) && (lFidoReturnValues.Cyphort.MD5Hash.Any()))
{
if (lFidoReturnValues.Cyphort.VirusTotal == null)
{
lFidoReturnValues.Cyphort.VirusTotal = new VirusTotalReturnValues();
}
Console.WriteLine(@"Sending Cyphort hashes to VirusTotal.");
lFidoReturnValues.Cyphort.VirusTotal.MD5HashReturn = Feeds_VirusTotal.VirusTotalHash(lFidoReturnValues.Cyphort.MD5Hash);
}
}
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
Console.WriteLine(@"Sending Cyphort hashes to ThreatGRID.");
lFidoReturnValues = SendCyphortToThreatGRID(lFidoReturnValues);
}
return(lFidoReturnValues);
}
private static FidoReturnValues SendPaloAltoToThreatGRID(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.threatgrid", false))
{
return(lFidoReturnValues);
}
Int16 iDays = -7;
lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
while (Convert.ToInt16(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.CurrentItemCount) < 50)
{
if (iDays < -364)
{
break;
}
iDays = (Int16)(iDays * 2);
lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch = Feeds_ThreatGRID.SearchInfo(lFidoReturnValues.DstIP, false, iDays);
}
Console.WriteLine(@"Successfully found ThreatGRID IP data (" + lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.CurrentItemCount + @" records)... storing in Fido.");
for (var i = 0; i < Convert.ToInt16(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.CurrentItemCount); i++)
{
if (i >= 50)
{
continue;
}
if (lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo == null)
{
lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo = new List <Object_ThreatGRID_Threat_ConfigClass.ThreatGRID_Threat_Info>();
}
lFidoReturnValues.PaloAlto.ThreatGRID.IPThreatInfo.Add(Feeds_ThreatGRID.ThreatInfo(lFidoReturnValues.PaloAlto.ThreatGRID.IPSearch.Data.Items[i].HashID));
}
return(lFidoReturnValues);
}
//The load will grab configurations for what FIDO is monitoring,
//then go to each configured external system to parse any alerts.
//Finally, FIDO is configured to pause per iteration on a
//configurable timed basis.
private void Fido_Load(object sender, EventArgs aug)
{
//Disabled the current time during current iteration.
timer1.Enabled = false;
Hide();
if (!ConfigurationOK())
{
Application.Exit();
}
SetupSyslog();
//Beginning of primary area which starts parsing of alerts.
var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
var sDetectors = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(',');
try
{
Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");
foreach (var detect in sDetectors)
{
var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
//Get the detector, ie, email, log, web service, etc.
var sDetectorType = parseConfigs.DetectorType;
switch (sDetectorType)
{
case "api":
Console.WriteLine(@"Loading webservice receiver.");
Recieve_API.DirectToEngine(sDetectorType, detect);
break;
case "log":
Console.WriteLine(@"Loaded log receiver.");
var sDefaultServer = parseConfigs.Server;
var sDefaultFile = parseConfigs.File;
var sVendor = parseConfigs.Vendor;
Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
break;
case "sql":
Console.WriteLine(@"Loaded sql receiver.");
Receive_SQL.DirectToEngine(sDetectorType, detect);
break;
case "email":
Console.WriteLine(@"Loaded email receiver.");
var sEmailVendor = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
var sDetectorsEmail = parseConfigs.EmailFrom;
var sDetectorsFolder = parseConfigs.Folder;
Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
break;
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
}
//Sleep for X # of seconds per iteration specified in Fido configuration
Application.DoEvents();
var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);
Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
Thread.Sleep(iSleep);
timer1.Enabled = true;
}
public static FidoReturnValues RunMatrix(FidoReturnValues lFidoReturnValues)
{
//Iterate through each detector and the corresponding threat feed looking for values to score
#region ThreatScore
Console.WriteLine(@"Starting threat feed evaluation.");
lFidoReturnValues = Matrix_Scoring.GetDetectorsScore(lFidoReturnValues);
#endregion
var isRunAssett = Object_Fido_Configs.GetAsBool("fido.director.assetscore", false);
if (isRunAssett)
{
#region AssetValue
Console.WriteLine(@"Starting assest evaluation.");
//asset evaluation
var isPaired = Object_Fido_Configs.GetAsBool("fido.posture.asset.paired", false);
lFidoReturnValues = Matrix_Scoring.GetAssetScore(lFidoReturnValues, isPaired);
#endregion
#region MachinePosture
Console.WriteLine(@"Scoring machine posture evaluation.");
//Patch evaluation
lFidoReturnValues = Matrix_Scoring.GetPatchScore(lFidoReturnValues);
//AV evaluation
lFidoReturnValues = Matrix_Scoring.GetAVScore(lFidoReturnValues);
#endregion
#region UserPosture
Console.WriteLine(@"Starting user posture evaluation.");
if (lFidoReturnValues.UserInfo != null)
{
lFidoReturnValues = Matrix_Scoring.GetUserScore(lFidoReturnValues);
}
#endregion
}
#region HistoricalInfo
Console.WriteLine(@"Starting historical artifact evaluation.");
lFidoReturnValues = Matrix_Historical_Helper.HistoricalEvent(lFidoReturnValues);
lFidoReturnValues = Matrix_Scoring.GetHistoricalHashCount(lFidoReturnValues);
lFidoReturnValues = Matrix_Scoring.GetHistoricalURLCount(lFidoReturnValues);
lFidoReturnValues = Matrix_Scoring.GetHistoricalIPCount(lFidoReturnValues);
#endregion
#region PreviousAlerts
Console.WriteLine(@"Checking to see if this machine has previous alerted.");
lFidoReturnValues.PreviousAlerts = Matrix_Historical_Helper.GetPreviousMachineAlerts(lFidoReturnValues, true);
#endregion
//todo: put configuration in DB for whether to include user/machine score in division of their score.
//lFidoReturnValues.TotalScore = lFidoReturnValues.TotalScore / 10;
//lFidoReturnValues.UserScore = lFidoReturnValues.UserScore / 10;
//lFidoReturnValues.MachineScore = lFidoReturnValues.MachineScore / 10;
lFidoReturnValues.ThreatScore = lFidoReturnValues.ThreatScore / 10;
lFidoReturnValues = Matrix_Scoring.SetScoreValues(lFidoReturnValues);
Console.WriteLine(@"Total Score for event = " + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"Threat Score for event = " + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"Machine Score for event = " + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture));
Console.WriteLine(@"User Score for event = " + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture));
return(lFidoReturnValues);
}
private static FidoReturnValues SendCyphortToVirusTotal(FidoReturnValues lFidoReturnValues)
{
if (Object_Fido_Configs.GetAsBool("fido.director.virustotal", false))
{
return(lFidoReturnValues);
}
//convert return from Cyphort to list
var sURLToCheck = new List <string>();
if ((lFidoReturnValues.Cyphort.URL.Any()) && (lFidoReturnValues.Cyphort.URL.Count > 0))
{
for (var i = 0; i < lFidoReturnValues.Cyphort.URL.Count(); i++)
{
if (string.IsNullOrEmpty(lFidoReturnValues.Cyphort.URL[i]))
{
continue;
}
if (lFidoReturnValues.Cyphort.URL[i].Contains(".exe"))
{
continue;
}
//if (!lFidoReturnValues.Cyphort.URL[i].Contains(".com"))
//{
// lFidoReturnValues.Cyphort.URL[i] = lFidoReturnValues.Cyphort.URL[i] + @".com";
//}
sURLToCheck.Add(lFidoReturnValues.Cyphort.URL[i]);
}
}
if ((lFidoReturnValues.Cyphort.Domain != null) && (lFidoReturnValues.Cyphort.Domain.Count > 0))
{
sURLToCheck.AddRange(lFidoReturnValues.Cyphort.Domain);
}
if (lFidoReturnValues.Cyphort.DstIP != null)
{
sURLToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
}
sURLToCheck = sURLToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();
//send Cyphort return to VT URL API
if (sURLToCheck.Any())
{
Console.WriteLine(@"Sending Cyport URLs to VirusTotal.");
lFidoReturnValues.Cyphort.VirusTotal.URLReturn = Feeds_VirusTotal.VirusTotalUrl(sURLToCheck);
}
var sIPToCheck = new List <string>();
if (lFidoReturnValues.Cyphort.DstIP != null)
{
sIPToCheck.Add(lFidoReturnValues.Cyphort.DstIP);
}
sIPToCheck = sIPToCheck.Where(s => !string.IsNullOrEmpty(s)).Distinct().ToList();
//send Cyphort return to VT IP API
if (sIPToCheck.Any())
{
Console.WriteLine(@"Getting detailed IP information from VirusTotal.");
lFidoReturnValues.Cyphort.VirusTotal.IPReturn = Feeds_VirusTotal.VirusTotalIP(sIPToCheck);
//todo: move the url to the database
lFidoReturnValues.Cyphort.VirusTotal.IPUrl = "http://www.virustotal.com/en/ip-address/" + lFidoReturnValues.Cyphort.DstIP + "/information/";
}
return(lFidoReturnValues);
}
//module to compose notifications
public static void Notify(FidoReturnValues lFidoReturnValues)
{
try
{
var sFidoEmail = Object_Fido_Configs.GetAsString("fido.email.fidoemail", null);
var sPrimaryEmail = Object_Fido_Configs.GetAsString("fido.email.primaryemail", null);
var sSecondaryEmail = Object_Fido_Configs.GetAsString("fido.email.secondaryemail", null);
var sNonAlertEmail = Object_Fido_Configs.GetAsString("fido.email.nonalertemail", null);
var lAttachment = new List <string>
{
Application.StartupPath + "\\media\\gauge\\total" + lFidoReturnValues.TotalScore.ToString(CultureInfo.InvariantCulture) + ".png",
Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.UserScore.ToString(CultureInfo.InvariantCulture) + ".png",
Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.MachineScore.ToString(CultureInfo.InvariantCulture) + ".png",
Application.StartupPath + "\\media\\gauge\\red" + lFidoReturnValues.ThreatScore.ToString(CultureInfo.InvariantCulture) + ".png"
};
string sSubject;
if (lFidoReturnValues.IsPreviousAlert)
{
sSubject = @"Previously Alerted! Fido Alert: " + lFidoReturnValues.MalwareType + ". ";
}
else
{
sSubject = @"Fido Alert: " + lFidoReturnValues.MalwareType + ". ";
}
if (lFidoReturnValues.IsHostKnown)
{
sSubject += "Hostname = " + lFidoReturnValues.Hostname;
}
else
{
sSubject += "Hostname = Unknown (" + lFidoReturnValues.SrcIP + ")";
}
lFidoReturnValues = SummaryEmail(lFidoReturnValues);
lFidoReturnValues.Recommendation = ReturnRecommendation(lFidoReturnValues);
lFidoReturnValues.SummaryEmail = ReplacingValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
lFidoReturnValues.SummaryEmail = ReplacingBadGuyValues(lFidoReturnValues.SummaryEmail, lFidoReturnValues);
if (!lFidoReturnValues.IsTargetOS)
{
sSubject = "Fido InfoSec only Alert : Target OS does not match.";
}
else if (!lFidoReturnValues.IsSendAlert)
{
sSubject = "Fido InfoSec only alert. " + lFidoReturnValues.MalwareType + ". Hostname = " + lFidoReturnValues.Hostname + " (" + lFidoReturnValues.SrcIP + ")";
}
lFidoReturnValues.IsTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
if (lFidoReturnValues.IsTest)
{
sSubject = @"TEST: " + sSubject;
}
if (lFidoReturnValues.IsSendAlert)
{
Email_Send.Send(sPrimaryEmail, sSecondaryEmail, sFidoEmail, sSubject, lFidoReturnValues.SummaryEmail, lAttachment, null);
}
else
{
Email_Send.Send(sNonAlertEmail, sNonAlertEmail, sFidoEmail, sSubject, lFidoReturnValues.SummaryEmail, lAttachment, null);
}
}
catch (Exception e)
{
Console.WriteLine(@"Error creating FIDO email. " + e);
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
}
}
public static void Direct(FidoReturnValues lFidoReturnValues)
{
var sSrcIP = lFidoReturnValues.SrcIP;
var sHostname = lFidoReturnValues.Hostname;
try
{
//check detector values versus whitelist and exclude if true
var isFound = new The_Director_Whitelist().CheckFidoWhitelist(lFidoReturnValues.DstIP, lFidoReturnValues.Hash, lFidoReturnValues.DNSName, lFidoReturnValues.Url);
if (isFound)
{
return;
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director processing whitelist:" + e);
}
try
{
//if HostDetection is turned on, then gather information directly from host
if (Object_Fido_Configs.GetAsBool("fido.director.hostdetection", true))
{
lFidoReturnValues = The_Director_HostDetection.HostDetection(lFidoReturnValues, sHostname, sSrcIP);
}
//Write results out to console
if (!string.IsNullOrEmpty(sHostname))
{
Console.WriteLine(@"Detected hostname=" + sHostname + @", gathering detailed inventory.");
}
else
{
Console.WriteLine(@"Unable to detect hostname, gathering detailed inventory for " + sSrcIP + @".");
}
//go to our sysmgmt data sources to get detailed inventory information
if (Object_Fido_Configs.GetAsBool("fido.director.runinventory", false))
{
lFidoReturnValues = The_Director_HostDetection.SQLFidoReturnValues(lFidoReturnValues, sSrcIP, sHostname);
}
//determine if hostname from host discover matches inventory data
if (string.IsNullOrEmpty(lFidoReturnValues.Hostname))
{
Console.WriteLine(@"Hostname still unknown. Proceeding to evaluate threat.");
lFidoReturnValues.IsHostKnown = false;
lFidoReturnValues.Hostname = "unknown";
}
else if (lFidoReturnValues.Hostname.ToLower() == "unknown")
{
//todo: need to write code to take existing data
//hold it for %configurable% minutes and then
//send it out 'unmanaged' if hostinfo continues to come
//back empty
}
else
{
if (Object_Fido_Configs.GetAsBool("fido.director.userdetect", false))
{
lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues);
}
}
if (lFidoReturnValues.Username != null)
{
var runUserDetect = Object_Fido_Configs.GetAsBool("fido.director.userdetect", false);
if (runUserDetect)
{
lFidoReturnValues = The_Director_HostDetection.GetUserInfo(lFidoReturnValues);
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host information:" + e);
}
try
{
//Gather more information about destination IP address
lFidoReturnValues = The_Director_ThreatFeeds_URL.ThreatGRIDIPInfo(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director gathering host IP/GEO information:" + e);
}
try
{
//todo: this area is half-baked... why is bit9 return not being assigned to lFidoReturnValues?
//If detector == AV then check if AV information has a filepath/name
//then parse and send to bit9 to get additional info
if ((lFidoReturnValues.Antivirus != null) && (The_Director_HostDetection.IsBit9Installed()))
{
AntiVirusToBit9(lFidoReturnValues);
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending AV info to Bit9:" + e);
}
try
{
//this area will take detector hashes and reference them against Bit9
//to see if Bit9 has seen the hash, where and if it was executed
if (The_Director_HostDetection.IsBit9Installed())
{
Console.WriteLine(@"Bit9 detected... cross-referencing hashes.");
//if FireEye has hashes send to Bit9
if ((lFidoReturnValues.FireEye != null) && (lFidoReturnValues.FireEye.MD5Hash.Any()))
{
if (lFidoReturnValues.Bit9 == null)
{
lFidoReturnValues.Bit9 = new Bit9ReturnValues();
}
lFidoReturnValues.Bit9.Bit9Hashes = Detect_Bit9.GetFileInfo(lFidoReturnValues.FireEye.MD5Hash, null).ToArray();
//lFidoReturnValues = FireEyeHashToBit9(lFidoReturnValues);
}
//if FireEyeMPS has hashes send to Bit9
//if PaloAlto has hashes send to Bit9
//if Cyphort has hashes send to Bit9
//if Protectwise has hashes send to Bit9
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to Bit9:" + e);
}
try
{
//this area will send hash data to threatfeeds to get additional information
//to be used in scoring for the attack
lFidoReturnValues = The_Director_ThreatFeeds_Hash.DetectorsToThreatFeeds(lFidoReturnValues);
//this area will send URL data to threatfeeds to get additional information
//to be used in scoring for the attack
lFidoReturnValues = The_Director_ThreatFeeds_URL.DetectorsToThreatFeeds(lFidoReturnValues);
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in Director sending network detector info to threat feeds:" + e);
}
//Send accumulated information to the Matrix for scoring
Console.WriteLine(@"Running scoring matrix.");
lFidoReturnValues = Matrix.RunMatrix(lFidoReturnValues);
Console.WriteLine(@"Exiting scoring matrix.");
var actions = new List <string>();
//handoff to enforcement
//
//
//todo: more whack
if (!lFidoReturnValues.IsSendAlert)
{
actions.Add("Created Ticket");
actions.Add("Not Needed");
}
else
{
actions.Add("Created Ticket");
actions.Add("Success");
}
//Thebelow highlighted out as the Service-Now module is too proprietary
//in its current form to be included with OSS. What will happen in a future
//version is a module to handle the different ticketing solutions,
//Service-Now, Zendesk, ServiceDesk, etc., so that tickets can be
//created based on user configuration.
//ServiceNowUpdate.InsertResponse(lFidoReturnValues);
lFidoReturnValues.Actions = actions;
//send information for notifications
Console.WriteLine(@"Sending notification.");
Notification.Notification.Notify(lFidoReturnValues);
//Send configurable information for output to syslog
//SysLogger.SendEventToSyslog(lFidoReturnValues);
//todo: WTF is this? It's whack, thats what...
actions.Add("Update FIDO DB");
actions.Add("Success");
//update FIDO DB with event information
Console.WriteLine(@"Updating FidoDB.");
Fido_UpdateDB.InsertEventToDB(lFidoReturnValues);
}
private static List<UrlReport> ParseUrl(IEnumerable<string> sURL)
{
//The below is a placeholder for when this will be encrypted.
//var sAcek = xfidoconf.getVarSet("securityfeed").getVarSet("virustotal").getString("acek", null);
var sVTKey = Object_Fido_Configs.GetAsString("fido.securityfeed.virustotal.apikey", null);
var vtLogin = new VirusTotal(sVTKey);
var isRateLimited = Object_Fido_Configs.GetAsBool("fido.securityfeed.virustotal.ratelimited", false);
List<UrlReport> sVirusTotalUrl = null;
var sVTURLreturn = new List<UrlReport>();
var newurl = string.Empty;
var url = sURL as IList<string> ?? sURL.ToList();
var fidoDB = new SqLiteDB();
var isPaidFeed = Convert.ToBoolean(fidoDB.ExecuteScalar("Select paid_feed from configs_threatfeed_virustotal"));
try
{
if (sURL != null)
{
for (var i = 0; i < url.Count(); i++)
{
if (!url[i].Contains("http://"))
{
newurl = "http://" + url[i];
}
else
{
newurl = url[i];
}
if (!isPaidFeed) Thread.Sleep(15000);
var sVTURLtemp = new List<UrlReport> { vtLogin.GetUrlReport(newurl) };
if (!isPaidFeed) Thread.Sleep(20000);
var icount = 1;
if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
{
Console.WriteLine(sVTURLtemp[0].VerboseMsg);
Console.WriteLine(newurl);
sVTURLreturn.Add(sVTURLtemp[0]);
continue;
}
while (sVTURLtemp[0].VerboseMsg == "The requested resource is not among the finished, queued or pending scans" && icount <= 3)
{
Console.WriteLine(sVTURLtemp[0].VerboseMsg);
Console.WriteLine(newurl);
sVTURLtemp.RemoveAt(0);
vtLogin.ScanUrl(newurl);
//todo: move sleep integer to db
Thread.Sleep(120000);
icount++;
sVTURLtemp.Add(vtLogin.GetUrlReport(newurl));
if (sVTURLtemp[0].VerboseMsg == "Scan finished, scan information embedded in this object")
{
Console.WriteLine(sVTURLtemp[0].VerboseMsg);
Console.WriteLine(newurl);
sVTURLreturn.Add(sVTURLtemp[0]);
}
}
//if (icount == 1)
//{
// sVTURLreturn.Add(sVTURLtemp[0]);
//}
}
if (sVTURLreturn.Any())
{
sVirusTotalUrl = sVTURLreturn;
return sVirusTotalUrl;
}
}
}
catch (Exception e)
{
if (e.Message == "You have reached the 5 requests pr. min. limit of VirusTotal")
{
if (!isPaidFeed) Thread.Sleep(60000);
sVirusTotalUrl = ParseUrl(url);
return sVirusTotalUrl;
}
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in VT URL area:" + e);
}
return sVirusTotalUrl;
}
//The load will grab configurations for what FIDO is monitoring,
//then go to each configured external system to parse any alerts.
//Finally, FIDO is configured to pause per iteration on a
//configurable timed basis.
private void Fido_Load(object sender, EventArgs aug)
{
//Disabled the current time during current iteration.
timer1.Enabled = false;
Hide();
//Check to see if Fido configurations exists and if not
//fail with prompt that configurations are not found.
Console.Clear();
var sAppStartupPath = Application.StartupPath + @"\data\fido.db";
if (!File.Exists(sAppStartupPath))
{
Console.WriteLine(@"Failed to load FIDO DB.");
Application.Exit();
}
else
{
Console.WriteLine(@"Loaded FIDO DB successfully.");
}
//Load fido configs from database
Object_Fido_Configs.LoadConfigFromDb("config");
//Setup syslog
var server1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.server", "localhost");
var port1 = Object_Fido_Configs.GetAsInt("fido.logger.syslog.port", 514);
var facility1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.facility", "local1");
var sender1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.sender", "Fido");
var layout1 = Object_Fido_Configs.GetAsString("fido.logger.syslog.layout", "$(message)");
//SysLogger.Setup(server1, port1, facility1, sender1, layout1);
//Beginning of primary area which starts parsing of alerts.
var isParamTest = Object_Fido_Configs.GetAsBool("fido.application.teststartup", true);
var sDetectors = Object_Fido_Configs.GetAsString("fido.application.detectors", string.Empty).Split(',');
try
{
Console.WriteLine(isParamTest ? @"Running test configs." : @"Running production configs.");
foreach (var detect in sDetectors)
{
var parseConfigs = Object_Fido_Configs.ParseDetectorConfigs(detect);
//Get the detector, ie, email, log, web service, etc.
var sDetectorType = parseConfigs.DetectorType;
switch (sDetectorType)
{
case "api":
Console.WriteLine(@"Loading webservice receiver.");
Recieve_API.DirectToEngine(sDetectorType, detect);
break;
case "log":
Console.WriteLine(@"Loaded log receiver.");
var sDefaultServer = parseConfigs.Server;
var sDefaultFile = parseConfigs.File;
var sVendor = parseConfigs.Vendor;
Receive_Logging.DirectToEngine(detect, sVendor, sDefaultServer, sDefaultFile, isParamTest);
break;
case "sql":
Console.WriteLine(@"Loaded sql receiver.");
Receive_SQL.DirectToEngine(sDetectorType, detect);
break;
case "email":
Console.WriteLine(@"Loaded email receiver.");
var sEmailVendor = Object_Fido_Configs.GetAsString("fido.email.vendor", "imap");
var sDetectorsEmail = parseConfigs.EmailFrom;
var sDetectorsFolder = parseConfigs.Folder;
Receive_Email.ReadEmail(sEmailVendor, sDetectorsFolder, null, sDetectorsEmail, isParamTest);
break;
}
}
}
catch (Exception e)
{
Fido_EventHandler.SendEmail("Fido Error", "Fido Failed: {0} Exception caught in fidomain area:" + e);
}
//Sleep for X # of seconds per iteration specified in Fido configuration
Application.DoEvents();
var iSleep = Object_Fido_Configs.GetAsInt("fido.application.sleepiteration", 5);
Console.WriteLine(@"Fido processing complete... sleeping for " + (iSleep / 1000).ToString(CultureInfo.InvariantCulture) + @" seconds.");
Thread.Sleep(iSleep);
timer1.Enabled = true;
}