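 /// <summary>
 /// Tallies the VirusTotal URL report: total positive engine hits and how many
 /// individual scan results are labelled "malicious site".
 /// </summary>
 /// <param name="virusTotalReturnValues">Container whose <c>URLReturn</c> list is scored; a null container or list scores as zero.</param>
 /// <returns>A two-element array: [sum of Positives over entries with Positives &gt; 0, count of "malicious site" scan results].</returns>
 private static int[] VirusTotalPosReturnURL(VirusTotalReturnValues virusTotalReturnValues)
 {
   var iPosReturns = 0;
   var iPostTrojReturns = 0;

   // A missing report (lookup never ran or returned nothing) is "nothing detected", not an exception.
   var lVTReport = virusTotalReturnValues == null ? null : virusTotalReturnValues.URLReturn;
   if (lVTReport == null)
   {
     return new[] { iPosReturns, iPostTrojReturns };
   }

   foreach (var vtEntry in lVTReport)
   {
     if (vtEntry == null || vtEntry.Positives <= 0)
     {
       continue;
     }
     iPosReturns += vtEntry.Positives;
     if (vtEntry.Scans == null)
     {
       continue;
     }
     // Result text comes from third-party engines, so normalise it with the invariant
     // culture rather than the thread culture before the substring match.
     iPostTrojReturns += vtEntry.Scans.Count(t => t.Result != null
                                                  && t.Result.ToLowerInvariant().Contains("malicious site"));
   }

   return new[] { iPosReturns, iPostTrojReturns };
 }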
    private static List<double> VirusTotalPosIPReturn(VirusTotalReturnValues virusTotalReturnValues)
    {

      List<Object_VirusTotal_IP.IPReport> lVTReport = virusTotalReturnValues.IPReturn;
      double countDetectedUrls = 0;
      double countDetectedDownloads = 0;
      double countDetectedComms = 0;

      foreach (var vtEntry in lVTReport)
      {
        if (vtEntry.DetectedUrls != null && vtEntry.DetectedUrls.Any())
        {
          for (var i = 0; i < vtEntry.DetectedUrls.Count(); i++)
          {
            if (vtEntry.DetectedUrls[i].Positives != null & vtEntry.DetectedUrls[i].Positives > 0)
            {
              //todo: move the below integer values to database configuration
              if (vtEntry.DetectedUrls[i].Positives >= 20)
              {
                countDetectedUrls = countDetectedUrls + (vtEntry.DetectedUrls[i].Positives * .5);
              }
              else if ((vtEntry.DetectedUrls[i].Positives >= 5) && (vtEntry.DetectedUrls[i].Positives < 20))
              {
                countDetectedUrls = countDetectedUrls + (vtEntry.DetectedUrls[i].Positives * .6);
              }
              else if (vtEntry.DetectedUrls[i].Positives >= 3)
              {
                countDetectedUrls = countDetectedUrls + (vtEntry.DetectedUrls[i].Positives * .75);
              }

            }
          }
        }
        if (vtEntry.DetectedCommunicatingSamples != null && vtEntry.DetectedCommunicatingSamples.Any())
        {
          for (var i = 0; i < vtEntry.DetectedCommunicatingSamples.Count(); i++)
          {
            if (vtEntry.DetectedCommunicatingSamples[i].Positives != null & vtEntry.DetectedCommunicatingSamples[i].Positives >= 3)
            {
              if (vtEntry.DetectedCommunicatingSamples[i].Positives >= 20)
              {
                countDetectedComms = countDetectedComms + (vtEntry.DetectedCommunicatingSamples[i].Positives * .65);
              }
              else if ((vtEntry.DetectedCommunicatingSamples[i].Positives >= 10) && (vtEntry.DetectedCommunicatingSamples[i].Positives < 20))
              {
                countDetectedComms = countDetectedComms + (vtEntry.DetectedCommunicatingSamples[i].Positives * .75);
              }
              else if (vtEntry.DetectedCommunicatingSamples[i].Positives < 10)
              {
                countDetectedComms = countDetectedComms + (vtEntry.DetectedCommunicatingSamples[i].Positives * 1);
              }
            }
          }
        }
        if (vtEntry.DetectedDownloadedSamples != null && vtEntry.DetectedDownloadedSamples.Any())
        {
          for (var i = 0; i < vtEntry.DetectedDownloadedSamples.Count(); i++)
          {
            if (vtEntry.DetectedDownloadedSamples[i].Positives != null & vtEntry.DetectedDownloadedSamples[i].Positives >= 3)
            {
              if (vtEntry.DetectedDownloadedSamples[i].Positives >= 20)
              {
                countDetectedDownloads = countDetectedDownloads + (vtEntry.DetectedDownloadedSamples[i].Positives * .50);
              }
              else if ((vtEntry.DetectedDownloadedSamples[i].Positives < 20) && (vtEntry.DetectedDownloadedSamples[i].Positives >= 10))
              {
                countDetectedDownloads = countDetectedDownloads + (vtEntry.DetectedDownloadedSamples[i].Positives * .65);
              }
              else if (vtEntry.DetectedDownloadedSamples[i].Positives < 10)
              {
                countDetectedDownloads = countDetectedDownloads + (vtEntry.DetectedDownloadedSamples[i].Positives * .75);
              }
            }
          }
        }
      }

      var lReturn = new List<double> { countDetectedComms, countDetectedDownloads, countDetectedUrls };
      return lReturn;

    }
 //todo: is this still necessary? should we handle this in the bit9 module?
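 /// <summary>
 /// Looks up the FireEye MD5 hash in Bit9 and, when Bit9 knows the file,
 /// records the returned file info on the Bit9 return values.
 /// </summary>
 /// <param name="lFidoReturnValues">Aggregate return values; mutated in place when Bit9 has data.</param>
 /// <returns>The same <paramref name="lFidoReturnValues"/> instance, unchanged when there is no FireEye hash or Bit9 has no record of it.</returns>
 private static FidoReturnValues FireEyeHashToBit9(FidoReturnValues lFidoReturnValues)
 {
   //Check FireEye returns and go to Bit9 to see if the hash exists, where and
   //if it was executed. The VirusTotal hand-off is not performed in this method.
   if (lFidoReturnValues == null || lFidoReturnValues.FireEye == null)
   {
     return lFidoReturnValues;
   }

   List<string> sBit9FileInfo = Detect_Bit9.GetFileInfo(lFidoReturnValues.FireEye.MD5Hash, null);
   // Nothing known to Bit9 for this hash: leave any existing Bit9 values untouched.
   if (sBit9FileInfo == null || sBit9FileInfo.Count == 0)
   {
     return lFidoReturnValues;
   }

   var bit9Hashes = sBit9FileInfo.ToArray();
   if (lFidoReturnValues.Bit9 == null)
   {
     lFidoReturnValues.Bit9 = new Bit9ReturnValues { Bit9Hashes = bit9Hashes };
   }
   else
   {
     lFidoReturnValues.Bit9.Bit9Hashes = bit9Hashes;
   }
   return lFidoReturnValues;
 }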