        /// <summary>
        /// Application start-up: sets the shutdown policy, creates the notification and
        /// activity windows and subscribes to the Security event log.
        /// </summary>
        /// <remarks>
        /// Reading the Security event log needs elevated rights. When access is denied the
        /// failure is logged, shown to the user in a message box and the application is shut down.
        /// </remarks>
        public App() : base()
        {
            this.ShutdownMode = ShutdownMode.OnMainWindowClose;

#if DEBUG
            // Debug builds start with a sample connection so the list is not empty.
            this.Connections.Add(AppDataSample.DemoConnection);
#endif

            LogHelper.Info("Init notification window...");
            notifierWindow = new NotificationWindow();
            notifierWindow.WindowState = WindowState.Normal;
            MainWindow = notifierWindow;
            activityWindow = new ActivityWindow(notifierWindow, Settings.Default.ActivityWindow_Shown);

            try
            {
                // Only entries passing IsFirewallEventSimple reach HandleEventLogNotification.
                eventLogListener = new EventLogAsyncReader<LogEntryViewModel>(EventLogAsyncReader.EVENTLOG_SECURITY, LogEntryViewModel.CreateFromEventLogEntry);
                eventLogListener.FilterPredicate = EventLogAsyncReader.IsFirewallEventSimple;
                eventLogListener.EntryWritten += HandleEventLogNotification;
            }
            catch (SecurityException se)
            {
                // Without admin rights the Security log cannot be opened; there is nothing useful left to do.
                LogHelper.Error($"Notifier cannot access security event log: {se.Message}. Notifier needs to be started with admin rights and will exit now", se);
                MessageBox.Show($"Notifier cannot access security event log:\n{se.Message}\nNotifier needs to be started with admin rights.\nNotifier will exit.", "Error", MessageBoxButton.OK, MessageBoxImage.Error);
                Shutdown();
            }
        }
        /// <summary>
        /// Handler for <c>EntryWritten</c> of the Security event log reader: flashes the
        /// allowed/blocked activity indicator and, for blocked connections only, builds a
        /// <see cref="CurrentConn"/> and adds it to the list.
        /// </summary>
        /// <param name="sender">Event source; not used.</param>
        /// <param name="eventArgs">Carries the event log entry that was just written.</param>
        internal void HandleEventLogNotification(object sender, EntryWrittenEventArgs eventArgs)
        {
            var entry = eventArgs.Entry;
            // Allowed vs. blocked is decided from the event instance id alone.
            var isAllowed = EventLogAsyncReader.IsFirewallEventAllowed(entry.InstanceId);

            activityWindow.ShowActivity(isAllowed
                ? ActivityWindow.ActivityEnum.Allowed
                : ActivityWindow.ActivityEnum.Blocked);

            // Allowed connections are only signalled in the activity window, never listed.
            if (isAllowed)
            {
                return;
            }

            // Entries that cannot be parsed into a view model are dropped.
            if (!LogEntryViewModel.TryCreateFromEventLogEntry(entry, 0, out CurrentConn conn))
            {
                return;
            }

            LogHelper.Info($"Handle {conn.Direction}-going connection for '{conn.FileName}', service: {conn.ServiceName} ...");
            if (AddItem(conn))
            {
                return;
            }

            // AddItem returned false: the connection is blocked by a specific rule, so no action is necessary.
            LogHelper.Info($"{conn.Direction}-going connection for '{conn.FileName}' is blocked by a rule - ignored.");

            // A tray-icon hint for the minimized window used to live here and is currently disabled.
        }
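        /// <summary>
        /// Builds a <typeparamref name="T"/> view model from a firewall event log entry.
        /// </summary>
        /// <typeparam name="T">
        /// View model type to create; must derive from <see cref="LogEntryViewModel"/> and have a
        /// parameterless constructor.
        /// </typeparam>
        /// <param name="entry">Event log entry to parse; <c>null</c> yields <c>false</c>.</param>
        /// <param name="index">Value stored in the created item's <c>Index</c> property.</param>
        /// <param name="view">The created view model, or <c>null</c> when the entry could not be parsed.</param>
        /// <returns><c>true</c> when <paramref name="view"/> was created, <c>false</c> otherwise.</returns>
        /// <remarks>
        /// The entry's replacement strings are read by position (0 pid, 1 path, 2 direction,
        /// 3-6 addresses and ports, 7 protocol, 8 filter id). Numbers are parsed
        /// culture-invariantly and prefixes compared ordinally because this is machine-generated
        /// log data, not user text. Any exception while parsing is logged and reported as
        /// <c>false</c> so one malformed entry cannot stop the reader.
        /// </remarks>
        public static bool TryCreateFromEventLogEntry<T>(EventLogEntry entry, int index, out T? view) where T : LogEntryViewModel, new()
        {
            view = null;
            if (entry is null)
            {
                return false;
            }

            try
            {
                var invariant = System.Globalization.CultureInfo.InvariantCulture;
                var pid       = uint.Parse(GetReplacementString(entry, 0), System.Globalization.NumberStyles.Integer, invariant);
                // Replacement string 2 equal to "%%14593" is treated as outbound; anything else as inbound.
                var direction = GetReplacementString(entry, 2) == @"%%14593" ? "Out" : "In";
                var protocol  = int.Parse(GetReplacementString(entry, 7), System.Globalization.NumberStyles.Integer, invariant);

                // The log reports "-" as the path for System traffic; every other value is resolved to a file path.
                var rawPath  = GetReplacementString(entry, 1);
                var path     = rawPath == "-" ? "System" : PathResolver.ResolvePath(rawPath);
                var fileName = System.IO.Path.GetFileName(path);

                // Service name lookup by pid only works while the service is still running.
                var serviceName = ServiceNameResolver.GetServicName(pid);

                var le = new T()
                {
                    Index        = index,
                    Id           = entry.Index,
                    Pid          = pid,
                    CreationTime = entry.TimeGenerated,
                    Path         = path,
                    FileName     = fileName,
                    ServiceName  = serviceName,
                    SourceIP     = GetReplacementString(entry, 3),
                    SourcePort   = GetReplacementString(entry, 4),
                    TargetIP     = GetReplacementString(entry, 5),
                    TargetPort   = GetReplacementString(entry, 6),
                    RawProtocol  = protocol,
                    Protocol     = WFP.Protocol.GetProtocolAsString(protocol),
                    Direction    = direction,
                    FilterId     = GetReplacementString(entry, 8),
                    Reason       = EventLogAsyncReader.GetEventInstanceIdAsString(entry.InstanceId),
                    Message      = entry.Message
                };

                // Ordinal: Reason/Direction are fixed internal strings, not localized text.
                le.ReasonColor    = le.Reason.StartsWith("Block", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Blue;
                le.DirectionColor = le.Direction.StartsWith("In", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Black;

                view = le;
                return true;
            }
            catch (Exception ex)
            {
                // Best effort: a malformed entry is logged with its event id and skipped.
                LogHelper.Error("Cannot parse eventlog entry: eventID=" + entry.InstanceId.ToString(), ex);
            }

            return false;
        }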