/// <summary>
/// Application start-up: adds the DEBUG-only demo connection, creates the notification
/// and activity windows, and attaches a reader to the Security event log.
/// </summary>
/// <remarks>
/// The Security event log can only be opened with elevated rights. If opening it is
/// refused, the error is logged, shown to the user, and the application shuts down.
/// </remarks>
public App() : base()
{
    this.ShutdownMode = ShutdownMode.OnMainWindowClose;
#if DEBUG
    Connections.Add(AppDataSample.DemoConnection);
#endif
    LogHelper.Info("Init notification window...");

    var notifier = new NotificationWindow { WindowState = WindowState.Normal };
    notifierWindow = notifier;
    MainWindow = notifier;
    activityWindow = new ActivityWindow(notifier, Settings.Default.ActivityWindow_Shown);

    try
    {
        var reader = new EventLogAsyncReader<LogEntryViewModel>(
            EventLogAsyncReader.EVENTLOG_SECURITY,
            LogEntryViewModel.CreateFromEventLogEntry);
        eventLogListener = reader;
        // Only firewall-related entries are forwarded to the handler.
        reader.FilterPredicate = EventLogAsyncReader.IsFirewallEventSimple;
        reader.EntryWritten += HandleEventLogNotification;
    }
    catch (SecurityException denied)
    {
        LogHelper.Error($"Notifier cannot access security event log: {denied.Message}. Notifier needs to be started with admin rights and will exit now", denied);
        MessageBox.Show($"Notifier cannot access security event log:\n{denied.Message}\nNotifier needs to be started with admin rights.\nNotifier will exit.", "Error", MessageBoxButton.OK, MessageBoxImage.Error);
        Shutdown();
    }
}
/// <summary>
/// Receives every Security event log entry that passed the reader's filter: flashes the
/// activity window, then turns blocked connections into list items via <c>AddItem</c>.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="eventArgs">Carries the <see cref="EventLogEntry"/> that was written.</param>
internal void HandleEventLogNotification(object sender, EntryWrittenEventArgs eventArgs)
{
    var logEntry = eventArgs.Entry;
    var wasAllowed = EventLogAsyncReader.IsFirewallEventAllowed(logEntry.InstanceId);

    var activity = wasAllowed
        ? ActivityWindow.ActivityEnum.Allowed
        : ActivityWindow.ActivityEnum.Blocked;
    activityWindow.ShowActivity(activity);

    // Allowed traffic is only reflected in the activity indicator, never listed.
    if (wasAllowed)
    {
        return;
    }

    if (!LogEntryViewModel.TryCreateFromEventLogEntry(logEntry, 0, out CurrentConn conn))
    {
        return;
    }

    LogHelper.Info($"Handle {conn.Direction}-going connection for '{conn.FileName}', service: {conn.ServiceName} ...");

    if (AddItem(conn))
    {
        return;
    }

    // AddItem rejected it: a specific rule already blocks this connection, nothing to do.
    LogHelper.Info($"{conn.Direction}-going connection for '{conn.FileName}' is blocked by a rule - ignored.");

    // A tray-icon hint for a minimized notifier window ("Notifier blocked connections - click
    // tray icon to show", max 64 chars) was sketched here but is not implemented.
}
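/// <summary>
/// Builds a <typeparamref name="T"/> from a firewall audit entry of the Security event log
/// by reading the entry's replacement strings.
/// </summary>
/// <typeparam name="T">View-model type to instantiate; derives from <see cref="LogEntryViewModel"/>.</typeparam>
/// <param name="entry">The event log entry; <c>null</c> yields <c>false</c>.</param>
/// <param name="index">Stored in <c>Index</c>; the entry's own position goes to <c>Id</c>.</param>
/// <param name="view">The populated view model, or <c>null</c> when the entry could not be parsed.</param>
/// <returns><c>true</c> when every field was parsed; <c>false</c> otherwise.</returns>
/// <remarks>
/// Replacement-string positions as read here: 0 = pid, 1 = application path, 2 = direction,
/// 3/4 = source IP/port, 5/6 = target IP/port, 7 = protocol, 8 = filter id.
/// Any parsing failure is logged and reported as <c>false</c> rather than thrown, so one
/// malformed entry cannot stop the event log reader.
/// </remarks>
public static bool TryCreateFromEventLogEntry<T>(EventLogEntry entry, int index, out T? view) where T : LogEntryViewModel, new()
{
    view = null;
    if (entry == null)
    {
        return false;
    }

    try
    {
        // Replacement strings are machine-generated numbers; parse them culture-independently
        // so a non-invariant UI culture cannot change the result.
        var invariant = System.Globalization.CultureInfo.InvariantCulture;
        var pid = uint.Parse(GetReplacementString(entry, 0), invariant);
        var protocol = int.Parse(GetReplacementString(entry, 7), invariant);

        // %%14593 is the resource id the audit event uses for outbound traffic.
        var direction = GetReplacementString(entry, 2) == @"%%14593" ? "Out" : "In";

        // "-" marks traffic without an image path ("System"); anything else is a device
        // path that has to be mapped to a drive path.
        var rawPath = GetReplacementString(entry, 1);
        var path = rawPath == "-" ? "System" : PathResolver.ResolvePath(rawPath);
        var fileName = System.IO.Path.GetFileName(path);

        // try to get the servicename from pid (works only if service is running)
        var serviceName = ServiceNameResolver.GetServicName(pid);

        var le = new T()
        {
            Index = index,
            Id = entry.Index,
            Pid = pid,
            CreationTime = entry.TimeGenerated,
            Path = path,
            FileName = fileName,
            ServiceName = serviceName,
            SourceIP = GetReplacementString(entry, 3),
            SourcePort = GetReplacementString(entry, 4),
            TargetIP = GetReplacementString(entry, 5),
            TargetPort = GetReplacementString(entry, 6),
            RawProtocol = protocol,
            Protocol = WFP.Protocol.GetProtocolAsString(protocol),
            Direction = direction,
            FilterId = GetReplacementString(entry, 8),
            Reason = EventLogAsyncReader.GetEventInstanceIdAsString(entry.InstanceId),
            Message = entry.Message
        };

        // Reason/Direction are fixed identifiers, not localized text: compare ordinally.
        le.ReasonColor = le.Reason.StartsWith("Block", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Blue;
        le.DirectionColor = le.Direction.StartsWith("In", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Black;

        view = le;
        return true;
    }
    catch (Exception ex)
    {
        // Deliberately broad: a malformed or missing replacement string (FormatException,
        // OverflowException, NullReferenceException, ...) only invalidates this one entry.
        LogHelper.Error("Cannot parse eventlog entry: eventID=" + entry.InstanceId.ToString(), ex);
    }

    return false;
}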