private bool FindSourceAndUserNameForInfo(IPAddressLogEvent info, XmlDocument doc) { if (string.IsNullOrWhiteSpace(info.IPAddress)) { return(false); } else if (string.IsNullOrWhiteSpace(info.Source)) { XmlNode sourceNode = doc.SelectSingleNode("//Source"); if (sourceNode != null) { info.Source = sourceNode.InnerText.Trim(); } } if (string.IsNullOrWhiteSpace(info.UserName)) { XmlNode userNameNode = doc.SelectSingleNode("//Data[@Name='TargetUserName']"); if (userNameNode is null) { userNameNode = doc.SelectSingleNode("//TargetUserName"); } if (userNameNode != null) { info.UserName = userNameNode.InnerText.Trim(); } } return(true); }
private static void ProcessIPAddressEvent(IPAddressLogEvent newEvent, List <IPAddressLogEvent> pendingEvents, TimeSpan minTimeBetweenEvents, string type) { if (newEvent.Type != IPAddressEventType.FailedLogin && newEvent.Type != IPAddressEventType.SuccessfulLogin) { return; } newEvent.Source ??= "?"; newEvent.UserName ??= string.Empty; lock (pendingEvents) { IPAddressLogEvent existing = pendingEvents.FirstOrDefault(p => p.IPAddress == newEvent.IPAddress && (p.UserName is null || p.UserName == newEvent.UserName)); if (existing is null) { pendingEvents.Add(newEvent); } else { existing.UserName ??= newEvent.UserName; if (existing.FailedLoginThreshold <= 0) { existing.FailedLoginThreshold = newEvent.FailedLoginThreshold; } // if more than n seconds has passed, increment the counter // we don't want to count multiple events that all map to the same ip address that happen rapidly // multiple logs or event viewer entries can trigger quickly, piling up the counter too fast, // locking out even a single failed login for example if (newEvent.Type == IPAddressEventType.SuccessfulLogin) { // for success logins increase time to log between events as some events (SSH) are reported multiple times minTimeBetweenEvents = TimeSpan.FromSeconds(15.0); } if ((UtcNow - existing.Timestamp) >= minTimeBetweenEvents) { // update to the latest timestamp of the event existing.Timestamp = UtcNow; // increment counter existing.Count += newEvent.Count; } else { Logger.Debug("Ignoring event {0} from {1}, min time between events has not elapsed", type, existing.IPAddress); } } } }
private bool ParseRegex(Regex regex, string line, bool notifyOnly) { if (regex != null) { IPAddressLogEvent info = IPBanService.GetIPAddressInfoFromRegex(dns, regex, line); if (info.FoundMatch) { info.Type = (notifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin); info.Source = info.Source ?? Source; IPBanLog.Debug("Log file found match, ip: {0}, user: {1}, source: {2}, count: {3}, type: {4}", info.IPAddress, info.UserName, info.Source, info.Count, info.Type); loginHandler.AddIPAddressLogEvents(new IPAddressLogEvent[] { info }); return(true); } } return(false); }
/// <summary> /// Process event viewer XML /// </summary> /// <param name="xml">XML</param> /// <returns>Log event or null if fail to parse/process</returns> public IPAddressLogEvent ProcessEventViewerXml(string xml) { Logger.Debug("Processing event viewer xml: {0}", xml); XmlDocument doc = ParseXml(xml); IPAddressLogEvent info = ExtractEventViewerXml(doc); if (info != null && info.FoundMatch && (info.Type == IPAddressEventType.FailedLogin || info.Type == IPAddressEventType.SuccessfulLogin)) { if (!FindSourceAndUserNameForInfo(info, doc)) { // bad ip address return(null); } service.AddIPAddressLogEvents(new IPAddressLogEvent[] { info }); Logger.Debug("Event viewer found: {0}, {1}, {2}, {3}", info.IPAddress, info.Source, info.UserName, info.Type); } return(info); }
private IPAddressLogEvent ExtractEventViewerXml(XmlDocument doc) { XmlNode keywordsNode = doc.SelectSingleNode("//Keywords"); string keywordsText = keywordsNode.InnerText; if (keywordsText.StartsWith("0x")) { keywordsText = keywordsText.Substring(2); } ulong keywordsULONG = ulong.Parse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture); IPAddressLogEvent info = null; bool foundNotifyOnly = false; if (keywordsNode != null) { // we must match on keywords foreach (EventViewerExpressionGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG)) { string userName = null; string source = null; foreach (EventViewerExpression expression in group.Expressions) { // find all the nodes, try and get an ip from any of them, all must match XmlNodeList nodes = doc.SelectNodes(expression.XPath); if (nodes.Count == 0) { Logger.Debug("No nodes found for xpath {0}", expression.XPath); info = null; break; } // if there is a regex, it must match if (string.IsNullOrWhiteSpace(expression.Regex)) { // count as a match, do not modify the ip address if it was already set Logger.Debug("No regex, so counting as a match"); } else { info = null; // try and find an ip from any of the nodes foreach (XmlNode node in nodes) { // if we get a match, stop checking nodes info = IPBanService.GetIPAddressInfoFromRegex(service.DnsLookup, expression.RegexObject, node.InnerText); if (info.FoundMatch) { if (group.NotifyOnly) { foundNotifyOnly = true; } else if (foundNotifyOnly) { throw new InvalidDataException("Conflicting expressions in event viewer, both failed and success logins matched keywords " + group.Keywords); } userName = (userName ?? info.UserName); source = (source ?? info.Source); break; } } if (info != null && !info.FoundMatch) { // match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban Logger.Debug("Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath); info = null; foundNotifyOnly = false; break; } } } if (info != null && info.FoundMatch && info.IPAddress != null) { info.UserName = (info.UserName ?? userName); info.Source = info.Source ?? source ?? group.Source; break; } info = null; // set null for next attempt } } if (info != null) { info.Type = (foundNotifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin); } return(info); }