void Service_ClientIpAddressSoftLocked(object sender, EventArgs e)
{
ClientOperationInformation op = (ClientOperationInformation)sender;
IntrusionLog.AddEntry(DateTime.Now, op.AgentId, op.IpAddress, IntrusionLog.STATUS_SOFT_LOCKED, false);
SendInfoMail(sender, LockType.SoftLock);
}
void Service_ClientIpAddressUnlocked(object sender, EventArgs e)
{
ClientOperationInformation op = (ClientOperationInformation)sender;
if (op.HasError)
{
IntrusionLog.AddEntry(DateTime.Now, IntrusionLog.GetSystemId(), op.IpAddress, IntrusionLog.STATUS_UNLOCK_ERROR, false);
}
else
{
IntrusionLog.AddEntry(DateTime.Now, IntrusionLog.GetSystemId(), op.IpAddress, IntrusionLog.STATUS_UNLOCKED, false);
}
SendInfoMail(sender, LockType.None);
}
public void ReadIntervalTest()
{
prepareIntrusionLog();
IDataReader rdr = IntrusionLog.ReadInterval(new TimeSpan(0, 24, 0, 0, 0));
if (rdr.FieldCount != 6)
{
Assert.Fail("Field count changed!");
}
while (rdr.Read())
{
System.Diagnostics.Debug.Print("Log Id {0} ({1}): {2}", rdr["Id"], rdr["IncidentTime"], rdr["ClientIP"]);
}
}
void OnClientIpAddressUnlocked(Lock lockItem, Exception ex)
{
if (ClientIpAddressUnlocked != null)
{
ClientOperationInformation op = new ClientOperationInformation();
op.IpAddress = lockItem.IpAddress;
op.Exception = ex;
op.AgentId = IntrusionLog.GetSystemId();
if (ex != null)
{
op.HasError = true;
op.Message = "Error while unlocking " + lockItem.IpAddress + ":\r\n" + ex.Message;
}
else
{
op.Message = "Client with IP address " + lockItem.IpAddress + " was unlocked";
}
ClientIpAddressUnlocked(op, EventArgs.Empty);
}
}
static void Main(string[] args)
{
string path = System.Reflection.Assembly.GetExecutingAssembly().Location;
path = path.Substring(0, path.LastIndexOf('\\') + 1);
// Console.WriteLine("Directory: {0}", path);
if (args.Length == 0 || args[0].ToLower() == "help")
{
ShowUsage();
return;
}
try {
Database.Instance.Configure(path);
IddsConfig.Instance.ApplicationPath = path;
switch (args[0].ToLower())
{
case "islicensed":
Console.WriteLine(@"Cyberarms IDDS does not require licensing anymore. Please visit https://cyberarms.net for support options!");
break;
case "manualreport":
if (args.Length < 2)
{
Console.WriteLine("Please enter output filename as parameter.");
return;
}
string report = ReportGenerator.Instance.GetReport(String.Format("Manual report, {0:MM/dd/yyyy}", DateTime.Now),
String.Format("Manually created report for system {0}.{1}", System.Net.Dns.GetHostName(), System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName), ""
, DateTime.Now.AddMonths(-1), DateTime.Now);
try {
StreamWriter sw = System.IO.File.CreateText(args[1]);
sw.Write(report);
sw.Close();
} catch (Exception ex) {
Console.WriteLine(ex.Message);
}
break;
case "exportcsv":
if (args.Length < 2)
{
Console.WriteLine("Please enter output filename as parameter.");
return;
}
int lastSquenceNumber = 0;
if (args.Length > 2)
{
if (!int.TryParse(args[2], out lastSquenceNumber))
{
Console.WriteLine("Please enter last sequence number as parameter.");
}
}
try {
StreamWriter swexport = System.IO.File.CreateText(args[1]);
System.Data.IDataReader rdr = IntrusionLog.ReadDifferential(lastSquenceNumber);
swexport.WriteLine("Sequence Number;Date and Time;Security Agent;IP Address;Status");
while (rdr.Read())
{
swexport.WriteLine("{0};{1};{2};{3};{4}", rdr[0].ToString(), rdr[1].ToString(), SecurityAgents.Instance.GetDisplayName(rdr[2].ToString()),
rdr[3].ToString(), IntrusionLog.GetStatusName(int.Parse(rdr[4].ToString())));
}
swexport.Flush();
swexport.Close();
rdr.Close();
} catch (Exception ex) {
Console.WriteLine(ex.Message);
}
break;
default:
ShowUsage();
break;
}
} catch (Exception ex) {
Console.WriteLine(ex);
}
}
void logReader_Tick(object sender, EventArgs e)
{
DateTime metering = DateTime.Now;
if (!IsUpdating && Database.Instance.IsConfigured)
{
IsUpdating = true;
if (CurrentMenu == labelMenuSecurityLog && IntrusionLog.HasUpdates(LastLogId))
{
IDataReader rdr = IntrusionLog.ReadDifferential(LastLogId);
int maxLogId = LastLogId;
while (rdr.Read())
{
int action = int.Parse(rdr["Action"].ToString());
string agentId = Shared.Db.DbValueConverter.ToString(rdr["AgentId"]);
PanelSecurityLog.AddLogEntry(int.Parse(rdr["id"].ToString()), action,
agentId,
IntrusionLog.GetStatusIcon(action),
IntrusionLog.GetStatusClass(action), DateTime.Parse(rdr["IncidentTime"].ToString()), rdr["ClientIP"].ToString(),
GetLogMessage(agentId, action));
if (Convert.ToInt32(rdr["Id"]) > maxLogId)
{
maxLogId = Convert.ToInt32(rdr["Id"]);
}
}
rdr.Close();
rdr.Dispose();
if (maxLogId > LastLogId)
{
LastLogId = maxLogId;
}
}
if (CurrentMenu == labelMenuCurrentLocks && Locks.HasUpdates(LastLockUpdate))
{
LastLockUpdate = DateTime.Now;
PanelCurrentLocks.Clear();
IDataReader locksReader = Locks.ReadLocks();
while (locksReader.Read())
{
DateTime lockDate;
DateTime unlockDate;
DateTime.TryParse(locksReader["LockDate"].ToString(), out lockDate);
DateTime.TryParse(locksReader["UnlockDate"].ToString(), out unlockDate);
PanelCurrentLocks.Add(int.Parse(locksReader["LockId"].ToString()), global::Cyberarms.IntrusionDetection.Admin.Properties.Resources.logIcon_softLock,
LockStatusAdapter.GetLockStatusName(int.Parse(locksReader["Status"].ToString())), locksReader["ClientIp"].ToString(),
locksReader["DisplayName"].ToString(),
lockDate, unlockDate, IntrusionDetection.Shared.Db.DbValueConverter.ToInt(locksReader["Status"]));
}
locksReader.Close();
locksReader.Dispose();
}
if (CurrentMenu == labelMenuHome)
{
Dashboard.SetUnsuccessfulLogins(Locks.ReadUnsuccessfulLoginAttempts(DateTime.Now.AddDays(-30)));
foreach (SecurityAgent agent in SecurityAgents.Instance)
{
agent.UpdateStatistics();
}
}
if (CurrentMenu == labelMenuHome || CurrentMenu == labelMenuCurrentLocks)
{
int softLocks = Locks.ReadCurrentSoftLocks();
int hardLocks = Locks.ReadCurrentHardLocks();
PanelCurrentLocks.SetSoftLocks(softLocks);
PanelCurrentLocks.SetHardLocks(hardLocks);
Dashboard.SetHardLocks(hardLocks);
Dashboard.SetSoftLocks(softLocks);
}
if (!IsInitialized || (CurrentMenu == labelMenuHome || CurrentMenu == labelMenuSecurityLog))
{
// ??
}
}
IsInitialized = true;
IsUpdating = false;
System.Diagnostics.Debug.Print(DateTime.Now.Subtract(metering).TotalMilliseconds.ToString());
}
void Service_AttackDetected(object sender, INotificationEventArgs notificationEventArgs)
{
try
{
if (notificationEventArgs == null)
{
if (IddsConfig.Instance.IsDebug)
{
// the following error should just be thrown when running in debug mode.
throw new ApplicationException("Operation not supported. EventArgs must be passed as NotificationEventArgs");
}
else
{
// otherwise write to the log file
WindowsLogManager.Instance.WriteEntry("Plugin error: the lock delegate was called, but notificationEventArgs must not be null!",
EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
return;
}
}
SecurityAgent reportingAgent = SecurityAgents.Instance.FindByName((sender as IAgentPlugin).Configuration.AgentName);
long incidentId;
if (IddsConfig.IsValidIpAddress(notificationEventArgs.IpAddress))
{
Statistics.Instance.IncreaseFailedLoginStatistics(reportingAgent);
System.Net.IPAddress ipAddress;
if (System.Net.IPAddress.TryParse(notificationEventArgs.IpAddress, out ipAddress) && IddsConfig.Instance.IsIpAddressLocal(ipAddress))
{
incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_LOCAL, false);
}
else if (IddsConfig.Instance.UseSafeNetworkList && IddsConfig.Instance.IsInSafeNetwork(notificationEventArgs.IpAddress))
{
incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_SAFE, false);
}
else
{
incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
IntrusionLog.STATUS_INTRUSION_ATTEMPT, false);
try
{
if (!Locks.LockExists(notificationEventArgs.IpAddress))
{
LockType lockType = reportingAgent.GetCurrentLockType(notificationEventArgs.IpAddress);
switch (lockType)
{
case LockType.SoftLockRequested:
//IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id,
// notificationEventArgs.IpAddress, IntrusionLog.STATUS_SOFT_LOCK_REQUESTED, false);
LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddMinutes(IddsConfig.Instance.GetSoftLockMinutes(reportingAgent)), incidentId, Lock.LOCK_STATUS_SOFTLOCK, 0, notificationEventArgs.IpAddress), LockType.SoftLock, reportingAgent);
break;
case LockType.SoftLock:
// already locked, ignore
break;
case LockType.HardLockRequested:
//IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id,
// notificationEventArgs.IpAddress, IntrusionLog.STATUS_HARD_LOCK_REQUESTED, false);
LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddHours(IddsConfig.Instance.GetHardLockHours(reportingAgent)), incidentId, Lock.LOCK_STATUS_HARDLOCK, 0, notificationEventArgs.IpAddress), LockType.HardLock, reportingAgent);
break;
}
}
}
catch (Exception ex)
{
WindowsLogManager.Instance.WriteEntry(String.Format("Unrecoverable error: {0}",
ex.Message), EventLogEntryType.FailureAudit, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
Globals.CYBERARMS_LOG_CATEGORY_RUNTIME);
// OnClientIpAddressSoftLocked(new Lock( new Client(notificationEventArgs.IpAddress), ex);
}
}
}
else
{
return;
}
}
catch (Exception ex)
{
WindowsLogManager.Instance.WriteEntry(String.Format("AttackDetected delegate invocation of {0} caused a problem. \r\nDetails:\r\n{1}", (sender != null ? sender.GetType().Name : "unknown"), ex.Message),
EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
}
}
