/// <summary>
/// Handles the "client IP address soft locked" event: writes a soft-lock entry to the
/// intrusion log and then sends the information mail for a soft lock.
/// </summary>
/// <param name="sender">
/// The operation details. Must be a <c>ClientOperationInformation</c>; the direct cast
/// throws <see cref="InvalidCastException"/> for any other non-null type.
/// </param>
/// <param name="e">Not used by this handler.</param>
void Service_ClientIpAddressSoftLocked(object sender, EventArgs e)
{
    ClientOperationInformation operation = (ClientOperationInformation)sender;

    // The entry is attributed to the agent carried in the operation details.
    IntrusionLog.AddEntry(
        DateTime.Now,
        operation.AgentId,
        operation.IpAddress,
        IntrusionLog.STATUS_SOFT_LOCKED,
        false);

    // The original sender object is forwarded unchanged to the mail routine.
    SendInfoMail(sender, LockType.SoftLock);
}
/// <summary>
/// Handles the "client IP address unlocked" event: writes either an "unlocked" or an
/// "unlock error" entry to the intrusion log, then sends the information mail with
/// <c>LockType.None</c>.
/// </summary>
/// <param name="sender">
/// The operation details. Must be a <c>ClientOperationInformation</c>; the direct cast
/// throws <see cref="InvalidCastException"/> for any other non-null type.
/// </param>
/// <param name="e">Not used by this handler.</param>
void Service_ClientIpAddressUnlocked(object sender, EventArgs e)
{
    ClientOperationInformation operation = (ClientOperationInformation)sender;

    // Both entries are attributed to the system id rather than to the operation's agent.
    if (!operation.HasError)
    {
        IntrusionLog.AddEntry(
            DateTime.Now,
            IntrusionLog.GetSystemId(),
            operation.IpAddress,
            IntrusionLog.STATUS_UNLOCKED,
            false);
    }
    else
    {
        IntrusionLog.AddEntry(
            DateTime.Now,
            IntrusionLog.GetSystemId(),
            operation.IpAddress,
            IntrusionLog.STATUS_UNLOCK_ERROR,
            false);
    }

    // The mail is sent on both paths, i.e. also when the unlock reported an error.
    SendInfoMail(sender, LockType.None);
}
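/// <summary>
/// Handles an attack notification raised by an agent plugin. The attempt is written to the
/// intrusion log; if the address is neither local nor in the safe network list and has no
/// lock yet, the soft or hard lock currently requested by the reporting agent is created
/// and applied.
/// </summary>
/// <param name="sender">The reporting plugin; expected to implement <c>IAgentPlugin</c>.</param>
/// <param name="notificationEventArgs">
/// Details of the reported attempt (IP address and creation date). Must not be null.
/// </param>
/// <remarks>
/// Exceptions raised in the body are caught and written to the Windows event log, so a
/// failing plugin call does not propagate to the code that raised the event.
/// </remarks>
void Service_AttackDetected(object sender, INotificationEventArgs notificationEventArgs)
{
    try
    {
        if (notificationEventArgs == null)
        {
            if (IddsConfig.Instance.IsDebug)
            {
                // Debug mode reports the misuse as an exception.
                // NOTE(review): the throw sits inside this method's own try block, so the
                // catch at the bottom logs it instead of letting it reach the caller.
                throw new ApplicationException("Operation not supported. EventArgs must be passed as NotificationEventArgs");
            }

            // Outside debug mode the problem is only written to the log file.
            WindowsLogManager.Instance.WriteEntry(
                "Plugin error: the lock delegate was called, but notificationEventArgs must not be null!",
                EventLogEntryType.Error,
                Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL,
                Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
            return;
        }

        // An "as" cast yields null for a null or foreign sender. Check it explicitly so the
        // log names the real cause instead of a bare null-reference message.
        IAgentPlugin reportingPlugin = sender as IAgentPlugin;
        if (reportingPlugin == null)
        {
            WindowsLogManager.Instance.WriteEntry(
                String.Format(
                    "Plugin error: AttackDetected was raised by {0}, which is not an IAgentPlugin; the report was ignored.",
                    (sender != null ? sender.GetType().Name : "unknown")),
                EventLogEntryType.Error,
                Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
                Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
            return;
        }

        SecurityAgent reportingAgent = SecurityAgents.Instance.FindByName(reportingPlugin.Configuration.AgentName);

        // Read the address once so the value that was validated is the value that gets
        // logged and locked.
        string sourceIp = notificationEventArgs.IpAddress;
        if (!IddsConfig.IsValidIpAddress(sourceIp))
        {
            return;
        }

        // Without a known agent there is no agent id for the intrusion log and no lock
        // policy to apply; state that explicitly rather than failing on a null dereference.
        if (reportingAgent == null)
        {
            WindowsLogManager.Instance.WriteEntry(
                String.Format(
                    "Plugin error: no security agent is registered under the name '{0}'; the attack report for {1} was not processed.",
                    reportingPlugin.Configuration.AgentName,
                    sourceIp),
                EventLogEntryType.Error,
                Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
                Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
            return;
        }

        Statistics.Instance.IncreaseFailedLoginStatistics(reportingAgent);

        System.Net.IPAddress parsedIp;
        if (System.Net.IPAddress.TryParse(sourceIp, out parsedIp) && IddsConfig.Instance.IsIpAddressLocal(parsedIp))
        {
            // Attempts from a local address are recorded but never locked.
            IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, sourceIp, IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_LOCAL, false);
            return;
        }

        if (IddsConfig.Instance.UseSafeNetworkList && IddsConfig.Instance.IsInSafeNetwork(sourceIp))
        {
            // Attempts from the safe network list are recorded but never locked.
            IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, sourceIp, IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_SAFE, false);
            return;
        }

        long incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, sourceIp, IntrusionLog.STATUS_INTRUSION_ATTEMPT, false);

        try
        {
            if (Locks.LockExists(sourceIp))
            {
                return;
            }

            LockType lockType = reportingAgent.GetCurrentLockType(sourceIp);

            // One timestamp for both ends of the lock, so its duration is exactly the
            // configured number of minutes or hours.
            DateTime lockStart = DateTime.Now;

            // The separate "lock requested" intrusion-log entries are disabled; only the
            // lock itself is created and applied.
            switch (lockType)
            {
                case LockType.SoftLockRequested:
                    LockDownIp(
                        Locks.CreateLock(
                            lockStart,
                            lockStart.AddMinutes(IddsConfig.Instance.GetSoftLockMinutes(reportingAgent)),
                            incidentId,
                            Lock.LOCK_STATUS_SOFTLOCK,
                            0,
                            sourceIp),
                        LockType.SoftLock,
                        reportingAgent);
                    break;

                case LockType.SoftLock:
                    // already locked, ignore
                    break;

                case LockType.HardLockRequested:
                    LockDownIp(
                        Locks.CreateLock(
                            lockStart,
                            lockStart.AddHours(IddsConfig.Instance.GetHardLockHours(reportingAgent)),
                            incidentId,
                            Lock.LOCK_STATUS_HARDLOCK,
                            0,
                            sourceIp),
                        LockType.HardLock,
                        reportingAgent);
                    break;
            }
        }
        catch (Exception ex)
        {
            // The attempt is already in the intrusion log at this point, but the address
            // may be left without a lock.
            // NOTE(review): only ex.Message is logged; consider adding the affected IP
            // address and the exception type so a responder can tell which lock failed.
            WindowsLogManager.Instance.WriteEntry(
                String.Format("Unrecoverable error: {0}", ex.Message),
                EventLogEntryType.FailureAudit,
                Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
                Globals.CYBERARMS_LOG_CATEGORY_RUNTIME);
        }
    }
    catch (Exception ex)
    {
        WindowsLogManager.Instance.WriteEntry(
            String.Format(
                "AttackDetected delegate invocation of {0} caused a problem. \r\nDetails:\r\n{1}",
                (sender != null ? sender.GetType().Name : "unknown"),
                ex.Message),
            EventLogEntryType.Error,
            Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
            Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
    }
}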