Example #1
0
        private void Run()
        {
            try
            {
                //Init Worker Thread
                LoadConfiguration();

                //prepare datastructures
                Dictionary <string, List <LogTask> > requiredEventTypesToLogTasks = new Dictionary <string, List <LogTask> >();
                foreach (LogTask l in _logTasks)
                {
                    foreach (string s in l.EventPath)
                    {
                        if (!requiredEventTypesToLogTasks.ContainsKey(s))
                        {
                            requiredEventTypesToLogTasks[s] = new List <LogTask>();
                        }

                        requiredEventTypesToLogTasks[s].Add(l);
                    }
                }

                var eventTypesToLastEvent        = new Dictionary <string, DateTime>();
                var eventTypesToMaxAge           = new Dictionary <string, int>();
                var eventTypesToNewEvents        = new Dictionary <string, List <EventRecord> >();
                var eventTypesToTimeFramedEvents = new Dictionary <string, List <EventRecord> >();

                //load structure so that only required events are read
                foreach (string requiredEventType in requiredEventTypesToLogTasks.Keys)
                {
                    eventTypesToLastEvent.Add(requiredEventType, DateTime.Now);
                    eventTypesToMaxAge.Add(requiredEventType, 0);
                    foreach (LogTask t in requiredEventTypesToLogTasks[requiredEventType])
                    {
                        if (!t.OnlyNew && eventTypesToMaxAge[requiredEventType] < t.EventAge)
                        {
                            eventTypesToMaxAge[requiredEventType] = t.EventAge;
                        }
                    }
                }


                //start monitoring the logs
                while (true)
                {
                    DateTime scanStart = DateTime.Now;

                    if (_verbose)
                    {
                        Dump("Scanning the logs now, scanned logs are:", EventLogEntryType.Information, true);
                    }

                    DateTime referenceTimeForTimeFramedEvents = DateTime.Now;
                    try
                    {
                        eventTypesToNewEvents.Clear();
                        eventTypesToTimeFramedEvents.Clear();

                        //first read all relevant events (events that are required by any of the tasks)
                        foreach (string requiredEventType in requiredEventTypesToLogTasks.Keys)
                        {
                            eventTypesToNewEvents.Add(requiredEventType, new List <EventRecord>());
                            eventTypesToTimeFramedEvents.Add(requiredEventType, new List <EventRecord>());

                            var eventLogQuery = new EventLogQuery(requiredEventType, PathType.LogName)
                            {
                                ReverseDirection = true
                            };

                            try
                            {
                                var         eventLogReader = new EventLogReader(eventLogQuery);
                                EventRecord r;

                                while ((r = eventLogReader.ReadEvent()) != null)
                                {
                                    if (!r.TimeCreated.HasValue)
                                    {
                                        continue;
                                    }

                                    bool canbreak = false;

                                    //fill new event list
                                    if (r.TimeCreated > eventTypesToLastEvent[requiredEventType])
                                    {
                                        eventTypesToNewEvents[requiredEventType].Add(r);
                                        eventTypesToLastEvent[requiredEventType] = r.TimeCreated.Value;
                                    }
                                    else
                                    {
                                        canbreak = true;
                                    }

                                    //fill time framed event list
                                    if (r.TimeCreated > referenceTimeForTimeFramedEvents.Subtract(new TimeSpan(0, 0, eventTypesToMaxAge[requiredEventType])))
                                    {
                                        eventTypesToTimeFramedEvents[requiredEventType].Add(r);
                                    }
                                    else if (canbreak)
                                    {
                                        break;
                                    }
                                }
                            }
                            catch (EventLogNotFoundException)
                            {
                                Dump($"Event Log {requiredEventType} was not found, tasks that require these events will not work", EventLogEntryType.Warning);
                            }
                        }

                        if (_verbose)
                        {
                            Dump($"Scanning finished in {DateTime.Now.Subtract(scanStart).TotalMilliseconds}[ms] ", EventLogEntryType.Information, true);
                        }

                        //then supply the events to the requesting tasks
                        foreach (string key in requiredEventTypesToLogTasks.Keys)
                        {
                            foreach (LogTask t in requiredEventTypesToLogTasks[key])
                            {
                                if (t.OnlyNew)
                                {
                                    t.ProvideEvents(eventTypesToNewEvents[key]);
                                }
                                else
                                {
                                    var eventsForThisTask = new List <EventRecord>();
                                    foreach (EventRecord e in eventTypesToTimeFramedEvents[key])
                                    {
                                        if (e.TimeCreated > referenceTimeForTimeFramedEvents.Subtract(new TimeSpan(0, 0, t.EventAge)))
                                        {
                                            eventsForThisTask.Add(e);
                                        }
                                    }

                                    if (_verbose)
                                    {
                                        Dump($"Provided {eventsForThisTask.Count} events for {t.Name}", EventLogEntryType.Information, true);
                                    }
                                    if (eventsForThisTask.Count > 0)
                                    {
                                        DateTime start = DateTime.Now;

                                        t.ProvideEvents(eventsForThisTask);

                                        if (DateTime.Now.Subtract(start).TotalMilliseconds > 500)
                                        {
                                            Dump($"Warning: Task {t.Name} takes a lot of resources. This can make your server vulnerable to DOS attacks. Try better boosters.", EventLogEntryType.Warning);
                                        }
                                    }
                                }
                            }
                        }

                        List <IPAddress> blackList = new List <IPAddress>();

                        //let the tasks poll which ips they want to have blocked / or permanently banned
                        foreach (LogTask t in _logTasks)
                        {
                            if (t is IPBlockingLogTask ipTask)
                            {
                                foreach (IPAddress perma in ipTask.GetPermaBanVictims())
                                {
                                    SetPermanentBan(perma);
                                }

                                List <IPAddress> blockedIPs = ipTask.GetTempBanVictims();

                                if (_verbose)
                                {
                                    Dump($"Polled {t.Name} and got {blockedIPs.Count} temporary and {_permaBannedIPs.Count} permanent ban(s)", EventLogEntryType.Information, true);
                                }

                                foreach (IPAddress blockedIP in blockedIPs)
                                {
                                    if (!blackList.Contains(blockedIP))
                                    {
                                        blackList.Add(blockedIP);
                                    }
                                }
                            }
                        }

                        if (_verbose)
                        {
                            Dump($"\r\n-----Cycle complete, sleeping {_eventLogInterval / 1000} s......\r\n", EventLogEntryType.Information);
                        }

                        _lastPolledTempBans = blackList;
                        PushBanList();
                    }
                    catch (Exception executionException)
                    {
                        Dump(executionException, EventLogEntryType.Error);
                    }

                    //wait for next iteration or kill signal
                    try
                    {
                        Thread.Sleep(_eventLogInterval);
                    }
                    catch (ThreadInterruptedException)
                    {
                    }

                    //check if need to terminate
                    bool terminate;
                    lock (_syncObject)
                    {
                        terminate = _stop;
                    }
                    if (terminate)
                    {
                        try
                        {
                            FirewallAPI.ClearIPBanList();
                        }
                        catch (Exception ex)
                        {
                            Dump(ex, EventLogEntryType.Warning);
                        }
                        return;
                    }
                }
            }
            catch (Exception e)
            {
                Dump(e, EventLogEntryType.Error);
                Stop();
            }
        }
Example #2
0
        /// <summary>
        /// Pushes the current ban list down into the system API
        /// </summary>
        private void PushBanList()
        {
            lock (_syncObject)
            {
                List <IPAddress> banList = new List <IPAddress>();
                if (_lastPolledTempBans != null)
                {
                    foreach (IPAddress a in _lastPolledTempBans)
                    {
                        if (!banList.Contains(a))
                        {
                            banList.Add(a);
                        }
                    }
                }
                if (_permaBannedIPs != null)
                {
                    foreach (IPAddress p in _permaBannedIPs)
                    {
                        if (!banList.Contains(p))
                        {
                            banList.Add(p);
                        }
                    }
                }

                List <IPAddress> unbanned = new List <IPAddress>();
                foreach (IPAddress i in banList)
                {
                    foreach (string pattern in _whiteListPatterns)
                    {
                        if (IsPatternMatch(i, pattern) && !unbanned.Contains(i))
                        {
                            unbanned.Add(i);
                        }
                    }
                }

                foreach (IPAddress u in unbanned)
                {
                    banList.Remove(u);
                }

                FirewallAPI.AdjustIPBanList(banList);

                foreach (IPAddress ip in _lastBannedIPs)
                {
                    if (!banList.Contains(ip))
                    {
                        Dump($"Removed {ip} from the ban list", EventLogEntryType.Information);
                    }
                }

                foreach (IPAddress ip in banList)
                {
                    if (!_lastBannedIPs.Contains(ip))
                    {
                        Dump($"Banned {ip}", EventLogEntryType.Information);
                    }
                }

                _lastBannedIPs = banList;
            }
        }