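/// <summary>
/// Points <c>SWELF_EvtLog_OBJ</c> at the SWELF event log, registering the
/// event source first when it is not yet present and sizing the log once its
/// registry key is visible.
/// </summary>
/// <remarks>
/// Two different names are in play: the source is registered under
/// <c>SWELF_PROC_Name.ProcessName</c>, while the existence check and the
/// <c>Source</c> assignment use <c>SWELF_EventLog_Name</c>.  Whether those two
/// strings are meant to be equal is not visible in this file — TODO(review):
/// confirm, because <see cref="EventLog.SourceExists(string)"/> tests the
/// source name, not the log name.
/// Fix: the recovery path used to call <c>CreateEventSource</c> unconditionally,
/// which throws <see cref="ArgumentException"/> when the source had already been
/// created inside the try (for example when <c>SET_Event_Log_MaxSize</c> failed
/// after registration) and so escaped this handler.  Registration is now
/// guarded, and a second failure is logged rather than allowed to mask the first.
/// Registering a source and resizing a log both need administrative rights.
/// </remarks>
private static void SET_WindowsEventLog_Location()
{
    try
    {
        if (!EventLog.SourceExists(SWELF_EventLog_Name))
        {
            EventLog.CreateEventSource(SWELF_PROC_Name.ProcessName, SWELF_EventLog_Name);
            SWELF_EvtLog_OBJ.Source = SWELF_EventLog_Name;

            // The log's registry key only exists after the source is registered.
            if (Reg_Operation.CHECK_Eventlog_SWELF_Reg_Key_Exists(Reg_Operation.EventLog_Base_Key + "\\" + SWELF_EventLog_Name))
            {
                Reg_Operation.SET_Event_Log_MaxSize(SWELF_EventLog_Name);
            }
        }
        else
        {
            SWELF_EvtLog_OBJ.Source = SWELF_EventLog_Name;
        }
    }
    catch (Exception e)
    {
        // Best-effort recovery: make sure a source exists, then report the
        // original failure and still leave the log object usable.
        try
        {
            if (!EventLog.SourceExists(SWELF_PROC_Name.ProcessName))
            {
                EventLog.CreateEventSource(SWELF_PROC_Name.ProcessName, SWELF_EventLog_Name);
            }
        }
        catch (Exception registrationError)
        {
            Error_Operation.Log_Error("SET_WindowsEventLog_Loc() ", registrationError.Message, registrationError.StackTrace, Error_Operation.LogSeverity.Critical);
        }
        Error_Operation.Log_Error("SET_WindowsEventLog_Loc() ", e.Message, e.StackTrace, Error_Operation.LogSeverity.Critical);
        SWELF_EvtLog_OBJ.Source = SWELF_EventLog_Name;
    }
}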
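/// <summary>
/// Sends one encoded log payload through an already-connected
/// <see cref="UdpClient"/> and, on success, records the send time in the
/// <c>Logs_Last_Sent</c> registry value.
/// </summary>
/// <param name="Log_File_Data">Text to send; encoded by <c>GET_Encoding_to_Return</c>.</param>
/// <param name="client">Connected UDP client; the caller owns and closes it.</param>
/// <returns><c>true</c> when the datagram was handed to the socket, <c>false</c> on any failure.</returns>
/// <remarks>
/// Fixes: the previous version looped over <c>Settings.Log_Forwarders_HostNames</c>
/// without using the index, so the same datagram went to this one client once
/// per configured collector (the caller already creates one client per
/// collector); and it set <c>Logs_Sent_to_ALL_Collectors</c> back to <c>true</c>
/// after a failed send.  A single send is now made, and this helper only ever
/// clears that flag — the caller, which sees every collector, is the one that
/// can set it.
/// UDP offers no delivery guarantee and no sender authentication, so a dropped
/// or injected record cannot be detected at the collector from this path.
/// </remarks>
private static bool SEND_Data_from_File_UDP(string Log_File_Data, UdpClient client)
{
    bool Data_Sent = true;
    try
    {
        try
        {
            byte[] sendBytes = GET_Encoding_to_Return(Log_File_Data);
            client.Send(sendBytes, sendBytes.Length);
        }
        catch (Exception e)
        {
            Data_Sent = false;
            Settings.Logs_Sent_to_ALL_Collectors = false;
            Error_Operation.Log_Error("SEND_Data_from_File_UDP(Log_File_Data)", "SWELF NETWORK ERROR: " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Informataion);
        }

        if (Data_Sent)
        {
            Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString());
        }
    }
    catch (Exception e)
    {
        // Registry write failed; the datagram itself may already be out.
        Data_Sent = false;
        Settings.Logs_Sent_to_ALL_Collectors = false;
        Error_Operation.Log_Error("SEND_Data_from_File(string Log_File_Data)", e.Message, e.StackTrace, Error_Operation.LogSeverity.Warning);
    }
    return Data_Sent;
}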
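/// <summary>
/// Resolves the logging level to report: seeds the <c>logging_level</c>
/// registry value from the app config when it is missing, otherwise adopts the
/// registry value, then maps the level name to its index in <c>Severity_Levels</c>.
/// </summary>
/// <remarks>
/// Fix: the recovery branch that re-reads the level name from the registry left
/// the numeric <c>Logging_Level_To_Report</c> untouched; it now re-maps the name.
/// <see cref="Array.FindIndex"/> yields -1 for an unknown level name; what
/// downstream code does with -1 is not visible here — TODO(review): confirm
/// whether an unknown name should fall back to "warning" (3) like the
/// no-registry recovery path does.
/// </remarks>
internal static void ErrorLogging_Level()
{
    try
    {
        if (!Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
        {
            // First run: persist the level configured in the app config file.
            Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
        }
        else
        {
            Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
        }
        Logging_Level_To_Report = Array.FindIndex(Severity_Levels, row => row == Settings.Logging_Level_To_Report);
    }
    catch (Exception)
    {
        if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
        {
            Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
            Logging_Level_To_Report = Array.FindIndex(Severity_Levels, row => row == Settings.Logging_Level_To_Report);
        }
        else
        {
            // Nothing usable anywhere: fall back to "warning" and persist it.
            Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, "warning");
            Settings.Logging_Level_To_Report = "warning";
            Logging_Level_To_Report = 3;
        }
    }
}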
/// <summary>
/// Keeps the <c>SWELF_Current_Version</c> registry value in step with the
/// running binary's file version (<c>fvi.FileVersion</c>).
/// </summary>
private static void CHECK_SWELF_Version()
{
    string storedVersion = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SWELF_Current_Version);
    bool versionChanged = !string.Equals(storedVersion, fvi.FileVersion, StringComparison.Ordinal);
    if (versionChanged)
    {
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SWELF_Current_Version, fvi.FileVersion);
    }
    //TODO ADD Updaqte feature here
}
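/// <summary>
/// Repairs a SWELF config file whose on-disk contents can no longer be
/// verified against the copy held in the registry: the mismatch is written to
/// the event log as a failure audit and the file is rebuilt — from the registry
/// copy where one exists, otherwise from the built-in default.
/// </summary>
/// <param name="Settings_FilePath">Full path of the file that failed verification; must be one of the known SWELF config paths.</param>
/// <remarks>
/// Fixes relative to the previous version, each grounded in
/// <c>WRITE_Default_Configs_Files_and_Reg</c>, which defines the
/// file-name/default-contents pairing:
/// the app-config branch rebuilt from the registry only when the registry key
/// did NOT exist (reading a key it had just found missing) and from the default
/// when it did — the two bodies are now the right way round;
/// the event-id placekeeper branch recreated the app config instead of the
/// placekeeper file; the search-terms branch seeded Searchs.txt with the
/// placekeeper default.
/// Only the app-config and search-terms branches compare file and registry
/// first; the remaining branches rebuild unconditionally, as before, because
/// the caller (<c>Crypto_Operation.UnSecure_File</c>) reaches here only after a
/// decrypt failure.  Rebuilding is the defensive choice: a file that cannot be
/// verified is treated as tampered rather than trusted.
/// </remarks>
internal static void CHECK_Reg_vs_File_Config(string Settings_FilePath)
{
    if (Settings.GET_AppConfigFile_Path == Settings_FilePath)//Appconfig
    {
        if (!CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
        {
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The app config file(ConsoleAppConfig.conf) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
            if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
            {
                // The registry copy is authoritative: restore the file from it, then
                // store the decrypted file text back so both sides agree exactly.
                RECREATE_Config_File(Settings.GET_AppConfigFile_Path, Settings.Config_File_Location, Settings.AppConfigFile_FileName, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Crypto_Operation.Decrypt_File_Contents(Settings.GET_AppConfigFile_Path));
            }
            else
            {
                RECREATE_Config_File(Settings.GET_AppConfigFile_Path, Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
            }
        }
    }
    else if (Settings.GET_EventLogID_PlaceHolder_Path == Settings_FilePath)//EventLog ID
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The file that tracks the event id of an eventlog config file (Eventlog_with_PlaceKeeper.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        RECREATE_Config_File(Settings.GET_EventLogID_PlaceHolder_Path, Settings.Config_File_Location, Settings.EventLogID_PlaceHolde_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents);
    }
    else if (Settings.GET_SearchTermsFile_Path == Settings_FilePath)//Search SearchFile
    {
        if (!CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.SearchTerms_File_Contents))
        {
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Search term file (Searchs.txt) config file did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
            RECREATE_Config_File(Settings.GET_SearchTermsFile_Path, Settings.Search_File_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Logs_Search_File_Contents);
        }
    }
    else if (Settings.GET_WhiteList_SearchTermsFile_Path == Settings_FilePath)//Search WHitelist
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The white list search terms file (WhiteList_Searchs.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        RECREATE_Config_File(Settings.GET_WhiteList_SearchTermsFile_Path, Settings.Search_File_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
    }
    else if (Settings.GET_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLUGIN Search
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (Search.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        RECREATE_Config_File(Settings.GET_SearchTermsFile_PLUGIN_Path, Settings.Plugin_Files_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents);
    }
    else if (Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLugin WHitelist
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (WhiteList_Searchs.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        RECREATE_Config_File(Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path, Settings.Plugin_Files_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
    }
    else
    {
        // Not one of the known config paths: record it as a failed security check.
        LOG_SEC_CHECK_Fail("CHECK_Reg_vs_File_Config() File Path:" + Settings_FilePath + " did not match encrypted config file path");
    }
}

/// <summary>
/// Deletes <paramref name="filePath"/> and recreates the file as
/// <paramref name="fileName"/> under <paramref name="location"/> with
/// <paramref name="contents"/>.
/// </summary>
private static void RECREATE_Config_File(string filePath, string location, string fileName, string contents)
{
    File_Operation.DELETE_AND_CREATE_File(filePath);
    File_Operation.CREATE_NEW_Files_And_Dirs(location, fileName, contents);
}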
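/// <summary>
/// Persists every event-log read position in <c>EventLog_w_PlaceKeeper</c> to
/// its SWELF registry value, but only once the current batch has reached every
/// collector — otherwise the positions stay where they were so the unsent
/// records are picked up again.
/// </summary>
/// <remarks>
/// Fix: the previous version indexed the dictionary with <c>ElementAt(x)</c>
/// inside a counted loop, which walks the enumerator from the start on every
/// iteration (quadratic); a plain enumeration visits the same pairs in the same order.
/// </remarks>
internal static void UPDATE_EventLog_w_PlaceKeeper_RegKeys()
{
    if (!Logs_Sent_to_ALL_Collectors)
    {
        return;
    }
    foreach (var placeKeeper in EventLog_w_PlaceKeeper)
    {
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(placeKeeper.Key, placeKeeper.Value.ToString());
    }
}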
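/// <summary>
/// Writes the current read position of each tracked event log (keyed by its
/// lower-cased name in <c>Settings.EventLog_w_PlaceKeeper</c>) to the
/// corresponding non-SWELF registry value.
/// </summary>
/// <remarks>
/// Logs listed in <c>EventLog_w_PlaceKeeper_List</c> that have no entry in the
/// dictionary are skipped.  The previous version lower-cased each name three
/// times per iteration; it is now done once.  <c>ToLower()</c> is
/// culture-sensitive, kept as-is because the dictionary keys were built the same way.
/// </remarks>
private static void Update_Eventlog_Placekeeper_Reg()
{
    foreach (string eventLogName in Settings.EventLog_w_PlaceKeeper_List)//what reg key is eventlog
    {
        string placeKeeperKey = eventLogName.ToLower();
        if (Settings.EventLog_w_PlaceKeeper.ContainsKey(placeKeeperKey))
        {
            Reg_Operation.ADD_or_CHANGE_Non_SWELF_Reg_Key(placeKeeperKey, Settings.EventLog_w_PlaceKeeper[placeKeeperKey]);
        }
    }
}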
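/// <summary>
/// Forwards every queued event-log record to each configured collector, over
/// TCP when the app config's transport argument is "tcp" and over UDP
/// otherwise, then records the send time in the registry.
/// </summary>
/// <param name="Event_logs">Records to forward; each one is encoded by <c>GET_Encoding_to_Return</c> and sent on its own connection/datagram.</param>
/// <remarks>
/// Nothing is sent when any collector entry is "127.0.0.1" or blank (the list
/// is treated all-or-nothing, as before).
/// Fixes: <c>TcpClient</c>/<c>NetworkStream</c>/<c>UdpClient</c> were only
/// closed on the success path and leaked on any exception — they are now
/// disposed by <c>using</c>; <c>Logs_Sent_to_ALL_Collectors</c> was set back to
/// <c>true</c> after the loop even when a collector had failed — it is now set
/// (and the timestamp written) only when every collector succeeded; and
/// <c>ElementAt(y)</c> on a <see cref="Queue{T}"/> walks from the head each
/// time, so the queue is now enumerated directly.
/// Transport is plain TCP/UDP with no TLS and no collector authentication, so
/// records are readable and forgeable by anyone on the path; per-collector
/// failures are logged at Informataion/Verbose severity and do not stop the
/// remaining collectors.
/// </remarks>
internal static void SEND_Logs(Queue<EventLog_Entry> Event_logs)
{
    if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase))
        || Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)))
    {
        return;
    }

    bool sentToAllCollectors = true;
    if (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]] == "tcp")//If user wants send logs tcp
    {
        for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
        {
            try
            {
                string host = Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x));
                int port = Settings.Log_Forwarders_Port.ElementAt(x);
                foreach (EventLog_Entry entry in Event_logs)
                {
                    SEND_Record_TCP(host, port, GET_Encoding_to_Return(entry));
                }
            }
            catch (Exception e)
            {
                sentToAllCollectors = false;
                Settings.Logs_Sent_to_ALL_Collectors = false;
                Error_Operation.Log_Error("SEND_Logs() [transport_protocol] == tcp", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Informataion);
            }
        }
    }
    else//Default send logs UDP
    {
        for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
        {
            try
            {
                string host = Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x));
                int port = Settings.Log_Forwarders_Port.ElementAt(x);
                foreach (EventLog_Entry entry in Event_logs)
                {
                    SEND_Record_UDP(host, port, GET_Encoding_to_Return(entry));
                }
            }
            catch (Exception e)
            {
                sentToAllCollectors = false;
                Settings.Logs_Sent_to_ALL_Collectors = false;
                Error_Operation.Log_Error("SEND_Logs() else//Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Verbose);
            }
        }
    }

    if (sentToAllCollectors)
    {
        Settings.Logs_Sent_to_ALL_Collectors = true;
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString());
    }
}

/// <summary>Opens one TCP connection to <paramref name="host"/>:<paramref name="port"/>, writes <paramref name="data"/>, and closes it (also on error).</summary>
private static void SEND_Record_TCP(string host, int port, byte[] data)
{
    using (TcpClient client = new TcpClient(host, port))
    using (NetworkStream stream = client.GetStream())
    {
        stream.Write(data, 0, data.Length);
    }
}

/// <summary>Sends <paramref name="data"/> as a single datagram to <paramref name="host"/>:<paramref name="port"/> on a fresh, always-closed <see cref="UdpClient"/>.</summary>
private static void SEND_Record_UDP(string host, int port, byte[] data)
{
    using (UdpClient client = new UdpClient(host, port))
    {
        client.Send(data, data.Length);
    }
}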
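/// <summary>
/// Forwards one text payload to every configured collector, over TCP when the
/// app config's transport argument is "tcp" and over UDP otherwise.
/// </summary>
/// <param name="Log">Text to forward; encoded by <c>GET_Encoding_to_Return</c>.</param>
/// <param name="FilePath">Accepted for callers; not used by this method.</param>
/// <param name="DeleteWhenDone">Accepted for callers; not used by this method.</param>
/// <returns>
/// <c>true</c> when every collector accepted the payload, or when forwarding was
/// skipped because a collector entry is "127.0.0.1" or blank (previous
/// behaviour, kept); <c>false</c> when any collector failed.
/// </returns>
/// <remarks>
/// Fixes: <c>TcpClient</c>/<c>NetworkStream</c>/<c>UdpClient</c> were only
/// closed on the success path — now disposed by <c>using</c>; the UDP branch
/// assigned <c>SEND_Data_from_File_UDP</c>'s result straight into
/// <c>Data_Sent</c>, so a later collector's success erased an earlier failure;
/// and <c>Logs_Sent_to_ALL_Collectors</c>/<c>Logs_Last_Sent</c> were updated
/// after the loop regardless of failures — both now happen only when every
/// collector succeeded.
/// Transport is plain TCP/UDP with no TLS and no collector authentication.
/// </remarks>
internal static bool SEND_Logs(string Log, string FilePath = "", bool DeleteWhenDone = false)
{
    bool Data_Sent = true;
    if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase))
        || Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)))
    {
        return Data_Sent;
    }

    if (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]] == "tcp")//If user wants send logs tcp
    {
        for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
        {
            try
            {
                byte[] data = GET_Encoding_to_Return(Log);
                using (TcpClient client = new TcpClient(Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x)), Settings.Log_Forwarders_Port.ElementAt(x)))
                using (NetworkStream stream = client.GetStream())
                {
                    stream.Write(data, 0, data.Length);
                }
            }
            catch (Exception e)
            {
                Data_Sent = false;
                Settings.Logs_Sent_to_ALL_Collectors = false;
                Error_Operation.Log_Error("SEND_Logs() transport_protocol tcp", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Informataion);
            }
        }
    }
    else//Default send logs UDP
    {
        for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
        {
            try
            {
                using (UdpClient client = new UdpClient(Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x)), Settings.Log_Forwarders_Port.ElementAt(x)))
                {
                    // Keep the first failure: a later success must not clear it.
                    if (!SEND_Data_from_File_UDP(Log, client))
                    {
                        Data_Sent = false;
                    }
                }
            }
            catch (Exception e)
            {
                Data_Sent = false;
                Settings.Logs_Sent_to_ALL_Collectors = false;
                Error_Operation.Log_Error("SEND_Logs() Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Informataion);
            }
        }
    }

    if (Data_Sent)
    {
        Settings.Logs_Sent_to_ALL_Collectors = true;
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString());
    }
    return Data_Sent;
}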
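/// <summary>
/// Forwards every queued event-log record to each configured collector through
/// <c>Socket_Client_TCP</c> or <c>Socket_Client_UDP</c> (UDP is the default and
/// is written into the app-config arguments when no transport is configured),
/// then records the send time in the registry.
/// </summary>
/// <param name="Event_logs">Records to forward; each is formatted by <c>GET_Log_Output_Format</c> and converted with <c>Crypto_Operation.CONVERT_To_ASCII_Bytes</c> before sending.</param>
/// <remarks>
/// Nothing is sent when any collector entry is "127.0.0.1" or blank.
/// Fixes: <c>Logs_Sent_to_ALL_Collectors</c> was set back to <c>true</c> after
/// the loop even when a collector had failed — it, and the <c>Logs_Last_Sent</c>
/// timestamp, are now updated only when every collector succeeded; and
/// <c>ElementAt(y)</c> on a <see cref="Queue{T}"/> walks from the head on every
/// call, so the queue is enumerated directly.
/// The ASCII conversion is not visible here — TODO(review): confirm how non-ASCII
/// characters in event text are handled, since they cannot be represented as-is.
/// </remarks>
internal static void SEND_Logs(Queue<EventLog_Entry> Event_logs)
{
    if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase))
        || Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)))
    {
        return;
    }

    if (!Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[14]))
    {
        Settings.AppConfig_File_Args.Add(Settings.SWELF_AppConfig_Args[14], "udp");
    }

    bool sentToAllCollectors = true;
    if (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]] == "tcp")//If user wants send logs tcp
    {
        for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
        {
            try
            {
                foreach (EventLog_Entry entry in Event_logs)
                {
                    Socket_Client_TCP(Crypto_Operation.CONVERT_To_ASCII_Bytes(GET_Log_Output_Format(entry)), x);
                }
            }
            catch (Exception e)
            {
                sentToAllCollectors = false;
                Settings.Logs_Sent_to_ALL_Collectors = false;
                Error_Operation.Log_Error("SEND_Logs() [transport_protocol] == tcp", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Warning);
            }
        }
    }
    else//Default send logs UDP
    {
        for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
        {
            try
            {
                foreach (EventLog_Entry entry in Event_logs)
                {
                    Socket_Client_UDP(Crypto_Operation.CONVERT_To_ASCII_Bytes(GET_Log_Output_Format(entry)), x);
                }
            }
            catch (Exception e)
            {
                sentToAllCollectors = false;
                Settings.Logs_Sent_to_ALL_Collectors = false;
                Error_Operation.Log_Error("SEND_Logs() else//Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Warning);
            }
        }
    }

    if (sentToAllCollectors)
    {
        Settings.Logs_Sent_to_ALL_Collectors = true;
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString());
    }
}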
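/// <summary>
/// Reconciles the <c>logging_level</c> registry value with the level in the
/// app config, then maps the level name in
/// <c>Settings.Logging_Level_To_Report</c> to its index in <c>Severity_Levels</c>.
/// </summary>
/// <remarks>
/// Decision table, unchanged from the previous version: registry value missing
/// → write the config value; registry value blank → write the config value
/// only when the app config file is encrypted and its creation time still
/// matches the <c>ConsoleAppConfig_CreationDate</c> registry value (the
/// file-trust check); registry and config disagree → same trust check, and
/// when it fails the disagreement is recorded in <c>ErrorsLog</c> as possible
/// tampering before the config value is written; otherwise the registry value
/// is adopted.
/// Fix: the recovery branch that re-reads the level name from the registry left
/// the numeric <c>Logging_Level_To_Report</c> untouched; it now re-maps the name.
/// The final recovery branch still reads a registry value it has just found
/// missing and falls back to index 1, as before — TODO(review): confirm which
/// level index 1 denotes and whether a named default would be clearer.
/// </remarks>
internal static void ErrorLogging_Level()
{
    try
    {
        if (!Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
        {
            Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
        }
        else
        {
            string storedLevel = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
            if (string.IsNullOrEmpty(storedLevel))
            {
                if (CHECK_AppConfig_File_Trusted())
                {
                    Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
                }
                else
                {
                    //error in logic here
                    // Blank registry value and an untrusted config file: no handling
                    // existed in the previous version; left as-is deliberately.
                }
            }
            else if (storedLevel != Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]])
            {
                if (CHECK_AppConfig_File_Trusted())
                {
                    Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
                }
                else
                {
                    // Config disagrees with the registry and the file cannot be
                    // trusted: record it, then let the config value win (as before).
                    ErrorsLog.Add("ErrorLogging_Level()" + "Possible Tampering (Reg.Reg_Keys_and_Values[\"logging_level\"] != Settings.AppConfig_File_Args[\"logging_level\"] settings changed to match.");
                    Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
                }
            }
            else
            {
                Settings.Logging_Level_To_Report = storedLevel;
            }
        }
        Logging_Level_To_Report = Array.FindIndex(Severity_Levels, row => row == Settings.Logging_Level_To_Report);
    }
    catch (Exception)
    {
        if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
        {
            Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
            Logging_Level_To_Report = Array.FindIndex(Severity_Levels, row => row == Settings.Logging_Level_To_Report);
        }
        else
        {
            Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
            Logging_Level_To_Report = 1;
        }
    }
}

/// <summary>
/// The file-trust check used above: the app config file is encrypted and its
/// creation time still matches the value recorded in the registry.
/// </summary>
private static bool CHECK_AppConfig_File_Trusted()
{
    return File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path)
        && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate);
}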
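/// <summary>
/// Makes a SWELF config file readable again: when its contents are
/// SWELF-encrypted the decrypted text is appended to the file, then the EFS
/// flag is removed with <see cref="File.Decrypt(string)"/>.  Failures are sorted by
/// exception text into repair paths: re-encrypt and retry once, re-verify the
/// file against the registry, or restore it from the registry copy.
/// </summary>
/// <param name="FilePath">Config file to unlock.</param>
/// <param name="RetryNumber">0 on the first attempt; the method calls itself once with 1 after re-encrypting.</param>
/// <remarks>
/// Fix: the "not a complete block" recovery for the search-terms file wrote the
/// search-terms registry copy over <c>Settings.GET_AppConfigFile_Path</c>,
/// destroying the app config; it now restores <paramref name="FilePath"/>
/// itself.  The search file and the plugin search file share
/// <c>SearchTermsFileName_FileName</c>, so that <c>Contains</c> match is only
/// approximate — TODO(review): confirm the plugin file should be restored from
/// the non-plugin registry key.
/// Dispatching on exception message text is fragile (messages are localized and
/// version-specific); it is kept because every repair path depends on it.
/// Inside the retry branch, <c>else { File.Decrypt(FilePath); }</c> re-runs the
/// call that may have just thrown; a second failure leaves this method
/// unhandled, as before.
/// </remarks>
internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
{
    try
    {
        if (File_Operation.CHECK_File_Encrypted(FilePath) == true)
        {
            File.AppendAllText(FilePath, Decrypt_File_Contents(FilePath));
        }
        File.Decrypt(FilePath);
    }
    catch (Exception e)
    {
        if (RetryNumber == 0)
        {
            // A plaintext file that reports a truncated block: encrypt it first
            // so the normal path applies, then retry exactly once.
            if (e.Message.Contains("The input data is not a complete block.") && File_Operation.CHECK_File_Encrypted(FilePath) == false)
            {
                Encrypt_File_Contents(FilePath);
                File.Encrypt(FilePath);
                UnSecure_File(FilePath, 1);
            }
            else
            {
                File.Decrypt(FilePath);
            }
        }

        if (e.Message.Contains("Padding"))
        {
            // Bad padding means the ciphertext does not match what SWELF wrote:
            // treat as tampering and re-verify the file against the registry.
            Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
        }
        else if (e.Message.Contains("The input data is not a complete block."))
        {
            if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
            {
                File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
            }
            else if (FilePath.Contains(Settings.SearchTermsFileName_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents))
            {
                // Restore the file that failed, not the app config.
                File.WriteAllText(FilePath, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents));
            }
            else
            {
                //error is logic
                // Truncated block in a file with no registry copy: nothing to restore from.
            }
        }
        else
        {
            Error_Operation.Log_Error("UnLock_File()", e.Message + " " + FilePath + " retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit);
        }
    }
}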
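/// <summary>
/// Background loader for the whitelist search-terms file: prefers the registry
/// copy, then an on-disk file (which is deleted after reading), and otherwise
/// writes the default file and stores its contents in the registry.  Signals
/// completion by incrementing <c>ThreadsDone_Setup</c>.
/// </summary>
/// <remarks>
/// Fix: the completion counter is incremented concurrently by several loader
/// threads and polled by <c>InitializeAppSettings</c>; a plain <c>++</c> is a
/// read-modify-write that can lose an increment, leaving start-up waiting
/// forever.  <see cref="Interlocked.Increment(ref int)"/> makes it atomic.
/// </remarks>
private static void RUN_Thread_Whitelist_SearchFile()
{
    if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents))//use reg
    {
        READ_WhiteList_Search_Terms_File(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents));
    }
    else if (File_Operation.CHECK_if_File_Exists(GET_WhiteList_SearchTermsFile_Path))//no reg, look for file
    {
        READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
        File_Operation.DELETE_File(GET_WhiteList_SearchTermsFile_Path);
    }
    else//no file, no reg, Create Default then load it into the reg to use later
    {
        File_Operation.VERIFY_Search_Default_Files_Ready();
        READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
    }
    Interlocked.Increment(ref ThreadsDone_Setup);
}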
/// <summary>
/// Resets every SWELF config file to its built-in default — truncate each one,
/// then recreate it under its configured folder — rewrites the default registry
/// values, and records the reset in the error log as a failure audit.
/// </summary>
internal static void WRITE_Default_Configs_Files_and_Reg()
{
    string[] configPathsToTruncate =
    {
        GET_AppConfigFile_Path,
        GET_EventLogID_PlaceHolder_Path,
        GET_SearchTermsFile_Path,
        GET_WhiteList_SearchTermsFile_Path,
        GET_SearchTermsFile_PLUGIN_Path,
    };
    foreach (string configPath in configPathsToTruncate)
    {
        File_Operation.Turnicate_File(configPath);
    }

    // Recreate in the same order the files were truncated; the whitelist
    // default is intentionally empty.
    File_Operation.CREATE_NEW_Files_And_Dirs(Config_File_Location, AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents, true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Config_File_Location, EventLogID_PlaceHolde_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents, true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, SearchTermsFileName_FileName, File_Operation.GET_Default_Logs_Search_File_Contents, true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, Search_WhiteList_FileName, "", true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Plugin_Search_Location, SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents, true);

    Reg_Operation.WRITE_Default_SWELF_Reg_Keys();
    Error_Operation.Log_Error("WRITE_Default_Configs()", "SWELF created new default config files for all settings", "", Error_Operation.LogSeverity.FailureAudit);
}
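/// <summary>
/// Background loader for the PowerShell plugin search terms: prefers the
/// registry copy, then an on-disk file (deleted after reading), and otherwise
/// prepares the default search files and plugin scripts, reads the default, and
/// stores it in the registry.  Signals completion by incrementing
/// <c>ThreadsDone_Setup</c>.
/// </summary>
/// <remarks>
/// Fix: the completion counter is incremented concurrently by several loader
/// threads and polled by <c>InitializeAppSettings</c>; a plain <c>++</c> can
/// lose an increment and leave start-up waiting forever, so
/// <see cref="Interlocked.Increment(ref int)"/> is used.
/// </remarks>
private static void RUN_Thread_Plugins()
{
    if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents))//use reg
    {
        READ_Powershell_SearchTerms(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents));
    }
    else if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_PLUGIN_Path))//no reg, look for file
    {
        READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
        File_Operation.DELETE_File(GET_SearchTermsFile_PLUGIN_Path);
    }
    else//no file, no reg, Create Default then load it into the reg to use later
    {
        File_Operation.VERIFY_Search_Default_Files_Ready();
        File_Operation.GET_Plugin_Scripts_Ready();
        READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
    }
    Interlocked.Increment(ref ThreadsDone_Setup);
}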
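//-----------------------------End Settings Config------------------------------------
/// <summary>
/// One-time start-up: prepares the error log and event-log source, loads the
/// SWELF registry values, parses the app config and search file on this
/// thread, runs the placekeeper / whitelist / plugin loaders on background
/// threads, records the binary version, and waits for the loaders to finish.
/// </summary>
/// <remarks>
/// The previous version polled <c>ThreadsDone_Setup</c> every 5 s until it
/// reached 5 and then called <see cref="Thread.Abort()"/> on threads that had
/// already finished.  Each loader increments that counter as its last
/// statement, so <see cref="Thread.Join()"/> waits for the same condition
/// without the polling delay and without Abort (unsupported on .NET Core/5+).
/// <c>GC.Collect()</c> is kept from the previous version; it is not needed for
/// correctness.
/// </remarks>
internal static void InitializeAppSettings()
{
    GET_ErrorLog_Ready();
    SET_WindowsEventLog_Location();
    Reg_Operation.READ_ALL_SWELF_Reg_Keys();
    RUN_Setup_AppConfig();
    RUN_Setup_SearchFile();

    Thread[] loaders =
    {
        new Thread(RUN_Thread_EventLogIDPLacekeepers),
        new Thread(RUN_Thread_Whitelist_SearchFile),
        new Thread(RUN_Thread_Plugins),
    };
    foreach (Thread loader in loaders)
    {
        loader.IsBackground = true;
        loader.Start();
    }

    CHECK_SWELF_Version();

    foreach (Thread loader in loaders)
    {
        loader.Join();
    }

    Central_Config_Hashs.Clear();
    GC.Collect();
}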
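/// <summary>
/// Derives the SWELF file-encryption password: reads the comma-separated index
/// list from the <c>Encryption</c> registry value, concatenates the
/// <c>Cipher_Parts</c> entries at those indices in order, and returns the hash
/// of the result.
/// </summary>
/// <returns>Hash of the assembled key material.</returns>
/// <remarks>
/// The index list is created once by <c>Generate_Decrypt</c> and stored through
/// <c>Protect_Data_Value</c> (implementation not visible here).  Whatever that
/// wrapping is, anyone who can read the value and has the binary — which
/// contains <c>Cipher_Parts</c> — can rebuild the password, so this is
/// obfuscation of the key rather than a secret independent of the host.
/// The indices come from the registry and are not range-checked; a tampered
/// value throws from <see cref="Convert.ToInt32(string)"/> or <c>ElementAt</c>.
/// The existence branch reads the value right after finding it absent
/// (<c>READ_SWELF_Reg_Key(…, false)</c>); the second argument's meaning is not
/// visible here, so that branch is kept exactly as it was.
/// Fix: the previous version built the string with <c>+=</c> in a loop and
/// called a redundant <c>ToArray()</c> on the split result.
/// </remarks>
private static string GET_Password()
{
    if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.Encryption) == false)
    {
        if (string.IsNullOrEmpty(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.Encryption, false)) == true)
        {
            Reg_Operation.BASE_SWELF_KEY.SetValue(Reg_Operation.SWELF_Keys[(int)Reg_Operation.REG_KEY.Encryption].ToString(), Protect_Data_Value(Generate_Decrypt()));
        }
        else
        {
            Settings.WRITE_Default_Configs_Files_and_Reg();
        }
    }
    string password = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.Encryption);
    string[] PWarray = password.Split(',');
    // Each index selects one fragment; order matters, so no sorting/distinct.
    string content = string.Join("", PWarray.Select(part => Cipher_Parts.ElementAt(System.Convert.ToInt32(part))));
    return Hash(content);
}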
/// <summary>
/// Case-insensitively compares the decrypted contents of a config file with the
/// copy held under <paramref name="RegKey"/>.
/// </summary>
/// <param name="SettingsConfigFilePath">Path of the (SWELF-encrypted) config file.</param>
/// <param name="RegKey">Registry value holding the reference copy.</param>
/// <returns><c>true</c> when both texts are equal after lower-casing.</returns>
internal static bool CHECK_File_vs_Reg_Contents(string SettingsConfigFilePath, Reg_Operation.REG_KEY RegKey)
{
    string fileText = Crypto_Operation.Decrypt_File_Contents(SettingsConfigFilePath).ToLower();
    string registryText = Reg_Operation.READ_SWELF_Reg_Key(RegKey).ToLower();
    return string.Equals(fileText, registryText);
}
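/// <summary>
/// Entry point.  With no arguments, runs the live event-log forwarding loop.
/// With <c>-c &lt;path&gt;</c>, imports that config file — plus any search-terms
/// and whitelist files found at their default paths — into the SWELF registry
/// values, then starts the live loop.  Any other argument list starts EVTX
/// processing.
/// </summary>
/// <param name="args">Command-line arguments; not read — <see cref="Environment.GetCommandLineArgs"/> is used instead, as before.</param>
/// <remarks>
/// Clean-ups relative to the previous version, none of which change a reachable
/// path: the <c>if (Count &lt; 3)</c> default-path fallback sat under a
/// <c>Count &gt;= 3</c> guard and could never run (so a bare <c>-c</c> still
/// falls through to EVTX processing — TODO(review): confirm that is intended);
/// the nested duplicate file-exists check and its unreachable <c>else if</c> are
/// gone; the impossible <c>Count &lt; 2 &amp;&amp; Count &gt; 1</c> branch is gone;
/// the unused <c>Program_Start_Args_Array</c> local is gone.
/// The path given to <c>-c</c> is lower-cased and only checked for existence
/// before its contents replace the registry config; the pre-existing TODO to
/// validate its location and parsability still stands, since that file decides
/// where logs are forwarded.
/// </remarks>
internal static void Main(string[] args)
{
    using (Process currentProcess = Process.GetCurrentProcess())
    {
        currentProcess.PriorityClass = ProcessPriorityClass.BelowNormal;
    }
    Program_Start_Args = Environment.GetCommandLineArgs().ToList();

    if (Program_Start_Args.Count <= 1)
    {
        try
        {
            Start_Process_Live_Method();
        }
        catch (Exception e)
        {
            Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_Live_Process()", e.Message + ", Also the app halted.", e.StackTrace);
        }
        return;
    }

    bool configImportRequested = Program_Start_Args.Count >= 3 && Program_Start_Args.ElementAt(1).ToLower() == "-c";
    if (!configImportRequested)
    {
        Start_EVTX_Process();
        return;
    }

    //TODO make sure config file passed in is one of the correct file (by location and parsability) then update that reg key, then delete the file once read in
    string configFilePath = Program_Start_Args.ElementAt(2).ToLower();
    if (!File_Operation.CHECK_if_File_Exists(configFilePath))
    {
        Settings.SHOW_Help_Menu();
        Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "MAIN()", "The config file path doesnt exist for some reaosn, Also the app halted.", "");
        return;
    }

    IMPORT_Config_Files_Into_Reg(configFilePath);
    Start_Process_Live_Method();
    //TODO add option for password in config file to allow updates this way
    //if no password allow update??
    //store password in reg
}

/// <summary>
/// Copies <paramref name="configFilePath"/>, and the search-terms and whitelist
/// files when present at their default paths, into their registry values,
/// logging each import as a <c>SWELF_Central_Config_Changed</c> event.
/// </summary>
private static void IMPORT_Config_Files_Into_Reg(string configFilePath)
{
    Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(configFilePath));
    Error_Operation.Log_Error("MAIN()", "Config update. ConsoleAppConfig_Contents reg key from file " + configFilePath, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed);

    if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_Path))
    {
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_SearchTermsFile_Path));
        Error_Operation.Log_Error("MAIN()", "Config update. SearchTerms_File_Contents reg key from file " + Settings.GET_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed);
    }

    if (File_Operation.CHECK_if_File_Exists(Settings.GET_WhiteList_SearchTermsFile_Path))
    {
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_WhiteList_SearchTermsFile_Path));
        Error_Operation.Log_Error("MAIN()", "Config update. WhiteList_SearchTerms_File_Contents reg key from file " + Settings.GET_WhiteList_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed);
    }
}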
/// <summary>
/// Builds the list of event logs that the search rules reference and seeds a
/// read position ("placekeeper") for each one: the stored value from
/// <c>REG_Keys</c> when the registry already has it, otherwise 1.
/// </summary>
/// <remarks>
/// Populates <c>EventLog_w_PlaceKeeper_List</c> (sorted, de-duplicated log
/// names), <c>EventLog_w_PlaceKeeper</c> (name → position) and
/// <c>EventLog_w_PlaceKeeper_Backup</c>.  A failure inside a single rule is
/// logged and skipped; any other failure stops the process with
/// <c>SWELF_CRIT_ERROR_EXIT_CODE</c>.
/// </remarks>
private static void CHECK_if_all_Search_Terms_have_Indexed_LogsSources()
{
    List<string> Searchs = new List<string>();
    try
    {
        foreach (string SearchLogType in Search_Rules_Unparsed)//search terms
        {
            // The rule grammar is not visible here; the first three fields are
            // tried as log names in order and the first one that exists wins.
            string[] SearchsArgs = SearchLogType.Split(SplitChar_SearchCommandSplit, StringSplitOptions.RemoveEmptyEntries).ToArray();
            // Skip comment lines and rules with fewer than two fields.
            if (SearchsArgs.Length > 1 && String.IsNullOrEmpty(SearchsArgs[1]) == false && SearchLogType.StartsWith(CommentCharConfigs.ToString()) == false)
            {
                try
                {
                    if (CHECK_If_EventLog_Exsits(SearchsArgs[0]))
                    {
                        Searchs.Add(SearchsArgs[0]);
                    }
                    // The length/empty/comment tests below repeat the outer guard
                    // for index 1; they are only decisive for index 2.
                    else if (SearchsArgs.Length > 1 && (String.IsNullOrEmpty(SearchsArgs[1]) == false && SearchLogType.StartsWith(CommentCharConfigs.ToString()) == false && Settings.CHECK_If_EventLog_Exsits(SearchsArgs[1])))
                    {
                        Searchs.Add(SearchsArgs[1]);
                    }
                    else if (SearchsArgs.Length > 2 && (String.IsNullOrEmpty(SearchsArgs[2]) == false && SearchLogType.StartsWith(CommentCharConfigs.ToString()) == false && Settings.CHECK_If_EventLog_Exsits(SearchsArgs[2])))
                    {
                        Searchs.Add(SearchsArgs[2]);
                    }
                }
                catch (Exception e)
                {
                    // One bad rule: log it (with the count gathered so far) and move on.
                    Searchs = Searchs.Distinct().ToList();
                    Error_Operation.Log_Error("CHECK_if_all_Search_Terms_have_Indexed_LogsSources()", e.Message.ToString() + Searchs.Count, e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                }
            }
        }
        EventLog_w_PlaceKeeper_List = Searchs.Distinct().ToList();
        Searchs.Clear();
        // NOTE(review): this loop appends the lower-cased name to
        // EventLog_w_PlaceKeeper_List while indexing it, so that name is visited
        // again on a later pass; the second pass hits the duplicate-key
        // ArgumentException from EventLog_w_PlaceKeeper.Add and is swallowed by
        // the catch below.  Whether the lower-cased entry is meant to replace the
        // original-case one is not clear from here — confirm before changing.
        for (int x = 0; x < EventLog_w_PlaceKeeper_List.Count; ++x)
        {
            try
            {
                if (REG_Keys.ContainsKey(EventLog_w_PlaceKeeper_List.ElementAt(x).ToLower()) == false)
                {
                    // No stored position: start this log at 1 and persist it.
                    EventLog_w_PlaceKeeper.Add(EventLog_w_PlaceKeeper_List.ElementAt(x).ToLower(), 1);
                    Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(EventLog_w_PlaceKeeper_List.ElementAt(x).ToLower(), "1");
                    EventLog_w_PlaceKeeper_List.Add(EventLog_w_PlaceKeeper_List.ElementAt(x).ToLower());
                }
                else
                {
                    // Stored position found: the dictionaries are keyed by the
                    // original-case name here, while the registry copy is looked
                    // up by the lower-cased one.
                    EventLog_w_PlaceKeeper_Backup.Add(EventLog_w_PlaceKeeper_List.ElementAt(x), Convert.ToInt64(REG_Keys[EventLog_w_PlaceKeeper_List.ElementAt(x).ToLower()]));
                    EventLog_w_PlaceKeeper.Add(EventLog_w_PlaceKeeper_List.ElementAt(x), Convert.ToInt64(REG_Keys[EventLog_w_PlaceKeeper_List.ElementAt(x).ToLower()]));
                }
            }
            catch (Exception e)
            {
                //skip already present
            }
        }
        EventLog_w_PlaceKeeper_List = EventLog_w_PlaceKeeper_List.Distinct().ToList();
        EventLog_w_PlaceKeeper_List.Sort();
        // NOTE(review): this assigns the same dictionary instance to both names,
        // so the "backup" follows every later change to EventLog_w_PlaceKeeper
        // instead of preserving a snapshot — confirm that is intended.
        EventLog_w_PlaceKeeper_Backup = EventLog_w_PlaceKeeper;
    }
    catch (Exception e)
    {
        Searchs = Searchs.Distinct().ToList();
        Stop(SWELF_CRIT_ERROR_EXIT_CODE, "CHECK_if_all_Search_Terms_have_Indexed_LogsSources() ", e.Message.ToString() + Searchs.Count, e.StackTrace.ToString(), Error_Operation.LogSeverity.Critical);
    }
}
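/// <summary>
/// Background loader that re-reads the SWELF registry values and then seeds a
/// read position for every event log the search rules reference.  Signals
/// completion by incrementing <c>ThreadsDone_Setup</c>.
/// </summary>
/// <remarks>
/// Fix: the completion counter is incremented concurrently by several loader
/// threads and polled by <c>InitializeAppSettings</c>; a plain <c>++</c> can
/// lose an increment and leave start-up waiting forever, so
/// <see cref="Interlocked.Increment(ref int)"/> is used.
/// </remarks>
private static void RUN_Thread_EventLogIDPLacekeepers()
{
    Reg_Operation.READ_ALL_SWELF_Reg_Keys();
    CHECK_if_all_Search_Terms_have_Indexed_LogsSources();
    Interlocked.Increment(ref ThreadsDone_Setup);
}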
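/// <summary>
/// Loads the console app config (registry copy first, then the on-disk file —
/// deleted after reading — else a freshly written default), refreshes each
/// config section that names a central (web) source, gathers the collector
/// addresses, and marks this setup step done.
/// </summary>
/// <remarks>
/// The four central-config sections were copy-pasted; they now share
/// <c>SYNC_Central_Config</c>, which keeps the per-section log text because the
/// <c>REG_KEY</c> member names spell the same words the messages used.
/// <c>SWELF_AppConfig_Args[7]</c>, <c>[6]</c>, <c>[9]</c> and <c>[8]</c> name
/// the app-config, search-terms, whitelist and plugin sources respectively, as
/// in the previous version; <c>[16]</c> forces verbose logging.
/// Trust boundary: whatever <c>Web_Operation.UPDATE_Reg_Config_With_Central_Config</c>
/// returns is written straight into the registry and later decides where logs
/// go, so the config is only as trustworthy as that fetch and the hash check in
/// <c>VERIFY_Central_Reg_Config_Hash</c>; neither is visible here —
/// TODO(review): confirm the transport authenticates the server.
/// </remarks>
private static void RUN_Setup_AppConfig()
{
    if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))//use reg
    {
        READ_and_Parse_Console_App_Config_Contents(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
    }
    else if (File_Operation.CHECK_if_File_Exists(GET_AppConfigFile_Path))//no reg, look for file
    {
        READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path));
        File_Operation.DELETE_File(GET_AppConfigFile_Path);
    }
    else//no file, no reg, Create Default then load it into the reg to use later
    {
        File_Operation.VERIFY_AppConfig_Default_Files_Ready();
        READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path));
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(GET_AppConfigFile_Path));
    }

    //Check for CENTRAL CONFIG's, if yes check for update, update if needed.
    SYNC_Central_Config(SWELF_AppConfig_Args[7], Reg_Operation.REG_KEY.ConsoleAppConfig_Contents);//Appconfig
    SYNC_Central_Config(SWELF_AppConfig_Args[6], Reg_Operation.REG_KEY.SearchTerms_File_Contents);//Searchterms
    SYNC_Central_Config(SWELF_AppConfig_Args[9], Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents);//Whitelist
    SYNC_Central_Config(SWELF_AppConfig_Args[8], Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents);//Powershell plugin

    Log_Forwarders_HostNames = GET_LogCollector_Locations();//GatherLog Collector Locations
    // Atomic for consistency with the loader threads that share this counter.
    Interlocked.Increment(ref ThreadsDone_Setup);
    if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[16]))
    {
        Logging_Level_To_Report = "verbose";
    }
}

/// <summary>
/// When the app config names a central source under <paramref name="argName"/>,
/// ensures <paramref name="regKey"/> exists, and replaces its contents from the
/// web source if the stored copy no longer matches the central hash and the
/// connection succeeded.  Each replacement is logged as
/// <c>SWELF_Central_Config_Changed</c>.
/// </summary>
private static void SYNC_Central_Config(string argName, Reg_Operation.REG_KEY regKey)
{
    if (!AppConfig_File_Args.ContainsKey(argName))
    {
        return;
    }
    if (!Reg_Operation.CHECK_SWELF_Reg_Key_Exists(regKey))
    {
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(regKey, "");
    }
    var centralSource = AppConfig_File_Args[argName];
    if (!Web_Operation.VERIFY_Central_Reg_Config_Hash(centralSource, Reg_Operation.READ_SWELF_Reg_Key(regKey)) && Web_Operation.Connection_Successful)
    {
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(regKey, Web_Operation.UPDATE_Reg_Config_With_Central_Config(centralSource.ToString()));
        Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config " + regKey + " source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
    }
}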