public ActionResult StartMonitoring(string RunId, string Directory) { if (RunId != null) { if (DatabaseManager.GetRun(RunId) != null) { return(Json(GUI_ERROR.UNIQUE_ID)); } DatabaseManager.InsertRun(RunId, new Dictionary <RESULT_TYPE, bool>() { { RESULT_TYPE.FILEMONITOR, true } }); MonitorCommandOptions opts = new MonitorCommandOptions { RunId = RunId, EnableFileSystemMonitor = true, MonitoredDirectories = Directory, FilterLocation = "filters.json" }; AttackSurfaceAnalyzerClient.ClearMonitors(); return(Json((int)AttackSurfaceAnalyzerClient.RunGuiMonitorCommand(opts))); } return(Json(-1)); }
public FileSystemMonitor(MonitorCommandOptions opts, Action <FileMonitorObject> changeHandler) { options = opts ?? new MonitorCommandOptions(); this.changeHandler = changeHandler ?? throw new NullReferenceException(nameof(changeHandler)); fsc = new FileSystemCollector(new CollectorOptions() { DownloadCloud = false, GatherHashes = options.GatherHashes, }); foreach (var dir in options?.MonitoredDirectories.Any() is true ? options.MonitoredDirectories : fsc.Roots.ToList()) { foreach (var filter in defaultFiltersList) { var watcher = new FileSystemWatcher(); watcher.Path = dir; watcher.NotifyFilter = filter; watcher.IncludeSubdirectories = true; // Changed, Created and Deleted can share a handler, because they throw the same type of event watcher.Changed += GetFunctionForFilterType(filter); watcher.Created += GetFunctionForFilterType(filter); watcher.Deleted += GetFunctionForFilterType(filter); // Renamed needs a different handler because it throws a different kind of event watcher.Renamed += GetRenamedFunctionForFilterType(filter); watchers.Add(watcher); } } }
public ActionResult StartMonitoring(string RunId, string Directory) { if (RunId != null) { if (DatabaseManager.GetRun(RunId) != null) { return(Json(ASA_ERROR.UNIQUE_ID)); } var run = new AsaRun(RunId: RunId, Timestamp: DateTime.Now, Version: AsaHelpers.GetVersionString(), Platform: AsaHelpers.GetPlatform(), new List <RESULT_TYPE>() { RESULT_TYPE.FILEMONITOR }, RUN_TYPE.MONITOR); DatabaseManager.InsertRun(run); MonitorCommandOptions opts = new MonitorCommandOptions { RunId = RunId, EnableFileSystemMonitor = true, MonitoredDirectories = Directory, Verbose = Logger.Verbose, Debug = Logger.Debug, Quiet = Logger.Quiet }; AttackSurfaceAnalyzerClient.ClearMonitors(); return(Json((int)AttackSurfaceAnalyzerClient.RunGuiMonitorCommand(opts))); } return(Json(-1)); }
public static ASA_ERROR RunGuiMonitorCommand(MonitorCommandOptions opts) { if (opts is null) { return(ASA_ERROR.NO_COLLECTORS); } if (opts.EnableFileSystemMonitor) { List <string> directories = new List <string>(); var parts = opts.MonitoredDirectories?.Split(',') ?? Array.Empty <string>(); foreach (string part in parts) { directories.Add(part); } foreach (string dir in directories) { try { FileSystemMonitor newMon = new FileSystemMonitor(opts.RunId ?? DateTime.Now.ToString("o", CultureInfo.InvariantCulture), dir, opts.InterrogateChanges); monitors.Add(newMon); } catch (ArgumentException) { Log.Warning("{1}: {0}", dir, Strings.Get("InvalidPath")); return(ASA_ERROR.INVALID_PATH); } } } if (monitors.Count == 0) { Log.Warning(Strings.Get("Err_NoMonitors")); } foreach (var c in monitors) { c.StartRun(); } return(ASA_ERROR.NONE); }
public ActionResult StartMonitoring(string RunId, string Directory, string Extension) { if (RunId != null) { using (var cmd = new SqliteCommand(INSERT_RUN, DatabaseManager.Connection, DatabaseManager.Transaction)) { cmd.Parameters.AddWithValue("@run_id", RunId.Trim()); cmd.Parameters.AddWithValue("@file_system", true); cmd.Parameters.AddWithValue("@ports", false); cmd.Parameters.AddWithValue("@users", false); cmd.Parameters.AddWithValue("@services", false); cmd.Parameters.AddWithValue("@registry", false); cmd.Parameters.AddWithValue("@certificates", false); cmd.Parameters.AddWithValue("@firewall", false); cmd.Parameters.AddWithValue("@comobjects", false); cmd.Parameters.AddWithValue("@type", "monitor"); cmd.Parameters.AddWithValue("@timestamp", DateTime.Now.ToString("o", CultureInfo.InvariantCulture)); cmd.Parameters.AddWithValue("@version", AsaHelpers.GetVersionString()); cmd.Parameters.AddWithValue("@platform", AsaHelpers.GetPlatformString()); try { cmd.ExecuteNonQuery(); DatabaseManager.Commit(); } catch (SqliteException e) { Log.Warning(e.StackTrace); Log.Warning(e.Message); return(Json((int)GUI_ERROR.UNIQUE_ID)); } } MonitorCommandOptions opts = new MonitorCommandOptions { RunId = RunId, EnableFileSystemMonitor = true, MonitoredDirectories = Directory, FilterLocation = "filters.json" }; AttackSurfaceAnalyzerClient.ClearMonitors(); return(Json((int)AttackSurfaceAnalyzerClient.RunGuiMonitorCommand(opts))); } return(Json(-1)); }
public ActionResult StartMonitoring(string RunId, string Directory, string Extension) { using (var cmd = new SqliteCommand(INSERT_RUN, DatabaseManager.Connection, DatabaseManager.Transaction)) { cmd.Parameters.AddWithValue("@run_id", RunId.Trim()); cmd.Parameters.AddWithValue("@file_system", true); cmd.Parameters.AddWithValue("@ports", false); cmd.Parameters.AddWithValue("@users", false); cmd.Parameters.AddWithValue("@services", false); cmd.Parameters.AddWithValue("@registry", false); cmd.Parameters.AddWithValue("@certificates", false); cmd.Parameters.AddWithValue("@type", "monitor"); cmd.Parameters.AddWithValue("@timestamp", DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss")); cmd.Parameters.AddWithValue("@version", Helpers.GetVersionString()); try { cmd.ExecuteNonQuery(); DatabaseManager.Commit(); } catch (Exception e) { Log.Warning(e.StackTrace); Log.Warning(e.Message); return(Json((int)ERRORS.UNIQUE_ID)); } } MonitorCommandOptions opts = new MonitorCommandOptions { RunId = RunId, EnableFileSystemMonitor = true, MonitoredDirectories = Directory, FilterLocation = "filters.json" }; AttackSurfaceAnalyzerCLI.ClearMonitors(); return(Json((int)AttackSurfaceAnalyzerCLI.RunGuiMonitorCommand(opts))); }
public FileSystemMonitor(MonitorCommandOptions opts, Action <FileMonitorObject> changeHandler) { options = opts ?? new MonitorCommandOptions(); #pragma warning disable CA1303 // Do not pass literals as localized parameters this.changeHandler = changeHandler ?? throw new NullReferenceException(nameof(changeHandler)); #pragma warning restore CA1303 // This string doesn't need to be localized, it is the name of the variable fsc = new FileSystemCollector(new CollectorOptions() { DownloadCloud = false, GatherHashes = options.GatherHashes, }); foreach (var dir in options?.MonitoredDirectories?.Any() is true ? options.MonitoredDirectories : fsc.Roots.ToArray()) { foreach (var filter in defaultFiltersList) { var watcher = new FileSystemWatcher(); watcher.Path = dir; watcher.NotifyFilter = filter; watcher.IncludeSubdirectories = true; // Changed, Created and Deleted can share a handler, because they throw the same // type of event watcher.Changed += GetFunctionForFilterType(filter); watcher.Created += GetFunctionForFilterType(filter); watcher.Deleted += GetFunctionForFilterType(filter); // Renamed needs a different handler because it throws a different kind of event watcher.Renamed += GetRenamedFunctionForFilterType(filter); watchers.Add(watcher); } } }
public static ASA_ERROR RunGuiMonitorCommand(MonitorCommandOptions opts) { if (opts is null) { return(ASA_ERROR.NO_COLLECTORS); } if (opts.EnableFileSystemMonitor) { monitors.Add(new FileSystemMonitor(opts, x => DatabaseManager.Write(x, opts.RunId))); } if (monitors.Count == 0) { Log.Warning(Strings.Get("Err_NoMonitors")); } foreach (var c in monitors) { c.StartRun(); } return(ASA_ERROR.NONE); }
private static int RunMonitorCommand(MonitorCommandOptions opts) { #if DEBUG Logger.Setup(true, opts.Verbose); #else Logger.Setup(opts.Debug, opts.Verbose); #endif AdminOrQuit(); SetupOrDie(opts.DatabaseFilename); AsaTelemetry.Setup(); Dictionary <string, string> StartEvent = new Dictionary <string, string>(); StartEvent.Add("Files", opts.EnableFileSystemMonitor.ToString(CultureInfo.InvariantCulture)); StartEvent.Add("Admin", AsaHelpers.IsAdmin().ToString(CultureInfo.InvariantCulture)); AsaTelemetry.TrackEvent("Begin monitoring", StartEvent); CheckFirstRun(); if (opts.RunId is string) { opts.RunId = opts.RunId.Trim(); } else { opts.RunId = DateTime.Now.ToString("o", CultureInfo.InvariantCulture); } if (opts.Overwrite) { DatabaseManager.DeleteRun(opts.RunId); } else { if (DatabaseManager.GetRun(opts.RunId) != null) { Log.Error(Strings.Get("Err_RunIdAlreadyUsed")); return((int)ASA_ERROR.UNIQUE_ID); } } var run = new AsaRun(RunId: opts.RunId, Timestamp: DateTime.Now, Version: AsaHelpers.GetVersionString(), Platform: AsaHelpers.GetPlatform(), new List <RESULT_TYPE>() { RESULT_TYPE.FILEMONITOR }, RUN_TYPE.MONITOR); DatabaseManager.InsertRun(run); int returnValue = 0; if (opts.EnableFileSystemMonitor) { List <String> directories = new List <string>(); if (opts.MonitoredDirectories != null) { var parts = opts.MonitoredDirectories.Split(','); foreach (String part in parts) { directories.Add(part); } } else { if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) { directories.Add("/"); } if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { directories.Add("C:\\"); } if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) { directories.Add("/"); } } List <NotifyFilters> filterOptions = new List <NotifyFilters> { NotifyFilters.Attributes, NotifyFilters.CreationTime, NotifyFilters.DirectoryName, NotifyFilters.FileName, NotifyFilters.LastAccess, NotifyFilters.LastWrite, NotifyFilters.Security, NotifyFilters.Size }; foreach (String dir in directories) { if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) { var newMon = new FileSystemMonitor(opts.RunId, dir, false); monitors.Add(newMon); } else { foreach (NotifyFilters filter in filterOptions) { Log.Information("Adding Path {0} Filter Type {1}", dir, filter.ToString()); var newMon = new FileSystemMonitor(opts.RunId, dir, false, filter); monitors.Add(newMon); } } } } //if (opts.EnableRegistryMonitor) //{ //var monitor = new RegistryMonitor(); //monitors.Add(monitor); //} if (monitors.Count == 0) { Log.Warning(Strings.Get("Err_NoMonitors")); returnValue = (int)ASA_ERROR.NO_COLLECTORS; } using var exitEvent = new ManualResetEvent(false); // If duration is set, we use the secondary timer. if (opts.Duration > 0) { Log.Information("{0} {1} {2}.", Strings.Get("MonitorStartedFor"), opts.Duration, Strings.Get("Minutes")); using var aTimer = new System.Timers.Timer { Interval = opts.Duration * 60 * 1000, //lgtm [cs/loss-of-precision] AutoReset = false, }; aTimer.Elapsed += (source, e) => { exitEvent.Set(); }; // Start the timer aTimer.Enabled = true; } foreach (FileSystemMonitor c in monitors) { Log.Information(Strings.Get("Begin"), c.GetType().Name); try { c.StartRun(); } catch (Exception ex) { Log.Error(Strings.Get("Err_CollectingFrom"), c.GetType().Name, ex.Message, ex.StackTrace); returnValue = 1; } } // Set up the event to capture CTRL+C Console.CancelKeyPress += (sender, eventArgs) => { eventArgs.Cancel = true; exitEvent.Set(); }; Console.Write(Strings.Get("MonitoringPressC")); // Write a spinner and wait until CTRL+C WriteSpinner(exitEvent); Log.Information(""); foreach (var c in monitors) { Log.Information(Strings.Get("End"), c.GetType().Name); try { c.StopRun(); if (c is FileSystemMonitor) { ((FileSystemMonitor)c).Dispose(); } } catch (Exception ex) { Log.Error(ex, " {0}: {1}", c.GetType().Name, ex.Message, Strings.Get("Err_Stopping")); } } DatabaseManager.Commit(); return(returnValue); }