private void ParseRegex(Regex regex, string text, bool successful, string timestampFormat)
{
List <IPAddressLogEvent> events = new();
IPAddressEventType type = (successful ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin);
foreach (IPAddressLogEvent info in IPBanService.GetIPAddressEventsFromRegex(regex, text, timestampFormat, type, dns))
{
info.Source ??= Source; // apply default source only if we don't already have a source
if (info.FailedLoginThreshold <= 0)
{
info.FailedLoginThreshold = FailedLoginThreshold;
}
if (successful)
{
info.LogLevel = SuccessfulLogLevel;
}
else
{
info.LogLevel = FailedLogLevel;
}
events.Add(info);
Logger.Debug("Log file found match, ip: {0}, user: {1}, source: {2}, count: {3}, type: {4}",
info.IPAddress, info.UserName, info.Source, info.Count, info.Type);
}
loginHandler.AddIPAddressLogEvents(events);
}
/// <summary>
/// Create a test IPBanService
/// </summary>
/// <param name="directory">Root directory</param>
/// <param name="configFileName">Config file name</param>
/// <param name="defaultBannedIPAddressHandlerUrl">Url for banned ip handling or null to not handle banned ip</param>
/// <param name="configFileModifier">Change config file (param are file text, returns new file text)</param>
/// <returns>Service</returns>
public static T CreateAndStartIPBanTestService <T>(string directory = null, string configFileName = null, string defaultBannedIPAddressHandlerUrl = null,
Func <string, string> configFileModifier = null) where T : IPBanService
{
DefaultHttpRequestMaker.DisableLiveRequests = true;
// cleanup any db, set or tbl files
foreach (string file in Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.set")
.Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.tbl"))
.Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.set6"))
.Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.tbl6"))
.Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.sqlite"))
.Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.sqlite-wal"))
.Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.sqlite-shm"))
.Union(Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*-journal")))
{
ExtensionMethods.FileDeleteWithRetry(file, 1000);
}
if (string.IsNullOrWhiteSpace(directory))
{
directory = Path.GetDirectoryName(IPBanAssembly.Location);
}
if (string.IsNullOrWhiteSpace(configFileName))
{
configFileName = IPBanService.ConfigFileName;
}
string configFilePath = Path.Combine(directory, configFileName);
string configFileText = File.ReadAllText(configFilePath);
configFilePath += ".tmp";
if (configFileModifier != null)
{
configFileText = configFileModifier(configFileText);
}
ExtensionMethods.FileWriteAllTextWithRetry(configFilePath, configFileText);
T service = IPBanService.CreateService <T>() as T;
service.ExternalIPAddressLookup = LocalMachineExternalIPAddressLookupTest.Instance;
service.ConfigFilePath = configFilePath;
service.MultiThreaded = false;
service.ManualCycle = true;
if (defaultBannedIPAddressHandlerUrl is null)
{
service.BannedIPAddressHandler = NullBannedIPAddressHandler.Instance;
}
else
{
service.BannedIPAddressHandler = new DefaultBannedIPAddressHandler {
BaseUrl = defaultBannedIPAddressHandlerUrl
};
}
service.Version = "1.1.1.1";
service.StartAsync().Sync();
service.DB.Truncate(true);
service.Firewall.Truncate();
return(service);
}
/// <summary>
/// Dispose of an IPBanService created with CreateAndStartIPBanTestService
/// </summary>
/// <param name="service">Service to dispose</param>
public static void DisposeIPBanTestService(IPBanService service)
{
if (service != null)
{
service.Firewall.Truncate();
service.RunCycle().Sync();
service.Dispose();
IPBanService.UtcNow = default;
}
}
/// <summary>
/// Dispose of an IPBanService created with CreateAndStartIPBanTestService
/// </summary>
/// <param name="service">Service to dispose</param>
public static void DisposeIPBanTestService(IPBanService service)
{
if (service != null)
{
if (File.Exists(Path.Combine(AppContext.BaseDirectory, "nlog.config")))
{
File.Delete(Path.Combine(AppContext.BaseDirectory, "nlog.config"));
}
service.Firewall.Truncate();
service.RunCycleAsync().Sync();
service.IPBanDelegate = null;
service.Dispose();
NLog.Time.TimeSource.Current = new NLog.Time.AccurateUtcTimeSource();
IPBanService.UtcNow = default;
}
}
private bool ParseRegex(Regex regex, string line, bool notifyOnly)
{
if (regex != null)
{
IPAddressLogEvent info = IPBanService.GetIPAddressInfoFromRegex(dns, regex, line);
if (info.FoundMatch)
{
info.Type = (notifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin);
info.Source = info.Source ?? Source;
IPBanLog.Debug("Log file found match, ip: {0}, user: {1}, source: {2}, count: {3}, type: {4}",
info.IPAddress, info.UserName, info.Source, info.Count, info.Type);
loginHandler.AddIPAddressLogEvents(new IPAddressLogEvent[] { info });
return(true);
}
}
return(false);
}
/// <summary>
/// Create a test IPBanService
/// </summary>
/// <param name="directory">Root directory</param>
/// <param name="configFileName">Config file name</param>
/// <param name="defaultBannedIPAddressHandlerUrl">Url for banned ip handling or null to not handle banned ip</param>
/// <param name="configFileModifier">Change config file (param are file text, returns new file text)</param>
/// <returns>Service</returns>
public static T CreateAndStartIPBanTestService <T>(string directory = null, string configFileName = null, string defaultBannedIPAddressHandlerUrl = null,
Func <string, string> configFileModifier = null) where T : IPBanService
{
ExtensionMethods.RemoveDatabaseFiles();
DefaultHttpRequestMaker.DisableLiveRequests = true;
if (string.IsNullOrWhiteSpace(directory))
{
directory = Path.GetDirectoryName(IPBanAssembly.Location);
}
if (string.IsNullOrWhiteSpace(configFileName))
{
configFileName = IPBanConfig.DefaultFileName;
}
string configFilePath = Path.Combine(directory, configFileName);
string configFileText = File.ReadAllText(configFilePath);
configFilePath += ".tmp";
if (configFileModifier != null)
{
configFileText = configFileModifier(configFileText);
}
ExtensionMethods.FileWriteAllTextWithRetry(configFilePath, configFileText);
T service = IPBanService.CreateService <T>() as T;
service.ExternalIPAddressLookup = LocalMachineExternalIPAddressLookupTest.Instance;
service.ConfigFilePath = configFilePath;
service.MultiThreaded = false;
service.ManualCycle = true;
service.DnsList = null; // too slow for tests, turn off
if (defaultBannedIPAddressHandlerUrl is null)
{
service.BannedIPAddressHandler = NullBannedIPAddressHandler.Instance;
}
else
{
service.BannedIPAddressHandler = new DefaultBannedIPAddressHandler {
BaseUrl = defaultBannedIPAddressHandlerUrl
};
}
service.Version = "1.1.1.1";
service.RunAsync(CancellationToken.None).Sync();
service.RunCycle().Sync();
service.DB.Truncate(true);
service.Firewall.Truncate();
return(service);
}
/// <summary>
/// Start typed ipban service
/// </summary>
/// <typeparam name="T">Type of ipban service</typeparam>
/// <param name="args">Args</param>
/// <param name="started">Started callback</param>
/// <returns>Task</returns>
public static async Task MainService <T>(string[] args, Action started = null) where T : IPBanService
{
T service = IPBanService.CreateService <T>();
await MainService(args, async (_args) =>
{
// kick off start in background thread, make sure service starts up in a timely manner
await service.StartAsync();
started?.Invoke();
// wait for service to end
await service.WaitAsync(Timeout.Infinite);
}, () =>
{
// stop the service, will cause any WaitAsync to exit
service.Stop();
});
}
/// <summary>
/// Create a test IPBanService
/// </summary>
/// <param name="directory">Root directory</param>
/// <param name="configFileName">Config file name</param>
/// <param name="defaultBannedIPAddressHandlerUrl">Url for banned ip handling or null to not handle banned ip</param>
/// <param name="configFileModifier">Change config file (param are file text, returns new file text)</param>
/// <returns>Service</returns>
public static T CreateAndStartIPBanTestService <T>(string directory = null, string configFileName = null, string defaultBannedIPAddressHandlerUrl = null,
Func <string, string> configFileModifier = null) where T : IPBanService
{
NLog.Time.TimeSource.Current = new TestTimeSource();
string defaultNLogConfig = $@"<?xml version=""1.0""?>
<nlog xmlns=""http://www.nlog-project.org/schemas/NLog.xsd"" xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" throwExceptions=""false"" internalLogToConsole=""false"" internalLogToConsoleError=""false"" internalLogLevel=""Trace"">
<targets>
<target name=""logfile"" xsi:type=""File"" fileName=""${{basedir}}/logfile.txt"" encoding=""UTF-8""/>
<target name=""console"" xsi:type=""Console""/>
</targets>
<rules>
<logger name=""*"" minlevel=""Debug"" writeTo=""logfile""/>
<logger name=""*"" minlevel=""Debug"" writeTo=""console""/>
</rules>
</nlog>";
File.WriteAllText(Path.Combine(AppContext.BaseDirectory, "nlog.config"), defaultNLogConfig);
string logFilePath = Path.Combine(AppContext.BaseDirectory, "logfile.txt");
if (File.Exists(logFilePath))
{
File.Delete(logFilePath);
}
ExtensionMethods.RemoveDatabaseFiles();
DefaultHttpRequestMaker.DisableLiveRequests = true;
if (string.IsNullOrWhiteSpace(directory))
{
directory = AppContext.BaseDirectory;
}
if (string.IsNullOrWhiteSpace(configFileName))
{
configFileName = IPBanConfig.DefaultFileName;
}
string configFilePath = Path.Combine(directory, configFileName);
string configFileText = File.ReadAllText(configFilePath);
configFilePath += ".tmp";
if (configFileModifier != null)
{
configFileText = configFileModifier(configFileText);
}
ExtensionMethods.FileWriteAllTextWithRetry(configFilePath, configFileText);
T service = IPBanService.CreateService <T>() as T;
service.ExternalIPAddressLookup = LocalMachineExternalIPAddressLookupTest.Instance;
service.ConfigFilePath = configFilePath;
service.MultiThreaded = false;
service.ManualCycle = true;
service.DnsList = null; // too slow for tests, turn off
if (defaultBannedIPAddressHandlerUrl is null)
{
service.BannedIPAddressHandler = NullBannedIPAddressHandler.Instance;
}
else
{
service.BannedIPAddressHandler = new DefaultBannedIPAddressHandler {
BaseUrl = defaultBannedIPAddressHandlerUrl
};
}
service.Version = "1.1.1.1";
service.RunAsync(CancellationToken.None).Sync();
service.RunCycleAsync().Sync();
service.DB.Truncate(true);
service.Firewall.Truncate();
return(service);
}
private IPAddressLogEvent ExtractEventViewerXml(XmlDocument doc)
{
XmlNode keywordsNode = doc.SelectSingleNode("//Keywords");
string keywordsText = keywordsNode.InnerText;
if (keywordsText.StartsWith("0x"))
{
keywordsText = keywordsText.Substring(2);
}
ulong keywordsULONG = ulong.Parse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);
IPAddressLogEvent info = null;
bool foundNotifyOnly = false;
if (keywordsNode != null)
{
// we must match on keywords
foreach (EventViewerExpressionGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG))
{
string userName = null;
string source = null;
foreach (EventViewerExpression expression in group.Expressions)
{
// find all the nodes, try and get an ip from any of them, all must match
XmlNodeList nodes = doc.SelectNodes(expression.XPath);
if (nodes.Count == 0)
{
Logger.Debug("No nodes found for xpath {0}", expression.XPath);
info = null;
break;
}
// if there is a regex, it must match
if (string.IsNullOrWhiteSpace(expression.Regex))
{
// count as a match, do not modify the ip address if it was already set
Logger.Debug("No regex, so counting as a match");
}
else
{
info = null;
// try and find an ip from any of the nodes
foreach (XmlNode node in nodes)
{
// if we get a match, stop checking nodes
info = IPBanService.GetIPAddressInfoFromRegex(service.DnsLookup, expression.RegexObject, node.InnerText);
if (info.FoundMatch)
{
if (group.NotifyOnly)
{
foundNotifyOnly = true;
}
else if (foundNotifyOnly)
{
throw new InvalidDataException("Conflicting expressions in event viewer, both failed and success logins matched keywords " + group.Keywords);
}
userName = (userName ?? info.UserName);
source = (source ?? info.Source);
break;
}
}
if (info != null && !info.FoundMatch)
{
// match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban
Logger.Debug("Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath);
info = null;
foundNotifyOnly = false;
break;
}
}
}
if (info != null && info.FoundMatch && info.IPAddress != null)
{
info.UserName = (info.UserName ?? userName);
info.Source = info.Source ?? source ?? group.Source;
break;
}
info = null; // set null for next attempt
}
}
if (info != null)
{
info.Type = (foundNotifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin);
}
return(info);
}
