Exemple #1
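        /// <summary>
        /// Handles one record delivered by the event watcher, converts it into a
        /// <c>Program.LogEntry</c> and hands it to the engine.
        /// </summary>
        /// <param name="obj">Event sender; not used.</param>
        /// <param name="arg">Carries the event record; a null record is ignored.</param>
        /// <remarks>
        /// Property layout read here: [0] process id, [1] path, [2] direction, [3] source address,
        /// [4] source port, [5] destination address, [6] destination port, [7] protocol.
        /// Any exception (missing property, null value, ...) is caught and written to the
        /// application log, so a malformed record never takes the watcher down.
        /// </remarks>
        private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
        {
            var record = arg.EventRecord;
            if (record == null)
            {
                return;
            }

            try
            {
                // Read the property list once instead of re-fetching it for every field.
                var props = record.Properties;

                int    processId = MiscFunc.parseInt(props[0].Value.ToString());
                string path      = props[1].Value.ToString();

                // An event id other than Blocked/Allowed leaves the action Undefined; the entry is still logged.
                Actions action = record.Id == (int)EventIDs.Blocked ? Actions.Block
                               : record.Id == (int)EventIDs.Allowed ? Actions.Allow
                               : Actions.Undefined;

                // The direction arrives as a "%%NNNNN" placeholder string rather than as text.
                Directions direction;
                switch (props[2].Value.ToString())
                {
                    case "%%14592":
                        direction = Directions.Inbound;
                        break;
                    case "%%14593":
                        direction = Directions.Outboun;
                        break;
                    default:
                        direction = Directions.Unknown;
                        break;
                }

                string src_ip    = props[3].Value.ToString();
                int    src_port  = MiscFunc.parseInt(props[4].Value.ToString());
                string dest_ip   = props[5].Value.ToString();
                int    dest_port = MiscFunc.parseInt(props[6].Value.ToString());
                int    protocol  = MiscFunc.parseInt(props[7].Value.ToString());

                ProgramList.ID id = GetIDforEntry(path, processId);
                if (id == null)
                {
                    return;
                }

                // Use the time stamped on the record, not the time this handler happened to run,
                // so a delayed delivery does not shift the entry and live entries can be correlated
                // with the stored log. Fall back to the local clock only when the record has no time.
                DateTime timeStamp = record.TimeCreated ?? DateTime.Now;

                Program.LogEntry entry = new Program.LogEntry(id, action, direction, src_ip, src_port, dest_ip, dest_port, protocol, processId, timeStamp);

                entry.Profile = GetCurrentProfiles();

                App.engine.LogActivity(entry);
            }
            catch (Exception err)
            {
                AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
            }
        }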
Exemple #2
        /// <summary>
        /// Serializes the activity details and sends them as an "ActivityNotification" push message.
        /// </summary>
        /// <param name="guid">Identifier packed first into the message.</param>
        /// <param name="entry">Log entry describing the activity.</param>
        /// <param name="progID">Program identifier the activity belongs to.</param>
        /// <param name="services">Optional service names; null is passed through to PutStrList.</param>
        /// <param name="update">Flag packed last into the message.</param>
        public void NotifyActivity(Guid guid, Program.LogEntry entry, ProgramID progID, List <String> services = null, bool update = false)
        {
            // The fields are packed positionally; presumably the receiver unpacks them in the
            // same order, so keep this sequence in step with the reading side (confirm there).
            var payload = new List<byte[]>(5)
            {
                PutGuid(guid),
                PutLogEntry(entry),
                PutProgID(progID),
                PutStrList(services),
                PutBool(update)
            };

            SendPushNotification("ActivityNotification", payload);
        }
Exemple #3
 /// <summary>
 /// Wraps the activity details in a <c>Priv10Engine.FwEventArgs</c> and sends it as an
 /// "ActivityNotification" push message.
 /// </summary>
 /// <param name="guid">Identifier copied into the event arguments.</param>
 /// <param name="entry">Log entry describing the activity.</param>
 /// <param name="progID">Program identifier the activity belongs to.</param>
 /// <param name="services">Optional service names; may be null.</param>
 /// <param name="update">Flag copied into the event arguments.</param>
 public void NotifyActivity(Guid guid, Program.LogEntry entry, ProgramID progID, List <String> services = null, bool update = false)
 {
     var eventArgs = new Priv10Engine.FwEventArgs();

     // Member names match the parameter names one to one.
     eventArgs.guid     = guid;
     eventArgs.entry    = entry;
     eventArgs.progID   = progID;
     eventArgs.services = services;
     eventArgs.update   = update;

     SendPushNotification("ActivityNotification", eventArgs);
 }
Exemple #4
        /*public bool ApplyTweak(Tweak tweak)
         * {
         *  return Tweaks.ApplyTweak(tweak);
         * }
         *
         * public bool TestTweak(Tweak tweak)
         * {
         *  return Tweaks.TestTweak(tweak);
         * }
         *
         * public bool UndoTweak(Tweak tweak)
         * {
         *  return Tweaks.UndoTweak(tweak);
         * }*/

        /// <summary>
        /// Queues a log entry for processing on the engine's dispatcher.
        /// </summary>
        /// <param name="entry">The activity to record.</param>
        /// <param name="fromLog">
        /// True when the entry was replayed from the stored log; such entries are recorded
        /// but not forwarded to the host as notifications.
        /// </param>
        public void LogActivity(Program.LogEntry entry, bool fromLog = false)
        {
            // Threading note: callers run on a service thread that watches the security log,
            // so the actual work is posted to the dispatcher instead of being done inline.
            Action recordOnEngineThread = () =>
            {
                // Threading note: from here on we are on the engine thread.
                Program target = App.engine.programs.GetProgram(entry.mID, true);

                target.LogActivity(entry, fromLog);

                // Entries replayed from the log are history, not news: do not notify for them.
                if (fromLog || App.host == null)
                {
                    return;
                }

                App.host.NotifyActivity(target.guid, entry);
            };

            mDispatcher.BeginInvoke(recordOnEngineThread);
        }
Exemple #5
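        /// <summary>
        /// Replays the stored "Security" event log: every record whose instance id is
        /// <c>EventIDs.Allowed</c> or <c>EventIDs.Blocked</c> is converted into a
        /// <c>Program.LogEntry</c> and passed to the engine with <c>fromLog = true</c>.
        /// </summary>
        /// <remarks>
        /// Replacement-string layout read here: [0] process id, [1] path, [2] direction,
        /// [3] source address, [4] source port, [5] destination address, [6] destination port,
        /// [7] protocol. Reading the Security log normally requires elevated rights; a failure
        /// to read it is caught and only written to the application log.
        /// </remarks>
        public void LoadLog()
        {
            // Indices 0..7 are read below, so a usable record needs at least this many strings.
            const int requiredFields = 8;

            // 'using' releases the log handle on every exit path.
            using (EventLog eventLog = new EventLog("Security"))
            {
                try
                {
                    foreach (EventLogEntry logEntry in eventLog.Entries)
                    {
                        bool blocked = logEntry.InstanceId == (long)EventIDs.Blocked;
                        bool allowed = logEntry.InstanceId == (long)EventIDs.Allowed;
                        if (!blocked && !allowed)
                        {
                            continue;
                        }

                        string[] fields = logEntry.ReplacementStrings;
                        if (fields == null || fields.Length < requiredFields)
                        {
                            // A truncated record is skipped instead of aborting the whole replay.
                            continue;
                        }

                        // The direction is stored as a "%%NNNNN" placeholder string rather than as text.
                        Directions direction;
                        switch (fields[2])
                        {
                            case "%%14592":
                                direction = Directions.Inbound;
                                break;
                            case "%%14593":
                                direction = Directions.Outboun;
                                break;
                            default:
                                direction = Directions.Unknown;
                                break;
                        }

                        int    processId = MiscFunc.parseInt(fields[0]);
                        string path      = fields[1];

                        ProgramList.ID id = GetIDforEntry(path, processId);
                        if (id == null)
                        {
                            // Skip only this record. Returning here would silently drop every
                            // later record and leave the replayed history incomplete.
                            continue;
                        }

                        Actions action = blocked ? Actions.Block : Actions.Allow;

                        string src_ip    = fields[3];
                        int    src_port  = MiscFunc.parseInt(fields[4]);
                        string dest_ip   = fields[5];
                        int    dest_port = MiscFunc.parseInt(fields[6]);
                        int    protocol  = MiscFunc.parseInt(fields[7]);

                        Program.LogEntry entry = new Program.LogEntry(id, action, direction, src_ip, src_port, dest_ip, dest_port, protocol, processId, logEntry.TimeGenerated);

                        App.engine.LogActivity(entry, true);
                    }
                }
                catch (Exception err)
                {
                    AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
                }
            }
        }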
Exemple #6
 /// <summary>
 /// Serializes a log entry into a byte array by delegating to <c>PutXmlObj</c>.
 /// </summary>
 /// <param name="entry">The log entry to serialize.</param>
 /// <returns>Whatever <c>PutXmlObj</c> produces for the entry.</returns>
 protected byte[] PutLogEntry(Program.LogEntry entry)
 {
     byte[] serialized = PutXmlObj(entry);
     return serialized;
 }