//For other famlies (non INET) that are required more investigation - send event with raw data (hex string) private ConnectionsPayload CreateNonInetConnPayloadFromAuditEvent(LinuxAddressFamily family, AuditEvent auditEvent) { ConnectionsPayload connectionPayload = CreateConnPayloadFromAuditEvent(auditEvent); string hexStringSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress); connectionPayload.ExtraDetails = new Dictionary <string, string> { { "familyName", family.ToString() }, { "saddr", hexStringSaddr } }; return(connectionPayload); }
private ConnectionsPayload CreateConnPayloadFromAuditEvent(AuditEvent auditEvent) { ConnectionsPayload payload = new ConnectionsPayload(); payload.Direction = GetConnectionDirection(); payload.Protocol = EProtocol.Tcp.ToString(); payload.Executable = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable), Encoding.UTF8); payload.CommandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessTitle), Encoding.UTF8); payload.ProcessId = UInt32.Parse(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)); payload.UserId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId); return(payload); }
public void ConnectionCreate() { var payload = new ConnectionsPayload { RemotePort = "23", RemoteAddress = "192.168.0.1", ProcessId = 2, LocalPort = "8080", UserId = "111", CommandLine = "c:\\dir\\app.exe", Direction = ConnectionsPayload.ConnectionDirection.In, Executable = "app.exe", LocalAddress = "::ffff:c000:0280", Protocol = "tcp" }; var obj = new ConnectionCreate(EventPriority.Low, payload, DateTime.UtcNow); obj.ValidateSchema(); }
private ConnectionsPayload CreateInetConnPayloadFromAuditEvent(AuditEvent auditEvent) { ConnectionsPayload connectionPayload = null; string hexStringSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress); try { ConnectionSaddr saddr = ConnectionSaddr.ParseSaddrToInetConnection(hexStringSaddr); if (!ConnectionSaddr.IsLocalIp(saddr.Ip)) //we don't send local connections { connectionPayload = CreateConnPayloadFromAuditEvent(auditEvent); connectionPayload.RemoteAddress = saddr.Ip; connectionPayload.RemotePort = saddr.Port.ToString(); } } catch (Exception e) { SimpleLogger.Error($"Failed to parse saddr {hexStringSaddr}", exception: e); connectionPayload = null; } return(connectionPayload); }
private IEvent GetConnectionCreationEvent(Dictionary <string, string> ev) { DateTime eventTime = DateTime.Parse(ev[TimeGeneratedFieldName]); ConnectionDirection direction = GetEventPropertyFromMessage(ev[MessageFieldName], DirectionFieldName) == "Outbound" ? ConnectionDirection.Out : ConnectionDirection.In; int protocolNumber = Int32.Parse(GetEventPropertyFromMessage(ev[MessageFieldName], ProtocolFieldName)); FirewallRuleProtocol protocol = (FirewallRuleProtocol)protocolNumber; var payload = new ConnectionsPayload { Executable = GetEventPropertyFromMessage(ev[MessageFieldName], ApplicationNameFieldName), ProcessId = UInt32.Parse(GetEventPropertyFromMessage(ev[MessageFieldName], ProcessIdFieldName)), CommandLine = null, UserId = null, RemoteAddress = direction == ConnectionDirection.In ? GetEventPropertyFromMessage(ev[MessageFieldName], SourceAddressFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationAddressFieldName), RemotePort = direction == ConnectionDirection.In ? GetEventPropertyFromMessage(ev[MessageFieldName], SourcePortFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationPortFieldName), LocalAddress = direction == ConnectionDirection.Out ? GetEventPropertyFromMessage(ev[MessageFieldName], SourceAddressFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationAddressFieldName), LocalPort = direction == ConnectionDirection.Out ? GetEventPropertyFromMessage(ev[MessageFieldName], SourcePortFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationPortFieldName), Protocol = protocol.ToString(), Direction = direction }; return(new ConnectionCreate(Priority, payload, eventTime)); }
/// <summary> /// This function recieve an event from the audit log file /// It filters out connections that are not relevant for security (e.g. local connects) /// It then returns "ConnectionCreate" event type that represent a succefull open connection from/to the internet /// </summary> /// <param name="auditEvent">A log event from the the audit event</param> /// <returns>A device event based on the input</returns> private IEvent CreateEventFromAuditRecord(AuditEvent auditEvent) { ConnectionsPayload connectionPayload = null; ConnectionCreate retConnection = null; string saddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress, throwIfNotExist: false); if (!string.IsNullOrEmpty(saddr)) { //Check the address family of the connection - extract from the saddr LinuxAddressFamily family = ConnectionSaddr.ExtractFamilyFromSaddr(saddr); //According to the family type we create/don't create the event if (!family.IsToIgnore()) //irelevant connections - don't create events { if (ConnectionSaddr.IsInetFamliy(family)) //internet connections - create correlated event { connectionPayload = CreateInetConnPayloadFromAuditEvent(auditEvent); } else //For other famlies (non INET) that are required more investigation - send event with raw data (hex string) { connectionPayload = CreateNonInetConnPayloadFromAuditEvent(family, auditEvent); } } } else { SimpleLogger.Debug($"{nameof(GetType)}: Saddr is null or empty, dropping event"); } if (connectionPayload != null) { retConnection = new ConnectionCreate(Priority, connectionPayload, auditEvent.TimeUTC); } return(retConnection); }