//For other famlies (non INET) that are required more investigation - send event with raw data (hex string)
private ConnectionsPayload CreateNonInetConnPayloadFromAuditEvent(LinuxAddressFamily family, AuditEvent auditEvent)
{
ConnectionsPayload connectionPayload = CreateConnPayloadFromAuditEvent(auditEvent);
string hexStringSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress);
connectionPayload.ExtraDetails = new Dictionary <string, string>
{
{ "familyName", family.ToString() },
{ "saddr", hexStringSaddr }
};
return(connectionPayload);
}
private ConnectionsPayload CreateConnPayloadFromAuditEvent(AuditEvent auditEvent)
{
ConnectionsPayload payload = new ConnectionsPayload();
payload.Direction = GetConnectionDirection();
payload.Protocol = EProtocol.Tcp.ToString();
payload.Executable = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable), Encoding.UTF8);
payload.CommandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessTitle), Encoding.UTF8);
payload.ProcessId = UInt32.Parse(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId));
payload.UserId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId);
return(payload);
}
public void ConnectionCreate()
{
var payload = new ConnectionsPayload
{
RemotePort = "23",
RemoteAddress = "192.168.0.1",
ProcessId = 2,
LocalPort = "8080",
UserId = "111",
CommandLine = "c:\\dir\\app.exe",
Direction = ConnectionsPayload.ConnectionDirection.In,
Executable = "app.exe",
LocalAddress = "::ffff:c000:0280",
Protocol = "tcp"
};
var obj = new ConnectionCreate(EventPriority.Low, payload, DateTime.UtcNow);
obj.ValidateSchema();
}
private ConnectionsPayload CreateInetConnPayloadFromAuditEvent(AuditEvent auditEvent)
{
ConnectionsPayload connectionPayload = null;
string hexStringSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress);
try
{
ConnectionSaddr saddr = ConnectionSaddr.ParseSaddrToInetConnection(hexStringSaddr);
if (!ConnectionSaddr.IsLocalIp(saddr.Ip)) //we don't send local connections
{
connectionPayload = CreateConnPayloadFromAuditEvent(auditEvent);
connectionPayload.RemoteAddress = saddr.Ip;
connectionPayload.RemotePort = saddr.Port.ToString();
}
}
catch (Exception e)
{
SimpleLogger.Error($"Failed to parse saddr {hexStringSaddr}", exception: e);
connectionPayload = null;
}
return(connectionPayload);
}
private IEvent GetConnectionCreationEvent(Dictionary <string, string> ev)
{
DateTime eventTime = DateTime.Parse(ev[TimeGeneratedFieldName]);
ConnectionDirection direction = GetEventPropertyFromMessage(ev[MessageFieldName], DirectionFieldName) == "Outbound" ? ConnectionDirection.Out : ConnectionDirection.In;
int protocolNumber = Int32.Parse(GetEventPropertyFromMessage(ev[MessageFieldName], ProtocolFieldName));
FirewallRuleProtocol protocol = (FirewallRuleProtocol)protocolNumber;
var payload = new ConnectionsPayload
{
Executable = GetEventPropertyFromMessage(ev[MessageFieldName], ApplicationNameFieldName),
ProcessId = UInt32.Parse(GetEventPropertyFromMessage(ev[MessageFieldName], ProcessIdFieldName)),
CommandLine = null,
UserId = null,
RemoteAddress = direction == ConnectionDirection.In ? GetEventPropertyFromMessage(ev[MessageFieldName], SourceAddressFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationAddressFieldName),
RemotePort = direction == ConnectionDirection.In ? GetEventPropertyFromMessage(ev[MessageFieldName], SourcePortFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationPortFieldName),
LocalAddress = direction == ConnectionDirection.Out ? GetEventPropertyFromMessage(ev[MessageFieldName], SourceAddressFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationAddressFieldName),
LocalPort = direction == ConnectionDirection.Out ? GetEventPropertyFromMessage(ev[MessageFieldName], SourcePortFieldName) : GetEventPropertyFromMessage(ev[MessageFieldName], DestinationPortFieldName),
Protocol = protocol.ToString(),
Direction = direction
};
return(new ConnectionCreate(Priority, payload, eventTime));
}
/// <summary>
/// This function recieve an event from the audit log file
/// It filters out connections that are not relevant for security (e.g. local connects)
/// It then returns "ConnectionCreate" event type that represent a succefull open connection from/to the internet
/// </summary>
/// <param name="auditEvent">A log event from the the audit event</param>
/// <returns>A device event based on the input</returns>
private IEvent CreateEventFromAuditRecord(AuditEvent auditEvent)
{
ConnectionsPayload connectionPayload = null;
ConnectionCreate retConnection = null;
string saddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress, throwIfNotExist: false);
if (!string.IsNullOrEmpty(saddr))
{
//Check the address family of the connection - extract from the saddr
LinuxAddressFamily family = ConnectionSaddr.ExtractFamilyFromSaddr(saddr);
//According to the family type we create/don't create the event
if (!family.IsToIgnore()) //irelevant connections - don't create events
{
if (ConnectionSaddr.IsInetFamliy(family)) //internet connections - create correlated event
{
connectionPayload = CreateInetConnPayloadFromAuditEvent(auditEvent);
}
else //For other famlies (non INET) that are required more investigation - send event with raw data (hex string)
{
connectionPayload = CreateNonInetConnPayloadFromAuditEvent(family, auditEvent);
}
}
}
else
{
SimpleLogger.Debug($"{nameof(GetType)}: Saddr is null or empty, dropping event");
}
if (connectionPayload != null)
{
retConnection = new ConnectionCreate(Priority, connectionPayload, auditEvent.TimeUTC);
}
return(retConnection);
}
