/// <summary> /// Updates all controls contents according to the currently selected blocked connection /// </summary> private void showConn() { var activeConn = (CurrentConn)lstConnections.SelectedItem; if (FirewallHelper.getProtocolAsString(activeConn.Protocol) == "Unknown") //FIXME: No string comparison, please! { OptionsView.IsProtocolChecked = false; } else { //On by default. Also: needed to be able to specify port! OptionsView.IsProtocolChecked = true; } OptionsView.IsTargetPortEnabled = FirewallHelper.IsIPProtocol(activeConn.Protocol); OptionsView.IsTargetPortChecked = FirewallHelper.IsIPProtocol(activeConn.Protocol); OptionsView.IsLocalPortChecked = (activeConn.LocalPortArray.Count == 1 && activeConn.LocalPortArray[0] != 0 && activeConn.LocalPortArray[0] < IPHelper.GetMaxUserPort()); if (!String.IsNullOrEmpty(activeConn.CurrentService)) { OptionsView.IsService = true; OptionsView.IsServiceMultiple = false; OptionsView.IsServiceRuleChecked = true; OptionsView.SingleServiceName = activeConn.CurrentServiceDesc; } else if (activeConn.PossibleServices != null && activeConn.PossibleServices.Length > 0) { OptionsView.IsService = true; if (activeConn.PossibleServices.Length > 1) { OptionsView.IsServiceMultiple = true; OptionsView.SingleServiceName = ""; } else { OptionsView.IsServiceMultiple = false; OptionsView.SingleServiceName = activeConn.PossibleServicesDesc.FirstOrDefault(); } OptionsView.IsServiceRuleChecked = false; //If we're unsure, let's choose the safe option. There are executables out there that run services but also open connections outside of those services. A false positive in such a case would create a rule that doesn't work. } else { OptionsView.IsService = false; OptionsView.IsServiceMultiple = false; OptionsView.IsServiceRuleChecked = false; OptionsView.SingleServiceName = ""; } OptionsView.IsAppEnabled = !String.IsNullOrEmpty(activeConn.CurrentAppPkgId); NotifyPropertyChanged("OptionsView"); }
private void initEventLog() { // small re-write because it got stuck going through all event logs when it found no matching event e.g. 5157 try { using (EventLog securityLog = new EventLog("security")) { // TODO: utilize EventLog#EnableRaisingEvents after initialization instead of timer //securityLog.EnableRaisingEvents = true; //securityLog.EntryWritten += (sender, args) => _logEntries.Add(createEventLogEntry(args.Entry)); int slCount = securityLog.Entries.Count - 1; int eventsStored = 0; bool isAppending = _logEntries.Any(); DateTime lastDateNew = lastDate; for (int i = slCount; i > 0 && eventsStored < MaxEventsToLoad; i--) { EventLogEntry entry = securityLog.Entries[i]; if (lastDate != DateTime.MinValue && entry.TimeWritten <= lastDate) { break; } // Note: instanceId == eventID if (FirewallHelper.isEventInstanceIdAccepted(entry.InstanceId)) { LogEntryViewModel lastEntry = _logEntries.Count > 0 ? _logEntries.Last() : null; try { int pid = int.Parse(getReplacementString(entry, 0)); bool canBeIgnored = lastEntry != null && lastEntry.Pid == pid && lastEntry.Timestamp.Second == entry.TimeGenerated.Second && lastEntry.Timestamp.Minute == entry.TimeGenerated.Minute && lastEntry.TargetIP == getReplacementString(entry, 5) && lastEntry.TargetPort == getReplacementString(entry, 6); if (!canBeIgnored) { string friendlyPath = getReplacementString(entry, 1) == "-" ? "System" : FileHelper.GetFriendlyPath(getReplacementString(entry, 1)); string fileName = System.IO.Path.GetFileName(friendlyPath); string direction = getReplacementString(entry, 2) == @"%%14593" ? "Out" : "In"; // try to get the servicename from pid (works only if service is running) string serviceName = services.ContainsKey(pid) ? services[pid].Name : "-"; var le = new LogEntryViewModel() { Pid = pid, Timestamp = entry.TimeGenerated, Icon = IconHelper.GetIcon(getReplacementString(entry, 1)), Path = getReplacementString(entry, 1) == "-" ? "System" : getReplacementString(entry, 1), FriendlyPath = friendlyPath, ServiceName = serviceName, FileName = fileName, TargetIP = getReplacementString(entry, 5), TargetPort = getReplacementString(entry, 6), Protocol = FirewallHelper.getProtocolAsString(int.Parse(getReplacementString(entry, 7))), Direction = direction, FilterId = getReplacementString(entry, 8), Reason = FirewallHelper.getEventInstanceIdAsString(entry.InstanceId), Reason_Info = entry.Message, }; le.ReasonColor = le.Reason.StartsWith("Block") ? Brushes.OrangeRed : Brushes.Blue; le.DirectionColor = le.Direction.StartsWith("In") ? Brushes.OrangeRed : Brushes.Black; _logEntries.Add(le); eventsStored++; } } catch (Exception ex) { LogHelper.Error("Cannot parse eventlog entry: eventID=" + entry.InstanceId.ToString(), ex); } } } ICollectionView dataView = CollectionViewSource.GetDefaultView(gridLog.ItemsSource); if (dataView.SortDescriptions.Count < 1) { dataView.SortDescriptions.Add(new SortDescription("Timestamp", ListSortDirection.Descending)); } // Trim the list while (_logEntries.Count > MaxEventsToLoad) { _logEntries.RemoveAt(0); } // Set the cut-off point for the next time this function gets called. lastDate = lastDateNew; } } catch (Exception e) { LogHelper.Error("Unable to load the event log", e); } }
private void initEventLog() { try { using (EventLog securityLog = new EventLog("security")) { int i = securityLog.Entries.Count - 1; int cpt = MaxEventsToLoad; bool isAppending = _logEntries.Any(); DateTime lastDateNew = DateTime.MinValue; int indexNew = 0; while (i >= 0) { EventLogEntry entry = securityLog.Entries[i]; i--; if (lastDate != DateTime.MinValue && entry.TimeWritten <= lastDate && (entry.Index == lastIndex || lastIndex == -1)) { break; } if (lastDateNew == DateTime.MinValue) { // Store where we start processing entries. lastDateNew = entry.TimeWritten; indexNew = entry.Index; } if (entry.InstanceId == 5157 && entry.EntryType == EventLogEntryType.FailureAudit) { cpt--; var le = new LogEntryViewModel() { Timestamp = entry.TimeGenerated, Icon = IconHelper.GetIcon(entry.ReplacementStrings[1]), FriendlyPath = FileHelper.GetFriendlyPath(entry.ReplacementStrings[1]), TargetIP = entry.ReplacementStrings[5], TargetPort = entry.ReplacementStrings[6], Protocol = FirewallHelper.getProtocolAsString(int.Parse(entry.ReplacementStrings[7])) }; if (isAppending) { _logEntries.Insert(MaxEventsToLoad - (cpt + 1), le); } else { _logEntries.Add(le); } if (cpt == 0) { // We've loaded the maximum number of entries. break; } } } // Trim the list while (_logEntries.Count > MaxEventsToLoad) { _logEntries.RemoveAt(_logEntries.Count - 1); } // Set the cut-off point for the next time this function gets called. lastDate = lastDateNew; lastIndex = indexNew; } } catch (Exception e) { LogHelper.Error("Unable to load the event log", e); } }