/// <summary>
/// Updates all controls contents according to the currently selected blocked connection
/// </summary>
private void showConn()
{
var activeConn = (CurrentConn)lstConnections.SelectedItem;
if (FirewallHelper.getProtocolAsString(activeConn.Protocol) == "Unknown") //FIXME: No string comparison, please!
{
OptionsView.IsProtocolChecked = false;
}
else
{
//On by default. Also: needed to be able to specify port!
OptionsView.IsProtocolChecked = true;
}
OptionsView.IsTargetPortEnabled = FirewallHelper.IsIPProtocol(activeConn.Protocol);
OptionsView.IsTargetPortChecked = FirewallHelper.IsIPProtocol(activeConn.Protocol);
OptionsView.IsLocalPortChecked = (activeConn.LocalPortArray.Count == 1 && activeConn.LocalPortArray[0] != 0 && activeConn.LocalPortArray[0] < IPHelper.GetMaxUserPort());
if (!String.IsNullOrEmpty(activeConn.CurrentService))
{
OptionsView.IsService = true;
OptionsView.IsServiceMultiple = false;
OptionsView.IsServiceRuleChecked = true;
OptionsView.SingleServiceName = activeConn.CurrentServiceDesc;
}
else if (activeConn.PossibleServices != null && activeConn.PossibleServices.Length > 0)
{
OptionsView.IsService = true;
if (activeConn.PossibleServices.Length > 1)
{
OptionsView.IsServiceMultiple = true;
OptionsView.SingleServiceName = "";
}
else
{
OptionsView.IsServiceMultiple = false;
OptionsView.SingleServiceName = activeConn.PossibleServicesDesc.FirstOrDefault();
}
OptionsView.IsServiceRuleChecked = false; //If we're unsure, let's choose the safe option. There are executables out there that run services but also open connections outside of those services. A false positive in such a case would create a rule that doesn't work.
}
else
{
OptionsView.IsService = false;
OptionsView.IsServiceMultiple = false;
OptionsView.IsServiceRuleChecked = false;
OptionsView.SingleServiceName = "";
}
OptionsView.IsAppEnabled = !String.IsNullOrEmpty(activeConn.CurrentAppPkgId);
NotifyPropertyChanged("OptionsView");
}
private void initEventLog()
{
// small re-write because it got stuck going through all event logs when it found no matching event e.g. 5157
try
{
using (EventLog securityLog = new EventLog("security"))
{
// TODO: utilize EventLog#EnableRaisingEvents after initialization instead of timer
//securityLog.EnableRaisingEvents = true;
//securityLog.EntryWritten += (sender, args) => _logEntries.Add(createEventLogEntry(args.Entry));
int slCount = securityLog.Entries.Count - 1;
int eventsStored = 0;
bool isAppending = _logEntries.Any();
DateTime lastDateNew = lastDate;
for (int i = slCount; i > 0 && eventsStored < MaxEventsToLoad; i--)
{
EventLogEntry entry = securityLog.Entries[i];
if (lastDate != DateTime.MinValue && entry.TimeWritten <= lastDate)
{
break;
}
// Note: instanceId == eventID
if (FirewallHelper.isEventInstanceIdAccepted(entry.InstanceId))
{
LogEntryViewModel lastEntry = _logEntries.Count > 0 ? _logEntries.Last() : null;
try
{
int pid = int.Parse(getReplacementString(entry, 0));
bool canBeIgnored = lastEntry != null &&
lastEntry.Pid == pid &&
lastEntry.Timestamp.Second == entry.TimeGenerated.Second &&
lastEntry.Timestamp.Minute == entry.TimeGenerated.Minute &&
lastEntry.TargetIP == getReplacementString(entry, 5) &&
lastEntry.TargetPort == getReplacementString(entry, 6);
if (!canBeIgnored)
{
string friendlyPath = getReplacementString(entry, 1) == "-" ? "System" : FileHelper.GetFriendlyPath(getReplacementString(entry, 1));
string fileName = System.IO.Path.GetFileName(friendlyPath);
string direction = getReplacementString(entry, 2) == @"%%14593" ? "Out" : "In";
// try to get the servicename from pid (works only if service is running)
string serviceName = services.ContainsKey(pid) ? services[pid].Name : "-";
var le = new LogEntryViewModel()
{
Pid = pid,
Timestamp = entry.TimeGenerated,
Icon = IconHelper.GetIcon(getReplacementString(entry, 1)),
Path = getReplacementString(entry, 1) == "-" ? "System" : getReplacementString(entry, 1),
FriendlyPath = friendlyPath,
ServiceName = serviceName,
FileName = fileName,
TargetIP = getReplacementString(entry, 5),
TargetPort = getReplacementString(entry, 6),
Protocol = FirewallHelper.getProtocolAsString(int.Parse(getReplacementString(entry, 7))),
Direction = direction,
FilterId = getReplacementString(entry, 8),
Reason = FirewallHelper.getEventInstanceIdAsString(entry.InstanceId),
Reason_Info = entry.Message,
};
le.ReasonColor = le.Reason.StartsWith("Block") ? Brushes.OrangeRed : Brushes.Blue;
le.DirectionColor = le.Direction.StartsWith("In") ? Brushes.OrangeRed : Brushes.Black;
_logEntries.Add(le);
eventsStored++;
}
}
catch (Exception ex)
{
LogHelper.Error("Cannot parse eventlog entry: eventID=" + entry.InstanceId.ToString(), ex);
}
}
}
ICollectionView dataView = CollectionViewSource.GetDefaultView(gridLog.ItemsSource);
if (dataView.SortDescriptions.Count < 1)
{
dataView.SortDescriptions.Add(new SortDescription("Timestamp", ListSortDirection.Descending));
}
// Trim the list
while (_logEntries.Count > MaxEventsToLoad)
{
_logEntries.RemoveAt(0);
}
// Set the cut-off point for the next time this function gets called.
lastDate = lastDateNew;
}
}
catch (Exception e)
{
LogHelper.Error("Unable to load the event log", e);
}
}
private void initEventLog()
{
try
{
using (EventLog securityLog = new EventLog("security"))
{
int i = securityLog.Entries.Count - 1;
int cpt = MaxEventsToLoad;
bool isAppending = _logEntries.Any();
DateTime lastDateNew = DateTime.MinValue;
int indexNew = 0;
while (i >= 0)
{
EventLogEntry entry = securityLog.Entries[i];
i--;
if (lastDate != DateTime.MinValue && entry.TimeWritten <= lastDate && (entry.Index == lastIndex || lastIndex == -1))
{
break;
}
if (lastDateNew == DateTime.MinValue)
{
// Store where we start processing entries.
lastDateNew = entry.TimeWritten;
indexNew = entry.Index;
}
if (entry.InstanceId == 5157 && entry.EntryType == EventLogEntryType.FailureAudit)
{
cpt--;
var le = new LogEntryViewModel()
{
Timestamp = entry.TimeGenerated,
Icon = IconHelper.GetIcon(entry.ReplacementStrings[1]),
FriendlyPath = FileHelper.GetFriendlyPath(entry.ReplacementStrings[1]),
TargetIP = entry.ReplacementStrings[5],
TargetPort = entry.ReplacementStrings[6],
Protocol = FirewallHelper.getProtocolAsString(int.Parse(entry.ReplacementStrings[7]))
};
if (isAppending)
{
_logEntries.Insert(MaxEventsToLoad - (cpt + 1), le);
}
else
{
_logEntries.Add(le);
}
if (cpt == 0)
{
// We've loaded the maximum number of entries.
break;
}
}
}
// Trim the list
while (_logEntries.Count > MaxEventsToLoad)
{
_logEntries.RemoveAt(_logEntries.Count - 1);
}
// Set the cut-off point for the next time this function gets called.
lastDate = lastDateNew;
lastIndex = indexNew;
}
}
catch (Exception e)
{
LogHelper.Error("Unable to load the event log", e);
}
}
