コード例 #1
ファイル: AgentProxy.cs プロジェクト: vishalishere/Cyberarms
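 /// <summary>
 /// Relays an agent's AttackDetected notification to this object's own
 /// AttackDetected subscribers, passing sender and data through unchanged.
 /// </summary>
 /// <param name="sender">Object that raised the notification; forwarded as-is.</param>
 /// <param name="data">Notification arguments; forwarded as-is.</param>
 void agent_AttackDetected(object sender, INotificationEventArgs data)
 {
     // Read the delegate once. Checking the member and then invoking it again
     // leaves a window in which the last subscriber can detach, and the
     // resulting NullReferenceException would drop the attack notification.
     var subscribers = this.AttackDetected;
     if (subscribers != null)
     {
         subscribers(sender, data);
     }
 }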
コード例 #2
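 /// <summary>
 /// Raises AttackDetected for the registered listeners. An exception thrown by a
 /// listener is written to the Windows event log and is not rethrown.
 /// </summary>
 /// <param name="sender">Not forwarded: listeners always receive this agent as the sender.</param>
 /// <param name="data">Notification arguments</param>
 protected void OnAttackDetected(object sender, INotificationEventArgs data)
 {
     // Snapshot the delegate so a listener detaching between the null check
     // and the call cannot cause a NullReferenceException.
     var listeners = AttackDetected;
     if (listeners == null)
     {
         return;
     }

     try
     {
         listeners(this, data);
     }
     catch (Exception ex)
     {
         // Deliberately best effort: a faulty listener must not take the agent down.
         // The entry is written as Error and carries the exception type, because a
         // listener that failed to act on a detected attack should stand out in the log.
         // NOTE(review): a multicast invocation stops at the first listener that throws,
         // so listeners registered after it do not receive this notification.
         // NOTE(review): WriteEntry can itself throw if the event source is not
         // registered; confirm the source is created at install time.
         System.Diagnostics.EventLog.WriteEntry(
             "Cyberarms.IntrusionDetection.Api.Plugin.AgentPlugin",
             ex.GetType().FullName + ": " + ex.Message,
             System.Diagnostics.EventLogEntryType.Error);
     }
 }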
コード例 #3
ファイル: Program.cs プロジェクト: vishalishere/Cyberarms
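        /// <summary>
        /// Console handler for a watcher's AttackDetected notification: prints the
        /// event message followed by the reported IP address.
        /// </summary>
        /// <param name="sender">Object that raised the notification; not used.</param>
        /// <param name="data">Notification arguments supplying EventMessage and IpAddress.</param>
        static void watcher_AttackDetected(object sender, INotificationEventArgs data)
        {
            // The former cast of sender to SqlFailedLoginWatcher was never read; its only
            // effect was an InvalidCastException for any other sender, so it is removed.
            // NOTE(review): both fields are printed exactly as received; presumably they
            // originate from failed-login records, so treat the output as untrusted text.
            Console.WriteLine("{0}: {1}", data.EventMessage, data.IpAddress);
        }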
コード例 #4
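        /// <summary>
        /// Handles an AttackDetected notification from an agent plugin: records the attempt in
        /// the intrusion log and, for addresses that are neither local nor in the safe network
        /// list, applies the soft or hard lock that the reporting agent currently requests.
        /// </summary>
        /// <param name="sender">The plugin that raised the event; must implement IAgentPlugin.</param>
        /// <param name="notificationEventArgs">Details of the detected attempt (IP address, creation date).</param>
        /// <remarks>
        /// Exceptions raised while handling the event are caught and written to the Windows log.
        /// </remarks>
        void Service_AttackDetected(object sender, INotificationEventArgs notificationEventArgs)
        {
            try
            {
                if (notificationEventArgs == null)
                {
                    if (IddsConfig.Instance.IsDebug)
                    {
                        // Debug mode only. The outer catch of this method still handles the
                        // exception, so it is logged rather than propagated to the caller.
                        throw new ApplicationException("Operation not supported. EventArgs must be passed as NotificationEventArgs");
                    }

                    // otherwise write to the log file
                    WindowsLogManager.Instance.WriteEntry("Plugin error: the lock delegate was called, but notificationEventArgs must not be null!",
                                                          EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
                    return;
                }

                // A sender that is not an IAgentPlugin used to surface as a bare
                // NullReferenceException message from the outer catch. Reject it explicitly
                // so the log names the actual cause of the discarded notification.
                IAgentPlugin reportingPlugin = sender as IAgentPlugin;
                if (reportingPlugin == null)
                {
                    WindowsLogManager.Instance.WriteEntry(String.Format("Plugin error: AttackDetected was raised by {0}, which is not an IAgentPlugin; the notification was ignored.",
                                                                        (sender != null ? sender.GetType().Name : "unknown")),
                                                          EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
                    return;
                }

                // NOTE(review): FindByName is not visible here. If it can return null for an
                // unregistered agent name, reportingAgent.Id below throws and the attempt is
                // only reported through the outer catch - confirm.
                SecurityAgent reportingAgent = SecurityAgents.Instance.FindByName(reportingPlugin.Configuration.AgentName);

                // Read the address once so the value that is validated is the value that is
                // logged and locked.
                string reportedIp = notificationEventArgs.IpAddress;

                // NOTE(review): notifications with an invalid address are dropped without a
                // log entry. If one is added, do not write the raw value to the log unescaped.
                if (!IddsConfig.IsValidIpAddress(reportedIp))
                {
                    return;
                }

                Statistics.Instance.IncreaseFailedLoginStatistics(reportingAgent);

                long incidentId;
                System.Net.IPAddress parsedAddress;
                if (System.Net.IPAddress.TryParse(reportedIp, out parsedAddress) && IddsConfig.Instance.IsIpAddressLocal(parsedAddress))
                {
                    // Local addresses are recorded but never locked.
                    incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, reportedIp,
                                                       IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_LOCAL, false);
                }
                else if (IddsConfig.Instance.UseSafeNetworkList && IddsConfig.Instance.IsInSafeNetwork(reportedIp))
                {
                    // Addresses in the configured safe networks are recorded but never locked.
                    incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, reportedIp,
                                                       IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_SAFE, false);
                }
                else
                {
                    incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, reportedIp,
                                                       IntrusionLog.STATUS_INTRUSION_ATTEMPT, false);

                    try
                    {
                        // NOTE(review): LockExists followed by CreateLock is not atomic. If this
                        // handler can run concurrently for one address, two locks could be
                        // created - confirm against the Locks implementation.
                        if (!Locks.LockExists(reportedIp))
                        {
                            LockType lockType = reportingAgent.GetCurrentLockType(reportedIp);

                            // One timestamp for both ends of the lock, so its length is exactly
                            // the configured duration.
                            // NOTE(review): this is local time; a clock or DST change shifts
                            // the expiry. Confirm how lock dates are stored before changing it.
                            DateTime lockStart = DateTime.Now;

                            switch (lockType)
                            {
                            case LockType.SoftLockRequested:
                                var softLock = Locks.CreateLock(lockStart, lockStart.AddMinutes(IddsConfig.Instance.GetSoftLockMinutes(reportingAgent)),
                                                                incidentId, Lock.LOCK_STATUS_SOFTLOCK, 0, reportedIp);
                                LockDownIp(softLock, LockType.SoftLock, reportingAgent);
                                break;

                            case LockType.SoftLock:
                                // already locked, ignore
                                break;

                            case LockType.HardLockRequested:
                                var hardLock = Locks.CreateLock(lockStart, lockStart.AddHours(IddsConfig.Instance.GetHardLockHours(reportingAgent)),
                                                                incidentId, Lock.LOCK_STATUS_HARDLOCK, 0, reportedIp);
                                LockDownIp(hardLock, LockType.HardLock, reportingAgent);
                                break;
                            }
                        }
                    }
                    catch (Exception ex)
                    {
                        // The intrusion log entry above has already been written; only the lock
                        // failed. The address stays unblocked, so this entry deserves an alert.
                        WindowsLogManager.Instance.WriteEntry(String.Format("Unrecoverable error: {0}",
                                                                            ex.Message), EventLogEntryType.FailureAudit, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
                                                              Globals.CYBERARMS_LOG_CATEGORY_RUNTIME);
                    }
                }
            }
            catch (Exception ex)
            {
                // Last line of defence: a failing handler must not propagate into the agent
                // that raised the event.
                WindowsLogManager.Instance.WriteEntry(String.Format("AttackDetected delegate invocation of {0} caused a problem. \r\nDetails:\r\n{1}", (sender != null ? sender.GetType().Name : "unknown"), ex.Message),
                                                      EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
            }
        }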