void Service_ClientIpAddressSoftLocked(object sender, EventArgs e) { ClientOperationInformation op = (ClientOperationInformation)sender; IntrusionLog.AddEntry(DateTime.Now, op.AgentId, op.IpAddress, IntrusionLog.STATUS_SOFT_LOCKED, false); SendInfoMail(sender, LockType.SoftLock); }
void Service_ClientIpAddressUnlocked(object sender, EventArgs e) { ClientOperationInformation op = (ClientOperationInformation)sender; if (op.HasError) { IntrusionLog.AddEntry(DateTime.Now, IntrusionLog.GetSystemId(), op.IpAddress, IntrusionLog.STATUS_UNLOCK_ERROR, false); } else { IntrusionLog.AddEntry(DateTime.Now, IntrusionLog.GetSystemId(), op.IpAddress, IntrusionLog.STATUS_UNLOCKED, false); } SendInfoMail(sender, LockType.None); }
public void ReadIntervalTest() { prepareIntrusionLog(); IDataReader rdr = IntrusionLog.ReadInterval(new TimeSpan(0, 24, 0, 0, 0)); if (rdr.FieldCount != 6) { Assert.Fail("Field count changed!"); } while (rdr.Read()) { System.Diagnostics.Debug.Print("Log Id {0} ({1}): {2}", rdr["Id"], rdr["IncidentTime"], rdr["ClientIP"]); } }
void OnClientIpAddressUnlocked(Lock lockItem, Exception ex) { if (ClientIpAddressUnlocked != null) { ClientOperationInformation op = new ClientOperationInformation(); op.IpAddress = lockItem.IpAddress; op.Exception = ex; op.AgentId = IntrusionLog.GetSystemId(); if (ex != null) { op.HasError = true; op.Message = "Error while unlocking " + lockItem.IpAddress + ":\r\n" + ex.Message; } else { op.Message = "Client with IP address " + lockItem.IpAddress + " was unlocked"; } ClientIpAddressUnlocked(op, EventArgs.Empty); } }
static void Main(string[] args) { string path = System.Reflection.Assembly.GetExecutingAssembly().Location; path = path.Substring(0, path.LastIndexOf('\\') + 1); // Console.WriteLine("Directory: {0}", path); if (args.Length == 0 || args[0].ToLower() == "help") { ShowUsage(); return; } try { Database.Instance.Configure(path); IddsConfig.Instance.ApplicationPath = path; switch (args[0].ToLower()) { case "islicensed": Console.WriteLine(@"Cyberarms IDDS does not require licensing anymore. Please visit https://cyberarms.net for support options!"); break; case "manualreport": if (args.Length < 2) { Console.WriteLine("Please enter output filename as parameter."); return; } string report = ReportGenerator.Instance.GetReport(String.Format("Manual report, {0:MM/dd/yyyy}", DateTime.Now), String.Format("Manually created report for system {0}.{1}", System.Net.Dns.GetHostName(), System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName), "" , DateTime.Now.AddMonths(-1), DateTime.Now); try { StreamWriter sw = System.IO.File.CreateText(args[1]); sw.Write(report); sw.Close(); } catch (Exception ex) { Console.WriteLine(ex.Message); } break; case "exportcsv": if (args.Length < 2) { Console.WriteLine("Please enter output filename as parameter."); return; } int lastSquenceNumber = 0; if (args.Length > 2) { if (!int.TryParse(args[2], out lastSquenceNumber)) { Console.WriteLine("Please enter last sequence number as parameter."); } } try { StreamWriter swexport = System.IO.File.CreateText(args[1]); System.Data.IDataReader rdr = IntrusionLog.ReadDifferential(lastSquenceNumber); swexport.WriteLine("Sequence Number;Date and Time;Security Agent;IP Address;Status"); while (rdr.Read()) { swexport.WriteLine("{0};{1};{2};{3};{4}", rdr[0].ToString(), rdr[1].ToString(), SecurityAgents.Instance.GetDisplayName(rdr[2].ToString()), rdr[3].ToString(), IntrusionLog.GetStatusName(int.Parse(rdr[4].ToString()))); } swexport.Flush(); swexport.Close(); rdr.Close(); } catch (Exception ex) { Console.WriteLine(ex.Message); } break; default: ShowUsage(); break; } } catch (Exception ex) { Console.WriteLine(ex); } }
void logReader_Tick(object sender, EventArgs e) { DateTime metering = DateTime.Now; if (!IsUpdating && Database.Instance.IsConfigured) { IsUpdating = true; if (CurrentMenu == labelMenuSecurityLog && IntrusionLog.HasUpdates(LastLogId)) { IDataReader rdr = IntrusionLog.ReadDifferential(LastLogId); int maxLogId = LastLogId; while (rdr.Read()) { int action = int.Parse(rdr["Action"].ToString()); string agentId = Shared.Db.DbValueConverter.ToString(rdr["AgentId"]); PanelSecurityLog.AddLogEntry(int.Parse(rdr["id"].ToString()), action, agentId, IntrusionLog.GetStatusIcon(action), IntrusionLog.GetStatusClass(action), DateTime.Parse(rdr["IncidentTime"].ToString()), rdr["ClientIP"].ToString(), GetLogMessage(agentId, action)); if (Convert.ToInt32(rdr["Id"]) > maxLogId) { maxLogId = Convert.ToInt32(rdr["Id"]); } } rdr.Close(); rdr.Dispose(); if (maxLogId > LastLogId) { LastLogId = maxLogId; } } if (CurrentMenu == labelMenuCurrentLocks && Locks.HasUpdates(LastLockUpdate)) { LastLockUpdate = DateTime.Now; PanelCurrentLocks.Clear(); IDataReader locksReader = Locks.ReadLocks(); while (locksReader.Read()) { DateTime lockDate; DateTime unlockDate; DateTime.TryParse(locksReader["LockDate"].ToString(), out lockDate); DateTime.TryParse(locksReader["UnlockDate"].ToString(), out unlockDate); PanelCurrentLocks.Add(int.Parse(locksReader["LockId"].ToString()), global::Cyberarms.IntrusionDetection.Admin.Properties.Resources.logIcon_softLock, LockStatusAdapter.GetLockStatusName(int.Parse(locksReader["Status"].ToString())), locksReader["ClientIp"].ToString(), locksReader["DisplayName"].ToString(), lockDate, unlockDate, IntrusionDetection.Shared.Db.DbValueConverter.ToInt(locksReader["Status"])); } locksReader.Close(); locksReader.Dispose(); } if (CurrentMenu == labelMenuHome) { Dashboard.SetUnsuccessfulLogins(Locks.ReadUnsuccessfulLoginAttempts(DateTime.Now.AddDays(-30))); foreach (SecurityAgent agent in SecurityAgents.Instance) { agent.UpdateStatistics(); } } if (CurrentMenu == labelMenuHome || CurrentMenu == labelMenuCurrentLocks) { int softLocks = Locks.ReadCurrentSoftLocks(); int hardLocks = Locks.ReadCurrentHardLocks(); PanelCurrentLocks.SetSoftLocks(softLocks); PanelCurrentLocks.SetHardLocks(hardLocks); Dashboard.SetHardLocks(hardLocks); Dashboard.SetSoftLocks(softLocks); } if (!IsInitialized || (CurrentMenu == labelMenuHome || CurrentMenu == labelMenuSecurityLog)) { // ?? } } IsInitialized = true; IsUpdating = false; System.Diagnostics.Debug.Print(DateTime.Now.Subtract(metering).TotalMilliseconds.ToString()); }
void Service_AttackDetected(object sender, INotificationEventArgs notificationEventArgs) { try { if (notificationEventArgs == null) { if (IddsConfig.Instance.IsDebug) { // the following error should just be thrown when running in debug mode. throw new ApplicationException("Operation not supported. EventArgs must be passed as NotificationEventArgs"); } else { // otherwise write to the log file WindowsLogManager.Instance.WriteEntry("Plugin error: the lock delegate was called, but notificationEventArgs must not be null!", EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN); return; } } SecurityAgent reportingAgent = SecurityAgents.Instance.FindByName((sender as IAgentPlugin).Configuration.AgentName); long incidentId; if (IddsConfig.IsValidIpAddress(notificationEventArgs.IpAddress)) { Statistics.Instance.IncreaseFailedLoginStatistics(reportingAgent); System.Net.IPAddress ipAddress; if (System.Net.IPAddress.TryParse(notificationEventArgs.IpAddress, out ipAddress) && IddsConfig.Instance.IsIpAddressLocal(ipAddress)) { incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress, IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_LOCAL, false); } else if (IddsConfig.Instance.UseSafeNetworkList && IddsConfig.Instance.IsInSafeNetwork(notificationEventArgs.IpAddress)) { incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress, IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_SAFE, false); } else { incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress, IntrusionLog.STATUS_INTRUSION_ATTEMPT, false); try { if (!Locks.LockExists(notificationEventArgs.IpAddress)) { LockType lockType = reportingAgent.GetCurrentLockType(notificationEventArgs.IpAddress); switch (lockType) { case LockType.SoftLockRequested: //IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, // notificationEventArgs.IpAddress, IntrusionLog.STATUS_SOFT_LOCK_REQUESTED, false); LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddMinutes(IddsConfig.Instance.GetSoftLockMinutes(reportingAgent)), incidentId, Lock.LOCK_STATUS_SOFTLOCK, 0, notificationEventArgs.IpAddress), LockType.SoftLock, reportingAgent); break; case LockType.SoftLock: // already locked, ignore break; case LockType.HardLockRequested: //IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, // notificationEventArgs.IpAddress, IntrusionLog.STATUS_HARD_LOCK_REQUESTED, false); LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddHours(IddsConfig.Instance.GetHardLockHours(reportingAgent)), incidentId, Lock.LOCK_STATUS_HARDLOCK, 0, notificationEventArgs.IpAddress), LockType.HardLock, reportingAgent); break; } } } catch (Exception ex) { WindowsLogManager.Instance.WriteEntry(String.Format("Unrecoverable error: {0}", ex.Message), EventLogEntryType.FailureAudit, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_RUNTIME); // OnClientIpAddressSoftLocked(new Lock( new Client(notificationEventArgs.IpAddress), ex); } } } else { return; } } catch (Exception ex) { WindowsLogManager.Instance.WriteEntry(String.Format("AttackDetected delegate invocation of {0} caused a problem. \r\nDetails:\r\n{1}", (sender != null ? sender.GetType().Name : "unknown"), ex.Message), EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN); } }