コード例 #1
0
        void Service_ClientIpAddressSoftLocked(object sender, EventArgs e)
        {
            ClientOperationInformation op = (ClientOperationInformation)sender;

            IntrusionLog.AddEntry(DateTime.Now, op.AgentId, op.IpAddress, IntrusionLog.STATUS_SOFT_LOCKED, false);
            SendInfoMail(sender, LockType.SoftLock);
        }
コード例 #2
0
        void Service_ClientIpAddressUnlocked(object sender, EventArgs e)
        {
            ClientOperationInformation op = (ClientOperationInformation)sender;

            if (op.HasError)
            {
                IntrusionLog.AddEntry(DateTime.Now, IntrusionLog.GetSystemId(), op.IpAddress, IntrusionLog.STATUS_UNLOCK_ERROR, false);
            }
            else
            {
                IntrusionLog.AddEntry(DateTime.Now, IntrusionLog.GetSystemId(), op.IpAddress, IntrusionLog.STATUS_UNLOCKED, false);
            }
            SendInfoMail(sender, LockType.None);
        }
コード例 #3
0
        void Service_AttackDetected(object sender, INotificationEventArgs notificationEventArgs)
        {
            try
            {
                if (notificationEventArgs == null)
                {
                    if (IddsConfig.Instance.IsDebug)
                    {
                        // the following error should just be thrown when running in debug mode.
                        throw new ApplicationException("Operation not supported. EventArgs must be passed as NotificationEventArgs");
                    }
                    else
                    {
                        // otherwise write to the log file
                        WindowsLogManager.Instance.WriteEntry("Plugin error: the lock delegate was called, but notificationEventArgs must not be null!",
                                                              EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
                        return;
                    }
                }
                SecurityAgent reportingAgent = SecurityAgents.Instance.FindByName((sender as IAgentPlugin).Configuration.AgentName);
                long          incidentId;
                if (IddsConfig.IsValidIpAddress(notificationEventArgs.IpAddress))
                {
                    Statistics.Instance.IncreaseFailedLoginStatistics(reportingAgent);
                    System.Net.IPAddress ipAddress;
                    if (System.Net.IPAddress.TryParse(notificationEventArgs.IpAddress, out ipAddress) && IddsConfig.Instance.IsIpAddressLocal(ipAddress))
                    {
                        incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
                                                           IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_LOCAL, false);
                    }
                    else if (IddsConfig.Instance.UseSafeNetworkList && IddsConfig.Instance.IsInSafeNetwork(notificationEventArgs.IpAddress))
                    {
                        incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
                                                           IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_SAFE, false);
                    }
                    else
                    {
                        incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
                                                           IntrusionLog.STATUS_INTRUSION_ATTEMPT, false);

                        try
                        {
                            if (!Locks.LockExists(notificationEventArgs.IpAddress))
                            {
                                LockType lockType = reportingAgent.GetCurrentLockType(notificationEventArgs.IpAddress);
                                switch (lockType)
                                {
                                case LockType.SoftLockRequested:
                                    //IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id,
                                    //    notificationEventArgs.IpAddress, IntrusionLog.STATUS_SOFT_LOCK_REQUESTED, false);
                                    LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddMinutes(IddsConfig.Instance.GetSoftLockMinutes(reportingAgent)), incidentId, Lock.LOCK_STATUS_SOFTLOCK, 0, notificationEventArgs.IpAddress), LockType.SoftLock, reportingAgent);
                                    break;

                                case LockType.SoftLock:
                                    // already locked, ignore
                                    break;

                                case LockType.HardLockRequested:
                                    //IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id,
                                    //    notificationEventArgs.IpAddress, IntrusionLog.STATUS_HARD_LOCK_REQUESTED, false);
                                    LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddHours(IddsConfig.Instance.GetHardLockHours(reportingAgent)), incidentId, Lock.LOCK_STATUS_HARDLOCK, 0, notificationEventArgs.IpAddress), LockType.HardLock, reportingAgent);
                                    break;
                                }
                            }
                        }
                        catch (Exception ex)
                        {
                            WindowsLogManager.Instance.WriteEntry(String.Format("Unrecoverable error: {0}",
                                                                                ex.Message), EventLogEntryType.FailureAudit, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
                                                                  Globals.CYBERARMS_LOG_CATEGORY_RUNTIME);
                            // OnClientIpAddressSoftLocked(new Lock( new Client(notificationEventArgs.IpAddress), ex);
                        }
                    }
                }
                else
                {
                    return;
                }
            }
            catch (Exception ex)
            {
                WindowsLogManager.Instance.WriteEntry(String.Format("AttackDetected delegate invocation of {0} caused a problem. \r\nDetails:\r\n{1}", (sender != null ? sender.GetType().Name : "unknown"), ex.Message),
                                                      EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
            }
        }