コード例 #1
0
        protected FirewallEvent ReadFirewallEvent(EventRecord record)
        {
            try
            {
                var PropertyValues = ((EventLogRecord)record).GetPropertyValues(eventPropertySelector);

                FirewallEvent args = new FirewallEvent();

                args.ProcessId = (int)(UInt64)PropertyValues[(int)EventProperties.ProcessID];
                string fileName = PropertyValues[(int)EventProperties.ProcessFileName].ToString();
                args.ProcessFileName = fileName.Equals("System", StringComparison.OrdinalIgnoreCase) ? "System" : NtUtilities.parsePath(fileName);

                args.Action = FirewallRule.Actions.Undefined;

                switch ((UInt16)PropertyValues[(int)EventProperties.EventID])
                {
                case (UInt16)EventIDs.Blocked: args.Action = FirewallRule.Actions.Block; break;

                case (UInt16)EventIDs.Allowed: args.Action = FirewallRule.Actions.Allow; break;

                default: return(null);
                }

                args.Protocol  = (UInt32)PropertyValues[(int)EventProperties.Protocol];
                args.Direction = FirewallRule.Directions.Unknown;
                if (PropertyValues[(int)EventProperties.Direction].ToString() == "%%14592")
                {
                    args.Direction     = FirewallRule.Directions.Inbound;
                    args.LocalAddress  = IPAddress.Parse(PropertyValues[(int)EventProperties.DestAddress].ToString());
                    args.LocalPort     = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.DestPort].ToString());
                    args.RemoteAddress = IPAddress.Parse(PropertyValues[(int)EventProperties.SourceAddress].ToString());
                    args.RemotePort    = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.SourcePort].ToString());
                }
                else if (PropertyValues[(int)EventProperties.Direction].ToString() == "%%14593")
                {
                    args.Direction     = FirewallRule.Directions.Outbound;
                    args.LocalAddress  = IPAddress.Parse(PropertyValues[(int)EventProperties.SourceAddress].ToString());
                    args.LocalPort     = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.SourcePort].ToString());
                    args.RemoteAddress = IPAddress.Parse(PropertyValues[(int)EventProperties.DestAddress].ToString());
                    args.RemotePort    = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.DestPort].ToString());
                }
                else
                {
                    return(null); // todo log error
                }
                args.TimeStamp = record.TimeCreated != null ? (DateTime)record.TimeCreated : DateTime.Now;

                // for debug only
                //if(!FirewallRule.MatchAddress(args.RemoteAddress, "LocalSubnet") && !NetFunc.IsMultiCast(args.RemoteAddress))
                //    AppLog.Debug("Firewall Event: {0}({1}) -> {2}", args.ProcessFileName, args.ProcessId, args.RemoteAddress);

                return(args);
            }
            catch (Exception err)
            {
                AppLog.Exception(err);
            }
            return(null);
        }
コード例 #2
0
        private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
        {
            if (arg.EventRecord == null)
            {
                return;
            }

            FirewallEvent args = ReadFirewallEvent(arg.EventRecord);

            if (args != null)
            {
                FirewallEvent?.Invoke(this, args);
            }
        }
コード例 #3
0
        public List <FirewallEvent> LoadLog() // Note: this call takes some time to complete
        {
            List <FirewallEvent> Events = new List <FirewallEvent>();

            EventLogReader logReader = new EventLogReader(new EventLogQuery("Security", PathType.LogName, GetQuery()));

            for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
            {
                FirewallEvent args = ReadFirewallEvent(eventdetail);
                if (args != null)
                {
                    Events.Add(args);
                }
            }

            return(Events);
        }