protected FirewallEvent ReadFirewallEvent(EventRecord record)
{
    // Converts one Security-log record into a FirewallEvent.
    //
    // Returns null when the record is not a Blocked/Allowed event, when its
    // direction code is not one of the two recognised values, or when any
    // field cannot be read or parsed (the exception is logged first).
    //
    // The field layout (process id, image path, protocol, direction,
    // source/destination address and port) is selected by eventPropertySelector,
    // which is declared elsewhere in this class.
    //
    // Security note: the process image path is whatever the audited process was
    // started from; it is normalised by NtUtilities.parsePath but is not
    // otherwise validated, so callers should not treat it as a verified path.
    try
    {
        var values = ((EventLogRecord)record).GetPropertyValues(eventPropertySelector);

        var result = new FirewallEvent();
        result.ProcessId = (int)(UInt64)values[(int)EventProperties.ProcessID];

        // The kernel reports "System" as a bare name rather than a device path.
        string imagePath = values[(int)EventProperties.ProcessFileName].ToString();
        result.ProcessFileName = imagePath.Equals("System", StringComparison.OrdinalIgnoreCase)
            ? "System"
            : NtUtilities.parsePath(imagePath);

        // Only the Blocked / Allowed audit events are of interest; anything else is dropped.
        result.Action = FirewallRule.Actions.Undefined;
        var eventId = (UInt16)values[(int)EventProperties.EventID];
        if (eventId == (UInt16)EventIDs.Blocked)
        {
            result.Action = FirewallRule.Actions.Block;
        }
        else if (eventId == (UInt16)EventIDs.Allowed)
        {
            result.Action = FirewallRule.Actions.Allow;
        }
        else
        {
            return null;
        }

        result.Protocol = (UInt32)values[(int)EventProperties.Protocol];

        // The direction field is a message-table reference; these two codes are
        // presumably Windows' "Inbound" and "Outbound" strings — confirm against
        // the event provider's message table if new codes show up.
        result.Direction = FirewallRule.Directions.Unknown;
        string directionCode = values[(int)EventProperties.Direction].ToString();
        bool inbound;
        if (directionCode == "%%14592")
        {
            inbound = true;
        }
        else if (directionCode == "%%14593")
        {
            inbound = false;
        }
        else
        {
            return null; // todo log error: unrecognised direction code
        }

        // For inbound traffic the local endpoint is the destination; for
        // outbound it is the source. Fields are read in the same order either way.
        EventProperties localAddr  = inbound ? EventProperties.DestAddress   : EventProperties.SourceAddress;
        EventProperties localPort  = inbound ? EventProperties.DestPort      : EventProperties.SourcePort;
        EventProperties remoteAddr = inbound ? EventProperties.SourceAddress : EventProperties.DestAddress;
        EventProperties remotePort = inbound ? EventProperties.SourcePort    : EventProperties.DestPort;

        result.Direction = inbound ? FirewallRule.Directions.Inbound : FirewallRule.Directions.Outbound;
        result.LocalAddress = IPAddress.Parse(values[(int)localAddr].ToString());
        result.LocalPort = (UInt16)MiscFunc.parseInt(values[(int)localPort].ToString());
        result.RemoteAddress = IPAddress.Parse(values[(int)remoteAddr].ToString());
        result.RemotePort = (UInt16)MiscFunc.parseInt(values[(int)remotePort].ToString());

        // Fall back to the current time only if the record carries no timestamp.
        result.TimeStamp = record.TimeCreated ?? DateTime.Now;

        return result;
    }
    catch (Exception err)
    {
        AppLog.Exception(err);
        return null;
    }
}
private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
{
    // Callback for newly written Security-log records: converts the record and
    // raises the FirewallEvent event when it describes a blocked/allowed
    // connection. Presumably wired to an EventLogWatcher elsewhere in this
    // class, so handlers should not assume they run on a UI thread — confirm.
    EventRecord record = arg.EventRecord;
    if (record == null)
    {
        return;
    }

    FirewallEvent parsed = ReadFirewallEvent(record);
    if (parsed == null)
    {
        return; // not a connection event, or it failed to parse (already logged)
    }

    FirewallEvent?.Invoke(this, parsed);
}
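public List<FirewallEvent> LoadLog()
{
    // Reads every Security-log record matching GetQuery() and converts each one
    // with ReadFirewallEvent, skipping records that do not yield an event.
    //
    // Note: this call takes some time to complete on a large log.
    //
    // Reading the Security log requires the caller's token to have read access
    // to it (on Windows this is typically Event Log Readers membership or an
    // equivalent privilege); EventLogReader throws otherwise and the exception
    // is left to propagate to the caller, as before.
    //
    // Fix: EventLogReader and each EventRecord wrap native handles and are
    // IDisposable; the previous version never released them, leaking one
    // handle per record read.
    var events = new List<FirewallEvent>();

    using (var logReader = new EventLogReader(new EventLogQuery("Security", PathType.LogName, GetQuery())))
    {
        EventRecord record;
        while ((record = logReader.ReadEvent()) != null)
        {
            // Release the record's handle as soon as it has been converted.
            using (record)
            {
                FirewallEvent parsed = ReadFirewallEvent(record);
                if (parsed != null)
                {
                    events.Add(parsed);
                }
            }
        }
    }

    return events;
}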