public void ConnectionCreate()
        {
            // Constructed sample values for an inbound TCP connection; the IPv6 local
            // address is the IPv4-mapped form (::ffff:...). Nothing here is a real host.
            ConnectionsPayload samplePayload = new ConnectionsPayload
            {
                RemotePort = "23",
                RemoteAddress = "192.168.0.1",
                ProcessId = 2,
                LocalPort = "8080",
                UserId = "111",
                CommandLine = "c:\\dir\\app.exe",
                Direction = ConnectionsPayload.ConnectionDirection.In,
                Executable = "app.exe",
                LocalAddress = "::ffff:c000:0280",
                Protocol = "tcp"
            };

            DateTime eventTime = DateTime.UtcNow;
            var createdEvent = new ConnectionCreate(EventPriority.Low, samplePayload, eventTime);

            // The schema check is the whole assertion of this test.
            // NOTE(review): assumes ValidateSchema throws on a violation, so a clean
            // return is the pass condition — confirm against its implementation.
            createdEvent.ValidateSchema();
        }
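        /// <summary>
        /// Builds a <see cref="ConnectionCreate"/> event from a single audit log record.
        /// Records with no socket address, and records whose address family is flagged
        /// as ignorable, are dropped and yield null. INET families produce a parsed
        /// connection payload; any other non-ignored family is forwarded with its raw
        /// data (hex string) so it can be investigated later.
        /// </summary>
        /// <param name="auditEvent">The parsed audit record to convert.</param>
        /// <returns>
        /// A <see cref="ConnectionCreate"/> carrying the connection payload, or null when
        /// the record is dropped or no payload could be built.
        /// </returns>
        private IEvent CreateEventFromAuditRecord(AuditEvent auditEvent)
        {
            // The socket address is optional on the record (throwIfNotExist: false);
            // its absence is treated as "nothing to report", not as an error.
            string saddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress, throwIfNotExist: false);

            if (string.IsNullOrEmpty(saddr))
            {
                // Fix: nameof(GetType) evaluates to the literal text "GetType", so the log
                // prefix never named the emitting class. Use the runtime type name instead.
                SimpleLogger.Debug($"{GetType().Name}: Saddr is null or empty, dropping event");
                return null;
            }

            // The address family is encoded inside the saddr value itself.
            // NOTE(review): no handling exists (here or originally) for a malformed saddr —
            // confirm whether ExtractFamilyFromSaddr can throw on bad input.
            LinuxAddressFamily family = ConnectionSaddr.ExtractFamilyFromSaddr(saddr);

            // Ignored families are dropped without any log line (as in the original).
            if (family.IsToIgnore())
            {
                return null;
            }

            ConnectionsPayload connectionPayload = ConnectionSaddr.IsInetFamliy(family)
                ? CreateInetConnPayloadFromAuditEvent(auditEvent)
                : CreateNonInetConnPayloadFromAuditEvent(family, auditEvent);

            // Either payload builder may hand back null; no event is produced in that case.
            if (connectionPayload == null)
            {
                return null;
            }

            return new ConnectionCreate(Priority, connectionPayload, auditEvent.TimeUTC);
        }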