private static void Start_Send_File_Based_Logs()
{
bool Data_Sent = false;
try
{
if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false)
{
for (int z = 0; z < Read_Local_Files.FileContents_From_FileReads.Count; ++z)
{
EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
Data_Sent = Log_Network_Forwarder.SEND_Logs(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
if (Data_Sent == true && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location) && Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[15]))
{
File.Delete(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
File.Create(Read_Local_Files.FileContents_From_FileReads.ElementAt(z)).Close();
}
}
}
}
catch (Exception e)//network resource unavailable. Dont send data and try again next run. No logs will be queued by app only re read
{
Settings.Log_Storage_Location_Unavailable(" Start_Send_File_Based_Logs() " + e.Message.ToString());
}
}
internal static void READ_Local_Log_Dirs()
{
try
{
List <string> DirPaths = File_Operation.READ_File_In_List(File_Operation.GET_DirToMonitor_Path()).ToList();
for (int z = 0; z < DirPaths.Count; ++z)
{
if (Directory.Exists(DirPaths.ElementAt(z)))
{
if (DirPaths.ElementAt(z).ToLower().Contains("powershell") || DirPaths.ElementAt(z).ToLower().Contains("iis"))
{
READ_Local_Log_Dirs_for_Powershell_or_IIS(DirPaths.ElementAt(z));
}
else
{
string[] FilePaths = Directory.GetFiles(DirPaths.ElementAt(z));
for (int x = 0; x < FilePaths.Length - 1; ++x)
{
if (File_Operation.CHECK_if_File_Exists(FilePaths.ElementAt(x)) && (FilePaths.ElementAt(x).Contains(".txt") || FilePaths.ElementAt(x).Contains(".log")))
{
string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(x));
File.Delete(FilePaths.ElementAt(x));
FileContents_From_FileReads.Add(FileContent);
}
}
}
}
}
}
catch (Exception e)
{
Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
}
}
internal static bool CHECK_File_Encrypted(string FilePath)
{
try
{
FileInfo fi = new FileInfo(FilePath);
string Check = File.ReadAllText(FilePath);
if ((Check.Any(s => Crypto_Operation.Common_Encrypted_Chars.Contains(s)) && Check.Any(s => s >= 128)) && fi.Attributes.HasFlag(FileAttributes.Encrypted))
{
return(true);//File Encrypted
}
else
{
if ((Check.Any(s => Crypto_Operation.Common_Encrypted_Chars.Contains(s)) && Check.Any(s => s >= 128)) && fi.Attributes.HasFlag(FileAttributes.Encrypted) == false)
{
File.Encrypt(FilePath);
return(true);//File needed encrypted attrib and was encrypted
}
else
{
return(false);//File not encrypted
}
}
}
catch (Exception e)
{
bool FileExists = File_Operation.CHECK_if_File_Exists(FilePath);
if (FileExists == true && e.Message.Contains("Access to the path") && e.Message.Contains("denied"))
{
//File_Operation.DELETE_File(FilePath);
}
Error_Operation.Log_Error("CHECK_File_Encrypted()", e.Message.ToString() + ". Is file on disk check=" + FileExists.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Verbose);
return(false);//File NOT Encrypted
}
}
internal static void WRITE_Errors_To_Log(string MethodInCode, string msg, LogSeverity LogSeverity, EventID eventID = 0)
{
ErrorLogging_Level();
if (Logging_Level_To_Report >= (int)LogSeverity)
{
string err_msg = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SourceComputer=" + Settings.ComputerName + " Severity=" + Severity_Levels[(int)LogSeverity] + " MethodInCode=" + MethodInCode + " Message=" + msg + "\n";
if (File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
{
File.AppendAllText(Settings.GET_ErrorLog_Location, err_msg);
}
else
{
File.Create(Settings.GET_ErrorLog_Location).Close();
File.AppendAllText(Settings.GET_ErrorLog_Location, err_msg);
}
if (LogSeverity == LogSeverity.Informataion)
{
EventLog_SWELF.WRITE_Info_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID);
}
else if (LogSeverity == LogSeverity.Verbose)
{
EventLog_SWELF.WRITE_Verbose_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID);
}
else if (LogSeverity == LogSeverity.Warning)
{
EventLog_SWELF.WRITE_Warning_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID);
}
else if (LogSeverity == LogSeverity.FailureAudit)
{
EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID);
}
else if (LogSeverity == LogSeverity.Critical)
{
EventLog_SWELF.WRITE_ERROR_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID);
}
else
{
EventLog_SWELF.WRITE_Verbose_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID);
}
File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
}
}
internal static string Run_PS_Script(String PowershellSciptLocation, string PowershellSciptArgs = "")
{
if (File_Operation.CHECK_if_File_Exists(PowershellSciptLocation))
{
ScriptContents = File_Operation.READ_AllText(PowershellSciptLocation);
if (CallAntimalwareScanInterface(Get_SHA256(PowershellSciptLocation), ScriptContents) < 32768)
{
powershellSciptLocation = PowershellSciptLocation;
powershellSciptArgs = PowershellSciptArgs;
ProcessStartInfo startInfo = new ProcessStartInfo("powershell", "-ExecutionPolicy Bypass .\\" + Path.GetFileName(PowershellSciptLocation));
startInfo.WorkingDirectory = Path.GetDirectoryName(PowershellSciptLocation);
startInfo.RedirectStandardOutput = true;
startInfo.RedirectStandardError = true;
startInfo.LoadUserProfile = true;
startInfo.UseShellExecute = false;
startInfo.CreateNoWindow = true;
Process process = new Process();
process.StartInfo = startInfo;
process.Start();
string output = process.StandardOutput.ReadToEnd();
if (string.IsNullOrEmpty(output))
{
output += "\nPS Plugin ERROR: " + process.StandardError.ReadToEnd();
}
if (string.IsNullOrEmpty(ScriptContents) == false || string.IsNullOrWhiteSpace(ScriptContents) == false)
{
Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "microsoft-windows-powershell/operational" + "~");
Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "windows powershell" + "~");
}
return(output);
}
else
{
Error_Operation.Log_Error("Run_PS_Script() POSSIBLE MALWARE DETECTED", "Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents), "", Error_Operation.LogSeverity.Critical);
return("POSSIBLE MALWARE DETECTED - Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents));
}
}
else
{
Error_Operation.Log_Error("Run_PS_Script()", PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName, "", Error_Operation.LogSeverity.Warning);
return(PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName);
}
}
private static void RUN_Thread_Whitelist_SearchFile()
{
if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents))//use reg
{
READ_WhiteList_Search_Terms_File(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents));
}
else if (File_Operation.CHECK_if_File_Exists(GET_WhiteList_SearchTermsFile_Path))//no reg, look for file
{
READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
File_Operation.DELETE_File(GET_WhiteList_SearchTermsFile_Path);
}
else//no file, no reg, Create Default then load it into the reg to use later
{
File_Operation.VERIFY_Search_Default_Files_Ready();
READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
}
++ThreadsDone_Setup;
}
internal static string Hash(string Value)
{
var sha256 = SHA256.Create();
try
{
if (File_Operation.CHECK_if_File_Exists(Value) && (File_Operation.CHECK_File_Encrypted(Value)))
{
return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Decrypt_File_Contents(Value, false)))));
}
else
{
return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Value))));
}
}
catch (Exception e)
{
return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Value))));
}
}
private static void RUN_Thread_Plugins()
{
if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents))//use reg
{
READ_Powershell_SearchTerms(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents));
}
else if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_PLUGIN_Path))//no reg, look for file
{
READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
File_Operation.DELETE_File(GET_SearchTermsFile_PLUGIN_Path);
}
else//no file, no reg, Create Default then load it into the reg to use later
{
File_Operation.VERIFY_Search_Default_Files_Ready();
File_Operation.GET_Plugin_Scripts_Ready();
READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
}
++ThreadsDone_Setup;
}
private static void WRITE_Errors_To_Log(string msg, LogSeverity LogSeverity, EventID eventID = 0)
{
if (File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
{
File.AppendAllText(Settings.GET_ErrorLog_Location, msg);
}
else
{
File.Create(Settings.GET_ErrorLog_Location).Close();
File.AppendAllText(Settings.GET_ErrorLog_Location, msg);
}
File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
if (LogSeverity == LogSeverity.Informataion)
{
EventLog_SWELF.WRITE_Info_EventLog(msg, eventID);
}
else if (LogSeverity == LogSeverity.Verbose)
{
EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
}
else if (LogSeverity == LogSeverity.Warning)
{
EventLog_SWELF.WRITE_Warning_EventLog(msg, eventID);
}
else if (LogSeverity == LogSeverity.FailureAudit)
{
EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(msg, eventID);
}
else if (LogSeverity == LogSeverity.Critical)
{
EventLog_SWELF.WRITE_ERROR_EventLog(msg, eventID);
}
else
{
EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
}
}
private static void Write_HashFile_IPsFile()
{
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]))
{
try
{
if (File_Operation.CHECK_if_File_Exists(Settings.Hashs_File_Path))
{
File_Operation.CHECK_File_Size(Settings.Hashs_File_Path, .0002);
Settings.Hashs_From_EVT_Logs.AddRange(File_Operation.READ_File_In_List(Settings.Hashs_File_Path).Distinct().ToList());
Settings.Hashs_From_EVT_Logs = Settings.Hashs_From_EVT_Logs.Distinct().ToList();
}
File_Operation.Write_Hash_Output(Settings.Hashs_From_EVT_Logs.Distinct().ToList());
}
catch (Exception e)
{
Error_Operation.Log_Error("Write_HashFile_IPsFile()", Settings.SWELF_AppConfig_Args[12] + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
}
}
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
{
try
{
if (File_Operation.CHECK_if_File_Exists(Settings.IPs_File_Path))
{
File_Operation.CHECK_File_Size(Settings.IPs_File_Path, .0002);
Settings.IP_List_EVT_Logs.AddRange(File_Operation.READ_File_In_List(Settings.IPs_File_Path).Distinct().ToList());
Settings.IP_List_EVT_Logs = Settings.IP_List_EVT_Logs.Distinct().ToList();
}
}
catch (Exception e)
{
Error_Operation.Log_Error("Write_HashFile_IPsFile()", Settings.SWELF_AppConfig_Args[11] + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
}
File_Operation.Write_IP_Output(Settings.IP_List_EVT_Logs.Distinct().ToList());
}
}
internal static void SEND_Errors_To_Central_Location()
{
try
{
string[] Errors = File.ReadAllLines(Settings.GET_ErrorLog_Location);
if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false)
{
for (int x = 0; x < Errors.Length; ++x)
{
Settings.Logs_Sent_to_ALL_Collectors = Log_Network_Forwarder.SEND_Logs(Errors[x], Settings.GET_ErrorLog_Location, true);
}
if (Settings.Logs_Sent_to_ALL_Collectors && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[15]))
{
File_Operation.DELETE_File(Settings.GET_ErrorLog_Location);
File.Create(Settings.GET_ErrorLog_Location).Close();
}
}
}
catch (Exception e)
{
Settings.Log_Storage_Location_Unavailable("SEND_Errors_To_Central_Location() " + e.Message.ToString());
}
}
private static void Start_Live_Process()
{
if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
{
if (Program_Start_Args.ElementAt(0).ToLower().Equals("-dissolve") && Settings.CHECK_If_EventLog_Exsits(Settings.SWELF_EventLog_Name) == false && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
{
Settings.CMDLine_Dissolve = true;
}
Start_Setup();
Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins());
PS_Plugins_Thread.IsBackground = true;
PS_Plugins_Thread.Priority = ThreadPriority.Lowest;
PS_Plugins_Thread.Start();
Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles());
READ_Local_LogFiles_Thread.IsBackground = true;
READ_Local_LogFiles_Thread.Priority = ThreadPriority.Lowest;
READ_Local_LogFiles_Thread.Start();
while (Settings.PS_PluginDone != true && !READ_Local_LogFiles_Thread.IsAlive && !READ_Local_LogFiles_Thread.IsAlive)
{
Thread.Sleep(10000);
}
PS_Plugins_Thread.Abort();
READ_Local_LogFiles_Thread.Abort();
Start_Read_Search_Write_Forward_EventLogs();
Start_Send_File_Based_Logs();
Write_HashFile_IPsFile();
}
else
{
Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
}
if (Settings.CMDLine_Dissolve)
{
Settings.Dissolve();
}
Error_Operation.WRITE_Stored_Errors();
}
internal static bool VERIFY_Central_File_Config_Hash(string HTTP_File_Path, string Local_File_Path)
{
string HTTPFileHash;
string LocalFileHash;
try
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(HTTP_File_Path);
request.AllowAutoRedirect = false;
request.UnsafeAuthenticatedConnectionSharing = false;
request.Timeout = 150000;
ServicePointManager.Expect100Continue = true;
ServicePointManager.CheckCertificateRevocationList = false;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
using (CustomWebClient response = new CustomWebClient())
{
//string Web_Config_File_Contents = response.DownloadString(HTTP_File_Path);
if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == true)//determine if we use cache version
{
HTTPFileHash = Settings.Central_Config_Hashs[HTTP_File_Path];
}
else//no cache version get from network
{
Central_Config_File_Web_Cache = Crypto_Operation.CONVERT_To_String_From_Bytes(response.DownloadData(HTTP_File_Path), 2);//get file has from Network
using (var sha256 = SHA256.Create())
{
HTTPFileHash = BitConverter.ToString(sha256.ComputeHash(Encoding.UTF8.GetBytes(Central_Config_File_Web_Cache)));
}
if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == false)
{
Settings.Central_Config_Hashs.Add(HTTP_File_Path, HTTPFileHash);
}
}
using (var sha2562 = SHA256.Create())//Get local file hash
{
if (File_Operation.CHECK_if_File_Exists(Local_File_Path) == false)
{
return(false);//no local file
}
else
{
LocalFileHash = BitConverter.ToString(sha2562.ComputeHash(Encoding.UTF8.GetBytes(File_Operation.READ_AllText(Local_File_Path))));
}
}
if (HTTPFileHash == LocalFileHash)
{
return(true);
}
else
{
return(false);
}
}
}
catch (Exception e)
{
Error_Operation.WRITE_Errors_To_Log("VERIFY_Central_File_Config_Hash()", e.Message.ToString() + " " + HTTP_File_Path + " " + Local_File_Path, Error_Operation.LogSeverity.Informataion);//log change
return(false);
}
finally
{
Wclient.Dispose();
}
}
private static void RUN_Setup_AppConfig()
{
if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))//use reg
{
READ_and_Parse_Console_App_Config_Contents(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
}
else if (File_Operation.CHECK_if_File_Exists(GET_AppConfigFile_Path))//no reg, look for file
{
READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path));
File_Operation.DELETE_File(GET_AppConfigFile_Path);
}
else//no file, no reg, Create Default then load it into the reg to use later
{
File_Operation.VERIFY_AppConfig_Default_Files_Ready();
READ_and_Parse_Console_App_Config_Contents(File_Operation.READ_AllText(GET_AppConfigFile_Path));
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(GET_AppConfigFile_Path));
}
//Check for CENTRAL CONFIG's, if yes check for update, update if needed.
//Appconfig
if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[7]))//arg for central app config
{
if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents) == false)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, "");
}
if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[7]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)) == false)
{
if (Web_Operation.Connection_Successful)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[7]].ToString()));
Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config ConsoleAppConfig_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
}
}
//Searchterms
if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[6]))//arg for central search config
{
if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents) == false)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, "");
}
if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[6]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents)) == false)
{
if (Web_Operation.Connection_Successful)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[6]].ToString()));
Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
}
}
//Whitelist
if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[9]))//arg for central search config
{
if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents) == false)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, "");
}
if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[9]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents)) == false)
{
if (Web_Operation.Connection_Successful)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[9]].ToString()));
Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config WhiteList_SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
}
}
//Powershell plugin
if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[8]))//arg for central search config
{
if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents) == false)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, "");
}
if (Web_Operation.VERIFY_Central_Reg_Config_Hash(AppConfig_File_Args[SWELF_AppConfig_Args[8]], Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents)) == false)
{
if (Web_Operation.Connection_Successful)
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[8]].ToString()));
Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config PLUGIN_SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
}
}
Log_Forwarders_HostNames = GET_LogCollector_Locations();//GatherLog Collector Locations
++ThreadsDone_Setup;
if (AppConfig_File_Args.ContainsKey(SWELF_AppConfig_Args[16]))
{
Logging_Level_To_Report = "verbose";
}
}
internal static void Main(string[] args)
{
Process.GetCurrentProcess().PriorityClass = ProcessPriorityClass.BelowNormal;
Program_Start_Args = Environment.GetCommandLineArgs().ToList();
string[] Program_Start_Args_Array = Environment.GetCommandLineArgs().Skip(1).ToArray();
if (Program_Start_Args.Count > 1)
{
if (Program_Start_Args.Count >= 3 && Program_Start_Args.ElementAt(1).ToLower() == "-c")
{
if (Program_Start_Args.Count < 3)
{
Program_Start_Args.Add(Settings.GET_AppConfigFile_Path);
}
//TODO make sure config file passed in is one of the correct file (by location and parsability) then update that reg key, then delete the file once read in
if (File_Operation.CHECK_if_File_Exists(Program_Start_Args.ElementAt(2).ToLower()))
{
if (File_Operation.CHECK_if_File_Exists(Program_Start_Args.ElementAt(2).ToLower()))
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(Program_Start_Args.ElementAt(2).ToLower()));
Error_Operation.Log_Error("MAIN()", "Config update. ConsoleAppConfig_Contents reg key from file " + Program_Start_Args.ElementAt(2).ToLower(), "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
else if (File_Operation.CHECK_if_File_Exists(Settings.GET_AppConfigFile_Path))
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(Settings.GET_AppConfigFile_Path));
Error_Operation.Log_Error("MAIN()", "Config update. ConsoleAppConfig_Contents reg key from file " + Settings.GET_AppConfigFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_Path))
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_SearchTermsFile_Path));
Error_Operation.Log_Error("MAIN()", "Config update. SearchTerms_File_Contents reg key from file " + Settings.GET_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
if (File_Operation.CHECK_if_File_Exists(Settings.GET_WhiteList_SearchTermsFile_Path))
{
Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_WhiteList_SearchTermsFile_Path));
Error_Operation.Log_Error("MAIN()", "Config update. WhiteList_SearchTerms_File_Contents reg key from file " + Settings.GET_WhiteList_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
Start_Process_Live_Method();
//TODO add option for password in config file to allow updates this way
//if no password allow update??
//store password in reg
}
else
{
Settings.SHOW_Help_Menu();
Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "MAIN()", "The config file path doesnt exist for some reaosn, Also the app halted.", "");
}
}
else if (Program_Start_Args.Count < 2 && Program_Start_Args.Count > 1)
{
Settings.SHOW_Help_Menu();
}
else
{
Start_EVTX_Process();
}
}
else
{
try
{
Start_Process_Live_Method();
}
catch (Exception e)
{
Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_Live_Process()", e.Message.ToString() + ", Also the app halted.", e.StackTrace.ToString());
}
}
}
internal static bool VERIFY_Central_File_Config_Hash(string HTTP_File_Path, string Local_File_Path)
{
string HTTPFileHash;
string LocalFileHash;
try
{
ServicePointManager.Expect100Continue = true;
ServicePointManager.CheckCertificateRevocationList = false;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
using (CustomWebClient response = new CustomWebClient())
{
//string Web_Config_File_Contents = response.DownloadString(HTTP_File_Path);
if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == true)//determine if we use cache version
{
HTTPFileHash = Settings.Central_Config_Hashs[HTTP_File_Path];
}
else//no cache version get from network
{
Uri uri = new Uri(HTTP_File_Path);
Central_Config_File_Web_Cache = Crypto_Operation.CONVERT_To_String_From_Bytes(response.DownloadData(uri), 2);//get file has from Network
using (var sha256 = SHA256.Create())
{
HTTPFileHash = BitConverter.ToString(sha256.ComputeHash(Encoding.UTF8.GetBytes(Central_Config_File_Web_Cache)));
}
if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == false)
{
Settings.Central_Config_Hashs.Add(HTTP_File_Path, HTTPFileHash);
}
}
using (var sha2562 = SHA256.Create())//Get local file hash
{
if (File_Operation.CHECK_if_File_Exists(Local_File_Path) == false)
{
return(false);//no local file
}
else
{
LocalFileHash = BitConverter.ToString(sha2562.ComputeHash(Encoding.UTF8.GetBytes(File_Operation.READ_AllText(Local_File_Path))));
}
}
if (HTTPFileHash == LocalFileHash)
{
return(true);
}
else
{
return(false);
}
}
}
catch (Exception e)
{
if ((!e.Message.Contains("The operation has timed out") || !e.Message.Contains("The remote name could not be resolved: ")) || (Settings.Logging_Level_To_Report.ToLower() == "informataion" || Settings.Logging_Level_To_Report.ToLower() == "verbose"))
{
Error_Operation.Log_Error("VERIFY_Central_File_Config_Hash()", e.Message.ToString() + " " + HTTP_File_Path + " " + Local_File_Path, e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
}
return(false);
}
finally
{
Wclient.Dispose();
}
}
