private void ParseAuditOperations2(ref Rec rec, AuditInfo audit, StringBuilder buffer, StringBuilder domainBuffer, StringBuilder userBuffer, ref int sentItems) { try { if (string.IsNullOrEmpty(rec.Description)) return; using (var reader = new StringReader(rec.Description)) { string line; var state = -1; var mask = 0; var values = new string[9]; while (true) { using (Benchmark("ParseAuditOperations2 ReadLine")) { line = reader.ReadLine(); } if (line == null) break; Match m; switch (state) { case -1: m = RegLine.Match(line); if (m.Success) { state = m.Groups[1].Success ? 2 : 3; /* for (state = 1; state < m.Groups.Count && !m.Groups[state].Success; ++state) { } if (state == m.Groups.Count) state = -1; else ++state; * */ } break; default: m = ((Regex)RegExps[state][0]).Match(line); if (m.Success) { //WriteLine(line); var i = 1; var ms = 1; while (i < m.Groups.Count) { if (m.Groups[i].Success) { values[i / 2] = m.Groups[i + 1].Value; mask |= ms; break; } i += 2; ms <<= 1; } if (mask == ((int)RegExps[state][1])) { var username = string.IsNullOrEmpty(values[1]) || string.IsNullOrEmpty(values[2]) ? UserWithDomain(values[0], buffer, domainBuffer, userBuffer) : values[1] + "\\" + values[2]; AuditLogonEnv2 env; lock (_handles2) { if (!_handles2.TryGetValue(values[3], out env)) { env = new AuditLogonEnv2(values[3]); _handles2[env.LogonId] = env; } } if (state == 3) { using (Benchmark("ParseAuditOperations2 DeleteHandle2")) { AuditDeleteHandle2(ref rec, env, username, values[0], values[4], values[5], ref sentItems); } } else if (audit.ObjectType == "File") { //Console.WriteLine(rec.Description); //var ln = Console.ReadLine(); //if (ln.Equals("d")) // DEBUG_BREAK = true; //else if (ln.Equals("q")) // DEBUG_BREAK = false; using (Benchmark("ParseAuditOperations2 AuditObjectRequestHandle2")) { AuditObjectRequestHandle2(ref rec, env, values[3], username, values[0], values[5], values[6], values[8], values[4], values[7], ref sentItems); } } return; } } break; } } } } catch (Exception e) { L.Log(LogType.FILE, LogLevel.ERROR, "Error while parsing audit operations:" + e); } }
public EventLogFileAuditRecorder() { _handles2["00000"] = new AuditLogonEnv2("00000"); _handles2["00000"].ProcessLastAudit["-----"] = new AuditHandle2("12313", "-----", "test"); cleanupTimer = new Timer { AutoReset = false, Interval = 60000 }; cleanupTimer.Elapsed += new ElapsedEventHandler(cleanupTimer_Elapsed); cleanupTimer.Start(); enc = Encoding.UTF8; }
private void AuditObjectRequestHandle2(ref Rec rec, AuditLogonEnv2 env, string logonId, string username, string userSid, string handleId, string processId, string processName, string objectName, string accessMask, ref int sentItems) { if (!string.IsNullOrEmpty(objectName)) { var kernel = RegKernelPath.Match(objectName); if (kernel.Success) objectName = QueryDosPath(kernel.Groups[1].Value, kernel.Groups[2].Value); } var access = (AccessMask)GetPid(accessMask); //if ((access & NewFileDirMask) == NewFileDirMask) //{ // SendData(ref rec, "NEW", (access & AccessMask.AppendOrAddSubDir) == AccessMask.None ? "Directory" : "File", // objectName, userSid, username, processName, // GetPid(processId), accessMask, string.Empty); // sentItems++; // return; //} AuditHandle2 handle; lock (env) { if ((access & AccessMask.Synchronize) == AccessMask.Synchronize) { if (env.ProcessLastAudit.TryGetValue(processId, out handle)) env.ProcessLastAudit.Remove(processId); else handle = null; if ((access & (AccessMask.WriteOrAddFile | AccessMask.AppendOrAddSubDir)) != AccessMask.None) { if (handle != null) { if (handle.Name == objectName) { //handle.AccessType |= access; env.ProcessLastAudit[processId] = handle; ++sentItems; return; } if (handle.Name.StartsWith(objectName)) { if (handle.Name.Length > objectName.Length) { if (objectName[objectName.Length - 1] == Path.DirectorySeparatorChar || handle.Name[objectName.Length] == Path.DirectorySeparatorChar) { SendData(ref rec, "RENAME", (access & AccessMask.AppendOrAddSubDir) == AccessMask.None ? "Directory" : "File", handle.Name, userSid, username, processName, GetPid(processId), accessMask, objectName); sentItems++; return; } } } SendData(ref rec, "MOVE", string.Empty, handle.Name, userSid, username, processName, GetPid(processId), accessMask, objectName); sentItems++; } else { SendData(ref rec, "NEW", (access & AccessMask.AppendOrAddSubDir) == AccessMask.None ? "Directory" : "File", objectName, userSid, username, processName, GetPid(processId), accessMask, string.Empty); sentItems++; } } else if ((access & AccessMask.Delete) == AccessMask.Delete) { if (handle == null) handle = new AuditHandle2(handleId, processId, processName); handle.AccessType = access; handle.LogonId = logonId; handle.Name = objectName; handle.Owner = user; handle.OwnerSid = userSid; env.ProcessLastAudit[processId] = handle; ++sentItems; } } else if ((access & AccessMask.Delete) == AccessMask.Delete) { env.ProcessLastAudit.Remove(processId); SendData(ref rec, "DELETED", string.Empty, objectName, userSid, username, processName, GetPid(processId), accessMask, string.Empty); sentItems++; } } }
private void AuditDeleteHandle2(ref Rec rec, AuditLogonEnv2 env, string user, string userSid, string handleId, string processId, ref int sentItems) { AuditHandle2 handle; lock (env) { if (env.ProcessLastAudit.TryGetValue(processId, out handle) && handle.HandleId == handleId) { env.ProcessLastAudit.Remove(processId); SendData(ref rec, "DELETED", string.Empty, handle.Name, userSid, user, handle.ProcessName, GetPid(processId), string.Format("{0:X}", handle.AccessType), string.Empty); sentItems++; } } }