// Schema check for a ConnectionCreate event built from a fully populated inbound TCP payload.
public void ConnectionCreate()
{
    // Every payload field is filled so ValidateSchema sees a complete record
    ConnectionsPayload inboundTcp = new ConnectionsPayload
    {
        Direction = ConnectionsPayload.ConnectionDirection.In,
        Protocol = "tcp",
        LocalAddress = "::ffff:c000:0280",
        LocalPort = "8080",
        RemoteAddress = "192.168.0.1",
        RemotePort = "23",
        ProcessId = 2,
        UserId = "111",
        Executable = "app.exe",
        CommandLine = "c:\\dir\\app.exe",
    };

    DateTime timestamp = DateTime.UtcNow;
    var connectionEvent = new ConnectionCreate(EventPriority.Low, inboundTcp, timestamp);

    connectionEvent.ValidateSchema();
}
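/// <summary>
/// Builds a device event from a single audit log record.
/// Connections whose address family is marked as ignorable (e.g. local connections) are dropped;
/// internet (INET) families produce a parsed connection payload, while every other family
/// produces a payload carrying the raw saddr hex string for further investigation.
/// </summary>
/// <param name="auditEvent">A log event read from the audit log.</param>
/// <returns>
/// A <see cref="ConnectionCreate"/> event describing an opened connection, or <c>null</c> when the
/// record carries no socket address, belongs to an ignored address family, or yields no payload.
/// </returns>
private IEvent CreateEventFromAuditRecord(AuditEvent auditEvent)
{
    // throwIfNotExist: false -> a record without a saddr yields null/empty instead of an exception
    string saddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress, throwIfNotExist: false);
    if (string.IsNullOrEmpty(saddr))
    {
        // GetType().Name rather than nameof(GetType): the latter is the constant string "GetType",
        // so the log line never identified the class that dropped the event
        SimpleLogger.Debug($"{GetType().Name}: Saddr is null or empty, dropping event");
        return null;
    }

    // The address family is encoded in the saddr itself; it decides whether and how the event is built.
    // NOTE(review): assumes ExtractFamilyFromSaddr tolerates malformed saddr values — confirm, since
    // audit records originate outside this code.
    LinuxAddressFamily family = ConnectionSaddr.ExtractFamilyFromSaddr(saddr);
    if (family.IsToIgnore())
    {
        // Irrelevant connections (e.g. local) never become events
        return null;
    }

    ConnectionsPayload connectionPayload = ConnectionSaddr.IsInetFamliy(family)
        ? CreateInetConnPayloadFromAuditEvent(auditEvent)             // parsed address/port for INET families
        : CreateNonInetConnPayloadFromAuditEvent(family, auditEvent);  // raw hex saddr for everything else

    // A payload builder may return null; in that case no event is produced
    if (connectionPayload == null)
    {
        return null;
    }

    return new ConnectionCreate(Priority, connectionPayload, auditEvent.TimeUTC);
}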