Пример #1
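        /// <summary>
        /// Serializes an IDMEF message to an XML string using <see cref="XmlSerializer"/>.
        /// </summary>
        /// <param name="alertMessage">The message to serialize; must not be null.</param>
        /// <returns>The XML text the serializer writes for the message's runtime type.</returns>
        /// <exception cref="System.ArgumentNullException"><paramref name="alertMessage"/> is null.</exception>
        public static string GetXml(IDMEFMessage alertMessage)
        {
            // Fail with a named argument rather than a NullReferenceException from GetType().
            if (alertMessage == null)
            {
                throw new System.ArgumentNullException("alertMessage");
            }

            // The serializer is built from the runtime type, not typeof(IDMEFMessage).
            XmlSerializer xmlSerializer = new XmlSerializer(alertMessage.GetType());

            // A StringWriter reports UTF-16, so the XML declaration carries encoding="utf-16".
            // NOTE(review): anything that stores or re-parses this text as bytes must use a matching encoding.
            using (StringWriter textWriter = new StringWriter())
            {
                xmlSerializer.Serialize(textWriter, alertMessage);
                return textWriter.ToString();
            }
        }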
Пример #2
        /// <summary>
        /// Builds an IDMEF message that wraps a single alert stamped with the current time.
        /// </summary>
        /// <param name="packet">The raw packet behind the alert. It is not read here, so the alert carries no packet details.</param>
        /// <returns>A message whose Items array holds the one new alert.</returns>
        public static IDMEFMessage CreateAltertMessageFromRawPacket(Packet packet)
        {
            // The alert itself: only the creation time is filled in so far.
            Alert alert = new Idmef.Alert();

            // NOTE(review): DateTime.Now is local time; confirm CreateTimestamp keeps the UTC offset.
            alert.CreateTime = CreateTimestamp(DateTime.Now);
            // add more alert stuff here

            // Wrap the alert as the only item of the outgoing message.
            IDMEFMessage wrapper = new IDMEFMessage();
            wrapper.Items = new object[] { alert };
            return wrapper;
        }
Пример #3
        /// <summary>
        /// Compares the event count reported for a web server with a threshold and, when the
        /// count is higher, sends a web DoS alert through every configured report method.
        /// </summary>
        /// <param name="webServerAddress">Address of the web server; events are counted for this address on port 80.</param>
        /// <param name="threshold">Event count that must be strictly exceeded before an alert is raised.</param>
        /// <param name="analysisWindow">Optional window passed through to the sensor event agent; its unit is not visible here.</param>
        /// <returns><c>true</c> when the threshold was exceeded and the report methods were called; otherwise <c>false</c>.</returns>
        public bool CheckForWebServerDosAttack(string webServerAddress, int threshold, int? analysisWindow)
        {
            // The decision is based only on the count the sensor agent returns for port 80.
            int observedEvents = SensorEventAgent.GetTotalEvents(webServerAddress, 80, analysisWindow);

            if (observedEvents <= threshold)
            {
                return false;
            }

            // Each report method receives its own freshly built alert message.
            // NOTE(review): there is no try/catch here, so an exception from one report method
            // stops the loop and the remaining report methods are never called.
            foreach (IAlertReport reporter in ReportMethods)
            {
                string reportingAnalyser = analyserId.ToString();
                IDMEFMessage dosAlert = IdmefMessageMapper.CreateWebDoSAlert(webServerAddress, reportingAnalyser);
                reporter.ReportAltert(dosAlert, reportingAnalyser);
            }

            return true;
        }
Пример #4
        /// <summary>
        /// Builds an IDMEF message holding one alert that names the reporting analyzer.
        /// </summary>
        /// <param name="webServerAddress">
        /// Address of the affected web server.
        /// NOTE(review): it is not written into the alert here, so the resulting alert does not identify the target.
        /// </param>
        /// <param name="analyzerId">Identifier copied into the alert's Analyzer.analyzerid.</param>
        /// <returns>A message whose Items array holds the one new alert.</returns>
        public static IDMEFMessage CreateWebDoSAlert(string webServerAddress, string analyzerId)
        {
            // Who raised the alert.
            Analyzer reportingAnalyzer = new Analyzer();
            reportingAnalyzer.analyzerid = analyzerId;

            // The alert carries a creation time and the analyzer, nothing else.
            // NOTE(review): DateTime.Now is local time; confirm CreateTimestamp keeps the UTC offset.
            Alert alert = new Alert();
            alert.CreateTime = CreateTimestamp(DateTime.Now);
            alert.Analyzer = reportingAnalyzer;

            // Wrap the alert as the only item of the outgoing message.
            IDMEFMessage wrapper = new IDMEFMessage();
            wrapper.Items = new object[] { alert };
            return wrapper;
        }
Пример #5
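 /// <summary>
 /// Entry point: creates an empty IDMEF message.
 /// </summary>
 /// <param name="args">Command-line arguments; not used.</param>
 static void Main(string[] args)
 {
     IDMEFMessage message = new IDMEFMessage();

     // A bare "IDMEFMessage" type name followed here. It was an unfinished statement
     // that does not compile, so it is dropped until the intended code is written.
 }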
Пример #6
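        /// <summary>
        /// Entry point: creates an empty IDMEF message.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        static void Main(string[] args)
        {
            IDMEFMessage message = new IDMEFMessage();

            // A bare "IDMEFMessage" type name followed here. It was an unfinished statement
            // that does not compile, so it is dropped until the intended code is written.
        }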
Пример #7
        /// <summary>
        /// Serializes the alert to XML and hands it to the alert database agent for the given analyzer.
        /// </summary>
        /// <param name="alertMessage">The IDMEF message to store.</param>
        /// <param name="analyzerId">Identifier of the analyzer the alert is recorded against.</param>
        public void ReportAltert(IDMEFMessage alertMessage, string analyzerId)
        {
            // NOTE(review): the XML text and analyzer id are passed to the database layer as-is;
            // confirm InsertAlert binds them as query parameters rather than building SQL text.
            AnalyserAlertDbAgent.InsertAlert(
                _connectionString,
                analyzerId,
                IdmefMessageMapper.GetXml(alertMessage));
        }
Пример #8
 /// <summary>
 /// Writes a one-line notice of the alert to the console.
 /// </summary>
 /// <param name="alertMessage">The IDMEF message; only its version is printed.</param>
 /// <param name="sensorId">Identifier of the sensor, printed unmodified.</param>
 public void ReportAltert(IDMEFMessage alertMessage, string sensorId)
 {
     // Only the version and the sensor id reach the console; the alert content is not printed.
     string notice = string.Concat("Alert declared ", alertMessage.version, " by sensor ", sensorId);
     Console.WriteLine(notice);
 }