public void CreateLockTest() { long currentMaxId = GetMaxLocksId(); Lock l = new Lock(); l.IpAddress = "10.20.1.1"; l.LockDate = DateTime.Now; l.UnlockDate = DateTime.Now.AddDays(1); l.Port = 0; l.Status = Lock.LOCK_STATUS_HARDLOCK; l.NumberOfSoftLocks = 2; l.TriggerIncident = 100; l.Id = Locks.CreateLock(l); Assert.AreEqual(currentMaxId + 1, l.Id); }
void Service_AttackDetected(object sender, INotificationEventArgs notificationEventArgs) { try { if (notificationEventArgs == null) { if (IddsConfig.Instance.IsDebug) { // the following error should just be thrown when running in debug mode. throw new ApplicationException("Operation not supported. EventArgs must be passed as NotificationEventArgs"); } else { // otherwise write to the log file WindowsLogManager.Instance.WriteEntry("Plugin error: the lock delegate was called, but notificationEventArgs must not be null!", EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN); return; } } SecurityAgent reportingAgent = SecurityAgents.Instance.FindByName((sender as IAgentPlugin).Configuration.AgentName); long incidentId; if (IddsConfig.IsValidIpAddress(notificationEventArgs.IpAddress)) { Statistics.Instance.IncreaseFailedLoginStatistics(reportingAgent); System.Net.IPAddress ipAddress; if (System.Net.IPAddress.TryParse(notificationEventArgs.IpAddress, out ipAddress) && IddsConfig.Instance.IsIpAddressLocal(ipAddress)) { incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress, IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_LOCAL, false); } else if (IddsConfig.Instance.UseSafeNetworkList && IddsConfig.Instance.IsInSafeNetwork(notificationEventArgs.IpAddress)) { incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress, IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_SAFE, false); } else { incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress, IntrusionLog.STATUS_INTRUSION_ATTEMPT, false); try { if (!Locks.LockExists(notificationEventArgs.IpAddress)) { LockType lockType = reportingAgent.GetCurrentLockType(notificationEventArgs.IpAddress); switch (lockType) { case LockType.SoftLockRequested: //IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, // notificationEventArgs.IpAddress, IntrusionLog.STATUS_SOFT_LOCK_REQUESTED, false); LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddMinutes(IddsConfig.Instance.GetSoftLockMinutes(reportingAgent)), incidentId, Lock.LOCK_STATUS_SOFTLOCK, 0, notificationEventArgs.IpAddress), LockType.SoftLock, reportingAgent); break; case LockType.SoftLock: // already locked, ignore break; case LockType.HardLockRequested: //IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, // notificationEventArgs.IpAddress, IntrusionLog.STATUS_HARD_LOCK_REQUESTED, false); LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddHours(IddsConfig.Instance.GetHardLockHours(reportingAgent)), incidentId, Lock.LOCK_STATUS_HARDLOCK, 0, notificationEventArgs.IpAddress), LockType.HardLock, reportingAgent); break; } } } catch (Exception ex) { WindowsLogManager.Instance.WriteEntry(String.Format("Unrecoverable error: {0}", ex.Message), EventLogEntryType.FailureAudit, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_RUNTIME); // OnClientIpAddressSoftLocked(new Lock( new Client(notificationEventArgs.IpAddress), ex); } } } else { return; } } catch (Exception ex) { WindowsLogManager.Instance.WriteEntry(String.Format("AttackDetected delegate invocation of {0} caused a problem. \r\nDetails:\r\n{1}", (sender != null ? sender.GetType().Name : "unknown"), ex.Message), EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN); } }