Пример #1
 /// <summary>
 /// Completes a failed-login event extracted from event viewer XML: when the event carries no
 /// Source or UserName, they are looked up in the document and written back onto the event.
 /// </summary>
 /// <param name="info">Event to complete; its Source and UserName may be updated in place</param>
 /// <param name="doc">Event viewer XML the event was extracted from</param>
 /// <returns>False when the event has no ip address (nothing to act on), true otherwise</returns>
 private bool AddFailedLoginForEventViewerXml(IPAddressLogEvent info, XmlDocument doc)
 {
     // an event without an ip address cannot be acted on
     if (string.IsNullOrWhiteSpace(info.IPAddress))
     {
         return false;
     }

     if (string.IsNullOrWhiteSpace(info.Source))
     {
         XmlNode source = doc.SelectSingleNode("//Source");
         if (source != null)
         {
             info.Source = source.InnerText.Trim();
         }
     }

     if (string.IsNullOrWhiteSpace(info.UserName))
     {
         // the user name is either a named Data element or a dedicated TargetUserName element
         XmlNode userName = doc.SelectSingleNode("//Data[@Name='TargetUserName']") ?? doc.SelectSingleNode("//TargetUserName");
         if (userName != null)
         {
             info.UserName = userName.InnerText.Trim();
         }
     }

     return true;
 }
Пример #2
 /// <summary>
 /// Runs one regex against a log line and hands the resulting event to the login handler when it matched.
 /// </summary>
 /// <param name="regex">Regex to apply; null means there is nothing to match against</param>
 /// <param name="line">Log line to test</param>
 /// <param name="notifyOnly">True to record a match as a successful login, false as a failed login</param>
 /// <returns>True when the regex matched and the event was forwarded, false otherwise</returns>
 private bool ParseRegex(Regex regex, string line, bool notifyOnly)
 {
     if (regex == null)
     {
         return false;
     }

     IPAddressLogEvent match = IPBanService.GetIPAddressInfoFromRegex(dns, regex, line);
     if (!match.FoundMatch)
     {
         return false;
     }

     match.Type = notifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin;
     // fall back to this log file's configured source when the regex captured none
     match.Source = match.Source ?? Source;
     IPBanLog.Debug("Log file found match, ip: {0}, user: {1}, source: {2}, count: {3}, type: {4}",
                    match.IPAddress, match.UserName, match.Source, match.Count, match.Type);
     loginHandler.AddIPAddressLogEvents(new IPAddressLogEvent[] { match });
     return true;
 }
Пример #3
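        /// <summary>
        /// Process event viewer XML: extract a login event from it and, when it is a failed or
        /// successful login with a usable ip address, forward it to the service.
        /// </summary>
        /// <param name="xml">Event viewer XML for a single event</param>
        public void ProcessEventViewerXml(string xml)
        {
            IPBanLog.Debug("Processing event viewer xml: {0}", xml);

            XmlDocument       doc  = ParseXml(xml);
            IPAddressLogEvent info = ExtractEventViewerXml(doc);

            if (info != null && info.FoundMatch && (info.Type == IPAddressEventType.FailedLogin || info.Type == IPAddressEventType.SuccessfulLogin))
            {
                if (!FindSourceAndUserNameForInfo(info, doc))
                {
                    // bad ip address
                    return;
                }
                service.AddIPAddressLogEvents(new IPAddressLogEvent[] { info });
                // four arguments are passed, so the placeholders must be {0}..{3}; a {4} placeholder
                // is out of range for the argument list and would break the format call
                IPBanLog.Debug("Event viewer found: {0}, {1}, {2}, {3}", info.IPAddress, info.Source, info.UserName, info.Type);
            }
        }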
Пример #4
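        /// <summary>
        /// Process event viewer XML: extract a login event from it and, when it matched, forward it to
        /// the service. Failed logins are first completed with Source/UserName from the document and
        /// dropped when they carry no ip address.
        /// </summary>
        /// <param name="xml">Event viewer XML for a single event</param>
        public void ProcessEventViewerXml(string xml)
        {
            IPBanLog.Debug("Processing event viewer xml: {0}", xml);

            XmlDocument       doc  = ParseXml(xml);
            IPAddressLogEvent info = ExtractEventViewerXml(doc);

            if (info != null && info.FoundMatch)
            {
                if (info.Type == IPAddressEventType.FailedLogin && !AddFailedLoginForEventViewerXml(info, doc))
                {
                    // if fail to add the failed login (bad ip, etc.) exit out
                    return;
                }
                System.Diagnostics.Debug.Assert(info.Type == IPAddressEventType.FailedLogin || info.Type == IPAddressEventType.SuccessfulLogin);
                service.AddIPAddressLogEvents(new IPAddressLogEvent[] { info });
                // four arguments are passed, so the placeholders must be {0}..{3}; a {4} placeholder
                // is out of range for the argument list and would break the format call
                IPBanLog.Debug("Event viewer found: {0}, {1}, {2}, {3}", info.IPAddress, info.Source, info.UserName, info.Type);
            }
        }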
Пример #5
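        /// <summary>
        /// Extracts a login event from event viewer XML. The event's Keywords value selects the
        /// configured expression groups to try; within a group every expression's xpath must find
        /// nodes and, when it has a regex, that regex must match at least one of them.
        /// </summary>
        /// <param name="doc">Event viewer XML for a single event</param>
        /// <returns>
        /// The matched event with Type set, or null when the Keywords element is missing or not a
        /// hex number, or when no group matched.
        /// </returns>
        /// <exception cref="InvalidDataException">
        /// Both a notify-only group (successful login) and a failed-login group matched the event.
        /// </exception>
        private IPAddressLogEvent ExtractEventViewerXml(XmlDocument doc)
        {
            // the null check must happen before InnerText is read; the previous version dereferenced
            // the node first and only then tested it for null
            XmlNode keywordsNode = doc.SelectSingleNode("//Keywords");
            if (keywordsNode == null)
            {
                IPBanLog.Debug("No Keywords node in event viewer xml, ignoring event");
                return null;
            }

            string keywordsText = keywordsNode.InnerText.Trim();
            if (keywordsText.StartsWith("0x", StringComparison.OrdinalIgnoreCase))
            {
                keywordsText = keywordsText.Substring(2);
            }

            // a keywords value that is not a hex number cannot select any group; skip the event
            // instead of letting the parse exception escape from event processing
            if (!ulong.TryParse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture, out ulong keywordsULONG))
            {
                IPBanLog.Debug("Keywords value '{0}' is not a hex number, ignoring event", keywordsText);
                return null;
            }

            IPAddressLogEvent info            = null;
            bool              foundNotifyOnly = false;

            // we must match on keywords
            foreach (EventViewerExpressionGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG))
            {
                foreach (EventViewerExpression expression in group.Expressions)
                {
                    // find all the nodes, try and get an ip from any of them, all must match
                    XmlNodeList nodes = doc.SelectNodes(expression.XPath);

                    if (nodes.Count == 0)
                    {
                        IPBanLog.Debug("No nodes found for xpath {0}", expression.XPath);
                        info = null;
                        break;
                    }

                    // if there is a regex, it must match
                    if (string.IsNullOrWhiteSpace(expression.Regex))
                    {
                        // count as a match, do not modify the ip address if it was already set
                        IPBanLog.Debug("No regex, so counting as a match");
                    }
                    else
                    {
                        info = null;

                        // try and find an ip from any of the nodes
                        foreach (XmlNode node in nodes)
                        {
                            // if we get a match, stop checking nodes
                            info = IPBanService.GetIPAddressInfoFromRegex(service.DnsLookup, expression.RegexObject, node.InnerText);
                            if (info.FoundMatch)
                            {
                                if (group.NotifyOnly)
                                {
                                    foundNotifyOnly = true;
                                }
                                else if (foundNotifyOnly)
                                {
                                    throw new InvalidDataException("Conflicting expressions in event viewer, both failed and success logins matched keywords " + group.Keywords);
                                }
                                break;
                            }
                        }

                        if (info != null && !info.FoundMatch)
                        {
                            // match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban
                            IPBanLog.Debug("Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath);
                            info            = null;
                            foundNotifyOnly = false;
                            break;
                        }
                    }
                }

                // first group whose expressions all matched and produced an ip wins
                if (info != null && info.FoundMatch && info.IPAddress != null)
                {
                    info.Source = info.Source ?? group.Source;
                    break;
                }
                info = null; // set null for next attempt
            }

            if (info != null)
            {
                info.Type = (foundNotifyOnly ? IPAddressEventType.SuccessfulLogin : IPAddressEventType.FailedLogin);
            }
            return info;
        }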