private bool PingFile(WatchedFile file, FileStream fs)
{
const int maxCountBeforeNewline = 1024;
int b;
long lastNewlinePos = -1;
byte[] bytes;
long end = Math.Min(file.LastLength, fs.Length);
int countBeforeNewline = 0;
fs.Position = file.LastPosition;
IPBanLog.Write(LogLevel.Info, "Processing watched file {0}, len = {1}, pos = {2}", file.FileName, file.LastLength, file.LastPosition);
while (fs.Position < end && countBeforeNewline++ != maxCountBeforeNewline)
{
// read until last \n is found
b = fs.ReadByte();
if (b == '\n')
{
lastNewlinePos = fs.Position - 1;
countBeforeNewline = 0;
}
}
if (countBeforeNewline == maxCountBeforeNewline)
{
throw new InvalidOperationException("Log file " + this.fileMask + " may not be a plain text new line delimited file");
}
if (lastNewlinePos > -1)
{
// set file position ready for the next read right after the newline
fs.Position = file.LastPosition;
bytes = new BinaryReader(fs).ReadBytes((int)(lastNewlinePos - fs.Position));
// set position for next ping
file.LastPosition = lastNewlinePos + 1;
// read text and run regex to find ip addresses to ban
string subString = Encoding.UTF8.GetString(bytes);
string[] lines = subString.Split('\n');
string ipAddress = null;
string userName = null;
bool foundOne = false;
// find ip and user name from all lines
foreach (string line in lines)
{
IPBanLog.Write(LogLevel.Debug, "Parsing log file line {0}...", line);
bool foundMatch = IPBanService.GetIPAddressAndUserNameFromRegex(Regex, line.Trim(), ref ipAddress, ref userName);
if (foundMatch)
{
IPBanLog.Write(LogLevel.Debug, "Found match, ip: {0}, user: {1}", ipAddress, userName);
service.AddFailedLogin(ipAddress, Source, userName);
foundOne = true;
}
else
{
IPBanLog.Write(LogLevel.Debug, "No match!");
}
}
if (foundOne)
{
// signal that we have found ip addresses
ipEvent.Set();
}
}
return(maxFileSize > 0 && fs.Length > maxFileSize);
}
private void ExtractEventViewerXml(XmlDocument doc, out string ipAddress, out string source, out string userName)
{
XmlNode keywordsNode = doc.SelectSingleNode("//Keywords");
string keywordsText = keywordsNode.InnerText;
if (keywordsText.StartsWith("0x"))
{
keywordsText = keywordsText.Substring(2);
}
ulong keywordsULONG = ulong.Parse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);
ipAddress = source = userName = null;
if (keywordsNode != null)
{
// we must match on keywords
foreach (ExpressionsToBlockGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG))
{
foreach (ExpressionToBlock expression in group.Expressions)
{
// find all the nodes, try and get an ip from any of them, all must match
XmlNodeList nodes = doc.SelectNodes(expression.XPath);
if (nodes.Count == 0)
{
IPBanLog.Write(LogLevel.Information, "No nodes found for xpath {0}", expression.XPath);
ipAddress = null;
break;
}
// if there is a regex, it must match
if (string.IsNullOrWhiteSpace(expression.Regex))
{
// count as a match, do not modify the ip address if it was already set
IPBanLog.Write(LogLevel.Information, "No regex, so counting as a match");
}
else
{
bool foundMatch = false;
// try and find an ip from any of the nodes
foreach (XmlNode node in nodes)
{
// if we get a match, stop checking nodes
if ((foundMatch = IPBanService.GetIPAddressAndUserNameFromRegex(expression.RegexObject, node.InnerText, ref ipAddress, ref userName)))
{
break;
}
}
if (!foundMatch)
{
// match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban
IPBanLog.Write(LogLevel.Information, "Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath);
ipAddress = null;
break;
}
}
}
if (ipAddress != null)
{
source = group.Source;
break;
}
ipAddress = source = userName = null; // set null for the next node attempt
}
}
}