private void AddNetwork()
{
smartLabelInvalidNetwork.Visible = false;
try {
string ipnet = IddsConfig.ConvertStringToIpAddressNetwork(textBoxAddNetwork.Text);
if (EditExisting)
{
listBoxSafeNetworks.Items.Remove(listBoxSafeNetworks.SelectedItem);
}
listBoxSafeNetworks.Items.Add(new IddsConfig.CSafeNetwork(ipnet.Split('/')[0], ipnet.Split('/')[1]));
HideNetworkPanel();
listBoxSafeNetworks.Focus();
} catch (Exception ex) {
smartLabelInvalidNetwork.Text = ex.Message;
smartLabelInvalidNetwork.Visible = true;
}
}
internal void AddRule(string name, int port, NET_FW_IP_PROTOCOL_ protocol, NetFwTypeLib.NET_FW_RULE_DIRECTION_ direction,
NetFwTypeLib.NET_FW_SCOPE_ scope, NetFwTypeLib.NET_FW_ACTION_ action, string remoteAddress)
{
bool ruleExists = false;
string ipAddress;
string ruleName = GetRuleName(name, port);
INetFwRule rule = GetRule(ruleName);
if (rule != null)
{
ruleExists = true;
}
else
{
try {
rule = (INetFwRule)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FWRule", true));
} catch (Exception x) {
throw x;
}
}
if (IddsConfig.IsValidIpAddress(remoteAddress))
{
ipAddress = remoteAddress;
}
else
{
throw new ArgumentOutOfRangeException("IP address must be given in IP version 4 or IP version 6 format!");
}
// ipAddress = String.Format("{0}/255.255.255.255", ipAddress);
if (!ruleExists)
{
rule.Action = action;
rule.Grouping = Globals.CYBERARMS_WINDOWS_IDS_GROUP_NAME;
rule.Protocol = (int)NET_FW_IP_PROTOCOL_.NET_FW_IP_PROTOCOL_TCP;
rule.Description = Globals.CYBERARMS_WINDOWS_IDS_GROUP_NAME + " rule";
rule.Direction = direction;
rule.Enabled = true;
if (port > 0)
{
rule.LocalPorts = port.ToString();
}
rule.Name = ruleName;
rule.RemoteAddresses = ipAddress;
// rule.RemotePorts = "";
firewallPolicyManager.Rules.Add(rule);
}
else
{
rule.Enabled = true;
if (rule.RemoteAddresses.Trim().Equals("*"))
{
rule.RemoteAddresses = ipAddress;
}
else
{
rule.RemoteAddresses = String.Format("{0},{1}", rule.RemoteAddresses, ipAddress);
}
}
}
void Service_AttackDetected(object sender, INotificationEventArgs notificationEventArgs)
{
try
{
if (notificationEventArgs == null)
{
if (IddsConfig.Instance.IsDebug)
{
// the following error should just be thrown when running in debug mode.
throw new ApplicationException("Operation not supported. EventArgs must be passed as NotificationEventArgs");
}
else
{
// otherwise write to the log file
WindowsLogManager.Instance.WriteEntry("Plugin error: the lock delegate was called, but notificationEventArgs must not be null!",
EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_INVALID_FUNCTION_CALL, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
return;
}
}
SecurityAgent reportingAgent = SecurityAgents.Instance.FindByName((sender as IAgentPlugin).Configuration.AgentName);
long incidentId;
if (IddsConfig.IsValidIpAddress(notificationEventArgs.IpAddress))
{
Statistics.Instance.IncreaseFailedLoginStatistics(reportingAgent);
System.Net.IPAddress ipAddress;
if (System.Net.IPAddress.TryParse(notificationEventArgs.IpAddress, out ipAddress) && IddsConfig.Instance.IsIpAddressLocal(ipAddress))
{
incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_LOCAL, false);
}
else if (IddsConfig.Instance.UseSafeNetworkList && IddsConfig.Instance.IsInSafeNetwork(notificationEventArgs.IpAddress))
{
incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
IntrusionLog.STATUS_INTRUSION_ATTEMPT_FROM_SAFE, false);
}
else
{
incidentId = IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id, notificationEventArgs.IpAddress,
IntrusionLog.STATUS_INTRUSION_ATTEMPT, false);
try
{
if (!Locks.LockExists(notificationEventArgs.IpAddress))
{
LockType lockType = reportingAgent.GetCurrentLockType(notificationEventArgs.IpAddress);
switch (lockType)
{
case LockType.SoftLockRequested:
//IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id,
// notificationEventArgs.IpAddress, IntrusionLog.STATUS_SOFT_LOCK_REQUESTED, false);
LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddMinutes(IddsConfig.Instance.GetSoftLockMinutes(reportingAgent)), incidentId, Lock.LOCK_STATUS_SOFTLOCK, 0, notificationEventArgs.IpAddress), LockType.SoftLock, reportingAgent);
break;
case LockType.SoftLock:
// already locked, ignore
break;
case LockType.HardLockRequested:
//IntrusionLog.AddEntry(notificationEventArgs.CreateDate, reportingAgent.Id,
// notificationEventArgs.IpAddress, IntrusionLog.STATUS_HARD_LOCK_REQUESTED, false);
LockDownIp(Locks.CreateLock(DateTime.Now, DateTime.Now.AddHours(IddsConfig.Instance.GetHardLockHours(reportingAgent)), incidentId, Lock.LOCK_STATUS_HARDLOCK, 0, notificationEventArgs.IpAddress), LockType.HardLock, reportingAgent);
break;
}
}
}
catch (Exception ex)
{
WindowsLogManager.Instance.WriteEntry(String.Format("Unrecoverable error: {0}",
ex.Message), EventLogEntryType.FailureAudit, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR,
Globals.CYBERARMS_LOG_CATEGORY_RUNTIME);
// OnClientIpAddressSoftLocked(new Lock( new Client(notificationEventArgs.IpAddress), ex);
}
}
}
else
{
return;
}
}
catch (Exception ex)
{
WindowsLogManager.Instance.WriteEntry(String.Format("AttackDetected delegate invocation of {0} caused a problem. \r\nDetails:\r\n{1}", (sender != null ? sender.GetType().Name : "unknown"), ex.Message),
EventLogEntryType.Error, Globals.CYBERARMS_EVENT_ID_PLUGIN_ERROR, Globals.CYBERARMS_LOG_CATEGORY_PLUGIN);
}
}
