private void onEventLogMessage(EventLogMessage obj)
{
// IP of the AuditFailure log should be stored on offset 19
if (obj.ReplacementStrings.Length < 20)
{
return;
}
var ip = obj.ReplacementStrings[19];
if (!IPAddress.TryParse(ip, out var ipAddress))
{
return;
}
var eventArg = new RDPEventArgs(ip);
OnAuditFailure?.Invoke(this, new RDPEventArgs(ip));
if (!eventArg.IsCancel)
{
// add the IP to our limit counter
_auditFailureCounter.Count(ip);
}
}
private void onAuditFailureLimitReached(string ip)
{
var ipAddress = IPAddress.Parse(ip);
if (ipAddress.IsInRange(_settings.Whitelist))
{
// IP is whitelisted
return;
}
var eventArg = new RDPEventArgs(ip);
OnIPBlocked?.Invoke(this, eventArg);
if (!eventArg.IsCancel)
{
_firewallBlock.Add(ip);
}
}
private static void onAuditFailureEvent(object sender, RDPEventArgs e)
{
//e.IsCancel = true;
Debug.WriteLine($"Audit Failure ({e.IP})");
}
private static void onIPBlockedEvent(object sender, RDPEventArgs e)
{
//e.IsCancel = true;
Debug.WriteLine($"IP Blocked ({e.IP})");
}