private bool PingFile(WatchedFile file, FileStream fs)
{
const int maxCountBeforeNewline = 1024;
int b;
long lastNewlinePos = -1;
long end = Math.Min(file.LastLength, fs.Length);
int countBeforeNewline = 0;
fs.Position = file.LastPosition;
IPBanLog.Info("Processing watched file {0}, len = {1}, pos = {2}", file.FileName, file.LastLength, file.LastPosition);
while (fs.Position < end && countBeforeNewline++ != maxCountBeforeNewline)
{
// read until last \n is found
b = fs.ReadByte();
if (b == '\n')
{
lastNewlinePos = fs.Position - 1;
countBeforeNewline = 0;
}
}
if (countBeforeNewline == maxCountBeforeNewline)
{
throw new InvalidOperationException($"Log file '{fileMask}' may not be a plain text new line delimited file");
}
if (lastNewlinePos > -1)
{
try
{
// we could read line by line by going one byte at a time, but the hope here is that by taking
// advantage of stream reader and binary reader read bytes we can get some improved cpu usage
// at the expense of having to store all the bytes in memory for a small time
fs.Position = file.LastPosition;
byte[] bytes = new BinaryReader(fs).ReadBytes((int)(lastNewlinePos - fs.Position));
using (StreamReader reader = new StreamReader(new MemoryStream(bytes), Encoding.UTF8))
{
string line;
while ((line = reader.ReadLine()) != null)
{
line = line.Trim();
if (!OnProcessLine(line) || (ProcessLine != null && !ProcessLine(line)))
{
break;
}
}
}
}
finally
{
// set file position for next ping
fs.Position = file.LastPosition = ++lastNewlinePos;
}
}
return(maxFileSize > 0 && fs.Length > maxFileSize);
}
/// <summary>
/// Easy way to execute processes. Timeout to complete is 30 seconds.
/// </summary>
/// <param name="program">Program to run</param>
/// <param name="args">Arguments</param>
/// <param name="allowedExitCode">Allowed exit codes, if empty not checked, otherwise a mismatch will throw an exception.</param>
public static void StartProcessAndWait(string program, string args, params int[] allowedExitCode)
{
IPBanLog.Info($"Executing process {program} {args}...");
var p = new Process
{
StartInfo = new ProcessStartInfo(program, args)
{
CreateNoWindow = true,
UseShellExecute = false,
WindowStyle = ProcessWindowStyle.Hidden,
Verb = "runas"
}
};
p.Start();
if (!p.WaitForExit(30000))
{
p.Kill();
}
if (allowedExitCode.Length != 0 && Array.IndexOf(allowedExitCode, p.ExitCode) < 0)
{
throw new ApplicationException($"Program {program} {args}: failed with exit code {p.ExitCode}");
}
}
/// <summary>
/// Process event viewer XML
/// </summary>
/// <param name="xml">XML</param>
public void ProcessEventViewerXml(string xml)
{
IPBanLog.Info("Processing event viewer xml: {0}", xml);
XmlDocument doc = ParseXml(xml);
IPAddressLogInfo info = ExtractEventViewerXml(doc);
if (info != null && info.FoundMatch && AddFailedLoginForEventViewerXml(info, doc))
{
IPBanLog.Info("Event viewer found: {0}, {1}, {2}", info.IPAddress, info.Source, info.UserName);
}
}
private IPAddressLogInfo ExtractEventViewerXml(XmlDocument doc)
{
XmlNode keywordsNode = doc.SelectSingleNode("//Keywords");
string keywordsText = keywordsNode.InnerText;
if (keywordsText.StartsWith("0x"))
{
keywordsText = keywordsText.Substring(2);
}
ulong keywordsULONG = ulong.Parse(keywordsText, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);
IPAddressLogInfo info = null;
if (keywordsNode != null)
{
// we must match on keywords
foreach (ExpressionsToBlockGroup group in service.Config.WindowsEventViewerGetGroupsMatchingKeywords(keywordsULONG))
{
foreach (ExpressionToBlock expression in group.Expressions)
{
// find all the nodes, try and get an ip from any of them, all must match
XmlNodeList nodes = doc.SelectNodes(expression.XPath);
if (nodes.Count == 0)
{
IPBanLog.Info("No nodes found for xpath {0}", expression.XPath);
info = null;
break;
}
// if there is a regex, it must match
if (string.IsNullOrWhiteSpace(expression.Regex))
{
// count as a match, do not modify the ip address if it was already set
IPBanLog.Info("No regex, so counting as a match");
}
else
{
info = null;
// try and find an ip from any of the nodes
foreach (XmlNode node in nodes)
{
// if we get a match, stop checking nodes
info = IPBanService.GetIPAddressInfoFromRegex(service.DnsLookup, expression.RegexObject, node.InnerText);
if (info.FoundMatch)
{
break;
}
}
if (info != null && !info.FoundMatch)
{
// match fail, null out ip, we have to match ALL the nodes or we get null ip and do not ban
IPBanLog.Info("Regex {0} did not match any nodes with xpath {1}", expression.Regex, expression.XPath);
info = null;
break;
}
}
}
if (info != null && info.FoundMatch && info.IPAddress != null)
{
info.Source = info.Source ?? group.Source;
break;
}
info = null; // set null for next attempt
}
}
return(info);
}
private bool PingFile(WatchedFile file, FileStream fs)
{
const int maxCountBeforeNewline = 1024;
int b;
long lastNewlinePos = -1;
byte[] bytes;
long end = Math.Min(file.LastLength, fs.Length);
int countBeforeNewline = 0;
fs.Position = file.LastPosition;
IPBanLog.Info("Processing watched file {0}, len = {1}, pos = {2}", file.FileName, file.LastLength, file.LastPosition);
while (fs.Position < end && countBeforeNewline++ != maxCountBeforeNewline)
{
// read until last \n is found
b = fs.ReadByte();
if (b == '\n')
{
lastNewlinePos = fs.Position - 1;
countBeforeNewline = 0;
}
}
if (countBeforeNewline == maxCountBeforeNewline)
{
throw new InvalidOperationException("Log file " + this.fileMask + " may not be a plain text new line delimited file");
}
if (lastNewlinePos > -1)
{
// set file position ready for the next read right after the newline
fs.Position = file.LastPosition;
bytes = new BinaryReader(fs).ReadBytes((int)(lastNewlinePos - fs.Position));
// set position for next ping
file.LastPosition = lastNewlinePos + 1;
// read text and run regex to find ip addresses to ban
string subString = Encoding.UTF8.GetString(bytes);
string[] lines = subString.Split('\n');
bool foundOne = false;
// find ip and user name from all lines
foreach (string line in lines)
{
string trimmedLine = line.Trim();
IPBanLog.Debug("Parsing log file line {0}...", trimmedLine);
IPAddressLogInfo info = IPBanService.GetIPAddressInfoFromRegex(dns, Regex, trimmedLine);
if (info.FoundMatch)
{
info.Source = info.Source ?? Source;
IPBanLog.Debug("Log file found match, ip: {0}, user: {1}, source: {2}, count: {3}", info.IPAddress, info.UserName, info.Source, info.Count);
failedLogin.AddFailedLogin(info);
foundOne = true;
}
else
{
IPBanLog.Debug("No match for line {0}", line);
}
}
if (foundOne)
{
// signal that we have found ip addresses
ipEvent.Set();
}
}
return(maxFileSize > 0 && fs.Length > maxFileSize);
}
