示例#1
0
        protected FirewallEvent ReadFirewallEvent(EventRecord record)
        {
            try
            {
                var PropertyValues = ((EventLogRecord)record).GetPropertyValues(eventPropertySelector);

                FirewallEvent args = new FirewallEvent();

                args.ProcessId = (int)(UInt64)PropertyValues[(int)EventProperties.ProcessID];
                string fileName = PropertyValues[(int)EventProperties.ProcessFileName].ToString();
                args.ProcessFileName = fileName.Equals("System", StringComparison.OrdinalIgnoreCase) ? "System" : MiscFunc.parsePath(fileName);

                args.Action = FirewallRule.Actions.Undefined;

                switch ((UInt16)PropertyValues[(int)EventProperties.EventID])
                {
                case (UInt16)EventIDs.Blocked: args.Action = FirewallRule.Actions.Block; break;

                case (UInt16)EventIDs.Allowed: args.Action = FirewallRule.Actions.Allow; break;

                default: return(null);
                }

                args.Protocol  = (UInt32)PropertyValues[(int)EventProperties.Protocol];
                args.Direction = FirewallRule.Directions.Unknown;
                if (PropertyValues[(int)EventProperties.Direction].ToString() == "%%14592")
                {
                    args.Direction     = FirewallRule.Directions.Inbound;
                    args.LocalAddress  = IPAddress.Parse(PropertyValues[(int)EventProperties.DestAddress].ToString());
                    args.LocalPort     = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.DestPort].ToString());
                    args.RemoteAddress = IPAddress.Parse(PropertyValues[(int)EventProperties.SourceAddress].ToString());
                    args.RemotePort    = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.SourcePort].ToString());
                }
                else if (PropertyValues[(int)EventProperties.Direction].ToString() == "%%14593")
                {
                    args.Direction     = FirewallRule.Directions.Outboun;
                    args.LocalAddress  = IPAddress.Parse(PropertyValues[(int)EventProperties.SourceAddress].ToString());
                    args.LocalPort     = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.SourcePort].ToString());
                    args.RemoteAddress = IPAddress.Parse(PropertyValues[(int)EventProperties.DestAddress].ToString());
                    args.RemotePort    = (UInt16)MiscFunc.parseInt(PropertyValues[(int)EventProperties.DestPort].ToString());
                }
                else
                {
                    return(null); // todo log error
                }
                args.TimeStamp = record.TimeCreated != null ? (DateTime)record.TimeCreated : DateTime.Now;

                // for debug only
                //if(!FirewallRule.MatchAddress(args.RemoteAddress, "LocalSubnet") && !NetFunc.IsMultiCast(args.RemoteAddress))
                //    AppLog.Debug("Firewall Event: {0}({1}) -> {2}", args.ProcessFileName, args.ProcessId, args.RemoteAddress);

                return(args);
            }
            catch (Exception err)
            {
                AppLog.Exception(err);
            }
            return(null);
        }
示例#2
0
文件: Program.cs 项目: safino9/priv10
        public FirewallRule.Actions LookupRuleAction(FirewallEvent FwEvent, NetworkMonitor.AdapterInfo NicInfo)
        {
            int BlockRules = 0;
            int AllowRules = 0;

            foreach (FirewallRuleEx rule in Rules.Values)
            {
                if (!rule.Enabled)
                {
                    continue;
                }
                if (rule.Direction != FwEvent.Direction)
                {
                    continue;
                }
                if (rule.Protocol != (int)NetFunc.KnownProtocols.Any && FwEvent.Protocol != rule.Protocol)
                {
                    continue;
                }
                if (((int)NicInfo.Profile & rule.Profile) == 0)
                {
                    continue;
                }
                if (rule.Interface != (int)FirewallRule.Interfaces.All && (int)NicInfo.Type != rule.Interface)
                {
                    continue;
                }
                if (!FirewallManager.MatchEndpoint(rule.RemoteAddresses, rule.RemotePorts, FwEvent.RemoteAddress, FwEvent.RemotePort, NicInfo))
                {
                    continue;
                }
                if (!FirewallManager.MatchEndpoint(rule.LocalAddresses, rule.LocalPorts, FwEvent.RemoteAddress, FwEvent.RemotePort, NicInfo))
                {
                    continue;
                }

                rule.HitCount++;

                if (rule.Action == FirewallRule.Actions.Allow)
                {
                    AllowRules++;
                }
                else if (rule.Action == FirewallRule.Actions.Block)
                {
                    BlockRules++;
                }
            }

            // Note: block rules take precedence
            if (BlockRules > 0)
            {
                return(FirewallRule.Actions.Block);
            }
            if (AllowRules > 0)
            {
                return(FirewallRule.Actions.Allow);
            }
            return(FirewallRule.Actions.Undefined);
        }
示例#3
0
        public FirewallRule.Actions LookupRuleAction(FirewallEvent FwEvent, NetworkMonitor.AdapterInfo NicInfo)
        {
            // Note: FwProfile should have only one bit set, but just in case we can haldnel more than one, but not accurately
            int BlockRules = 0;
            int AllowRules = 0;

            for (int i = 0; i < FwProfiles.Length; i++)
            {
                if (((int)NicInfo.Profile & (int)FwProfiles[i]) == 0)
                {
                    continue;
                }

                switch (FwEvent.Direction)
                {
                case FirewallRule.Directions.Inbound:
                    if (GetBlockAllInboundTraffic(FwProfiles[i]))
                    {
                        BlockRules++;
                    }
                    else
                    {
                        switch (GetDefaultInboundAction(FwProfiles[i]))
                        {
                        case FirewallRule.Actions.Allow: AllowRules++; break;

                        case FirewallRule.Actions.Block: BlockRules++; break;
                        }
                    }
                    break;

                case FirewallRule.Directions.Outbound:
                    switch (GetDefaultOutboundAction(FwProfiles[i]))
                    {
                    case FirewallRule.Actions.Allow: AllowRules++; break;

                    case FirewallRule.Actions.Block: BlockRules++; break;
                    }
                    break;
                }
            }

            // Note: block rules take precedence
            if (BlockRules > 0)
            {
                return(FirewallRule.Actions.Block);
            }
            if (AllowRules > 0)
            {
                return(FirewallRule.Actions.Allow);
            }
            return(FirewallRule.Actions.Undefined);
        }
示例#4
0
        private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
        {
            if (arg.EventRecord == null)
            {
                return;
            }

            FirewallEvent args = ReadFirewallEvent(arg.EventRecord);

            if (args != null)
            {
                FirewallEvent?.Invoke(this, args);
            }
        }
示例#5
0
        public List <FirewallEvent> LoadLog() // Note: this call takes some time to complete
        {
            List <FirewallEvent> Events = new List <FirewallEvent>();

            EventLogReader logReader = new EventLogReader(new EventLogQuery("Security", PathType.LogName, GetQuery()));

            for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
            {
                FirewallEvent args = ReadFirewallEvent(eventdetail);
                if (args != null)
                {
                    Events.Add(args);
                }
            }

            return(Events);
        }
示例#6
0
文件: Program.cs 项目: safino9/priv10
            public LogEntry(FirewallEvent Event, ProgramID progID)
            {
                guid    = Guid.NewGuid();
                FwEvent = Event;
                ProgID  = progID;

                if (NetFunc.IsLocalHost(FwEvent.RemoteAddress))
                {
                    Realm = Realms.LocalHost;
                }
                else if (NetFunc.IsMultiCast(FwEvent.RemoteAddress))
                {
                    Realm = Realms.MultiCast;
                }
                else if (FirewallManager.MatchAddress(FwEvent.RemoteAddress, FirewallRule.AddrKeywordLocalSubnet))
                {
                    Realm = Realms.LocalArea;
                }
                else
                {
                    Realm = Realms.Internet;
                }
            }
示例#7
0
 public LogEntry(FirewallEvent Event, ProgramID progID)
 {
     guid    = Guid.NewGuid();
     FwEvent = Event;
     ProgID  = progID;
 }