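/// <summary>
/// Converts one Security-log audit record into a <see cref="FirewallEvent"/>.
/// Only records whose event ID is <see cref="EventIDs.Blocked"/> or
/// <see cref="EventIDs.Allowed"/> and whose direction token is recognised are accepted.
/// </summary>
/// <param name="record">The raw record; it is cast to <see cref="EventLogRecord"/> so the
/// property selector can be applied.</param>
/// <returns>
/// The parsed event, or <c>null</c> when the record is not a block/allow verdict, its direction
/// token is unknown, or any property fails to convert (the exception is logged via AppLog and
/// never propagates to the caller).
/// </returns>
protected FirewallEvent ReadFirewallEvent(EventRecord record)
{
    try
    {
        var propertyValues = ((EventLogRecord)record).GetPropertyValues(eventPropertySelector);

        FirewallEvent args = new FirewallEvent();
        args.ProcessId = (int)(UInt64)propertyValues[(int)EventProperties.ProcessID];

        // The record reports the literal "System" instead of a path for kernel-originated traffic;
        // only real paths are normalised through MiscFunc.parsePath.
        string fileName = propertyValues[(int)EventProperties.ProcessFileName].ToString();
        args.ProcessFileName = fileName.Equals("System", StringComparison.OrdinalIgnoreCase)
            ? "System"
            : MiscFunc.parsePath(fileName);

        args.Action = FirewallRule.Actions.Undefined;
        switch ((UInt16)propertyValues[(int)EventProperties.EventID])
        {
            case (UInt16)EventIDs.Blocked:
                args.Action = FirewallRule.Actions.Block;
                break;
            case (UInt16)EventIDs.Allowed:
                args.Action = FirewallRule.Actions.Allow;
                break;
            default:
                // Not a connection verdict; the query should not deliver these, but ignore them anyway.
                return null;
        }

        args.Protocol = (UInt32)propertyValues[(int)EventProperties.Protocol];

        // The direction property is a string token: "%%14592" is inbound, "%%14593" is outbound.
        // Which of the record's Source/Dest endpoints is the *local* one depends on that direction,
        // so the swap below is intentional.
        string direction = propertyValues[(int)EventProperties.Direction].ToString();
        args.Direction = FirewallRule.Directions.Unknown;
        if (direction == "%%14592")
        {
            args.Direction = FirewallRule.Directions.Inbound;
            args.LocalAddress = IPAddress.Parse(propertyValues[(int)EventProperties.DestAddress].ToString());
            args.LocalPort = (UInt16)MiscFunc.parseInt(propertyValues[(int)EventProperties.DestPort].ToString());
            args.RemoteAddress = IPAddress.Parse(propertyValues[(int)EventProperties.SourceAddress].ToString());
            args.RemotePort = (UInt16)MiscFunc.parseInt(propertyValues[(int)EventProperties.SourcePort].ToString());
        }
        else if (direction == "%%14593")
        {
            args.Direction = FirewallRule.Directions.Outbound;
            args.LocalAddress = IPAddress.Parse(propertyValues[(int)EventProperties.SourceAddress].ToString());
            args.LocalPort = (UInt16)MiscFunc.parseInt(propertyValues[(int)EventProperties.SourcePort].ToString());
            args.RemoteAddress = IPAddress.Parse(propertyValues[(int)EventProperties.DestAddress].ToString());
            args.RemotePort = (UInt16)MiscFunc.parseInt(propertyValues[(int)EventProperties.DestPort].ToString());
        }
        else
        {
            return null; // todo log error
        }

        // TimeCreated is nullable; when it is missing the stamp is the time the record was *read*,
        // not the time the connection happened, so it should not be relied on for correlation.
        args.TimeStamp = record.TimeCreated ?? DateTime.Now;

        // for debug only
        //if(!FirewallRule.MatchAddress(args.RemoteAddress, "LocalSubnet") && !NetFunc.IsMultiCast(args.RemoteAddress))
        //    AppLog.Debug("Firewall Event: {0}({1}) -> {2}", args.ProcessFileName, args.ProcessId, args.RemoteAddress);

        return args;
    }
    catch (Exception err)
    {
        // A malformed record (e.g. an unparsable address) must not take the log reader down.
        AppLog.Exception(err);
    }
    return null;
}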
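/// <summary>
/// Evaluates the enabled rules in <c>Rules</c> against a firewall event and reports the
/// action the rule set would take for it.
/// </summary>
/// <param name="FwEvent">The event to classify (direction, protocol, local and remote endpoint).</param>
/// <param name="NicInfo">The adapter the event was seen on; its profile and type are matched
/// against the rule's profile mask and interface selector.</param>
/// <returns>
/// <see cref="FirewallRule.Actions.Block"/> if any matching rule blocks (block rules take
/// precedence), otherwise <see cref="FirewallRule.Actions.Allow"/> if any matching rule allows,
/// otherwise <see cref="FirewallRule.Actions.Undefined"/>.
/// </returns>
/// <remarks>
/// Side effect: <c>HitCount</c> is incremented on every rule that matches, regardless of its action.
/// </remarks>
public FirewallRule.Actions LookupRuleAction(FirewallEvent FwEvent, NetworkMonitor.AdapterInfo NicInfo)
{
    int blockRules = 0;
    int allowRules = 0;

    foreach (FirewallRuleEx rule in Rules.Values)
    {
        if (!rule.Enabled)
            continue;
        if (rule.Direction != FwEvent.Direction)
            continue;
        if (rule.Protocol != (int)NetFunc.KnownProtocols.Any && FwEvent.Protocol != rule.Protocol)
            continue;
        if (((int)NicInfo.Profile & rule.Profile) == 0)
            continue;
        if (rule.Interface != (int)FirewallRule.Interfaces.All && (int)NicInfo.Type != rule.Interface)
            continue;
        if (!FirewallManager.MatchEndpoint(rule.RemoteAddresses, rule.RemotePorts, FwEvent.RemoteAddress, FwEvent.RemotePort, NicInfo))
            continue;
        // The rule's *local* endpoint must be matched against the event's *local* endpoint;
        // comparing it with the remote endpoint silently made local-address restrictions ineffective.
        if (!FirewallManager.MatchEndpoint(rule.LocalAddresses, rule.LocalPorts, FwEvent.LocalAddress, FwEvent.LocalPort, NicInfo))
            continue;

        rule.HitCount++;

        if (rule.Action == FirewallRule.Actions.Allow)
            allowRules++;
        else if (rule.Action == FirewallRule.Actions.Block)
            blockRules++;
    }

    // Note: block rules take precedence
    if (blockRules > 0)
        return FirewallRule.Actions.Block;
    if (allowRules > 0)
        return FirewallRule.Actions.Allow;
    return FirewallRule.Actions.Undefined;
}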
/// <summary>
/// Derives the action the per-profile defaults would apply to an event when no explicit rule
/// matches: the "block all inbound" switch and the default inbound/outbound action of every
/// profile that is active on the adapter are tallied.
/// </summary>
/// <param name="FwEvent">The event; only its direction is consulted.</param>
/// <param name="NicInfo">The adapter; its profile bits select which entries of <c>FwProfiles</c> count.</param>
/// <returns>
/// <see cref="FirewallRule.Actions.Block"/> if any active profile blocks (block takes precedence),
/// <see cref="FirewallRule.Actions.Allow"/> if any allows, otherwise
/// <see cref="FirewallRule.Actions.Undefined"/> (e.g. for an unknown direction).
/// </returns>
/// <remarks>
/// Note: the adapter profile should have only one bit set; if several are set they are all
/// tallied, which is tolerated but not accurate.
/// </remarks>
public FirewallRule.Actions LookupRuleAction(FirewallEvent FwEvent, NetworkMonitor.AdapterInfo NicInfo)
{
    int blocking = 0;
    int allowing = 0;

    foreach (var profile in FwProfiles)
    {
        bool profileActive = ((int)NicInfo.Profile & (int)profile) != 0;
        if (!profileActive)
            continue;

        FirewallRule.Actions defaultAction;
        if (FwEvent.Direction == FirewallRule.Directions.Inbound)
        {
            if (GetBlockAllInboundTraffic(profile))
            {
                blocking++;
                continue;
            }
            defaultAction = GetDefaultInboundAction(profile);
        }
        else if (FwEvent.Direction == FirewallRule.Directions.Outbound)
        {
            defaultAction = GetDefaultOutboundAction(profile);
        }
        else
        {
            continue; // unknown direction contributes nothing
        }

        if (defaultAction == FirewallRule.Actions.Allow)
            allowing++;
        else if (defaultAction == FirewallRule.Actions.Block)
            blocking++;
    }

    // Note: block rules take precedence
    if (blocking > 0)
        return FirewallRule.Actions.Block;
    return allowing > 0 ? FirewallRule.Actions.Allow : FirewallRule.Actions.Undefined;
}
/// <summary>
/// Handler for the event-log subscription: parses the newly written record and raises
/// the <c>FirewallEvent</c> event for it. Records without a payload or that
/// <see cref="ReadFirewallEvent"/> rejects are dropped silently.
/// </summary>
/// <param name="obj">The sender (unused).</param>
/// <param name="arg">Carries the written <see cref="EventRecord"/>, which may be null.</param>
private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
{
    EventRecord record = arg.EventRecord;
    if (record == null)
        return;

    FirewallEvent parsed = ReadFirewallEvent(record);
    if (parsed == null)
        return;

    FirewallEvent?.Invoke(this, parsed);
}
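/// <summary>
/// Reads every record matching <c>GetQuery()</c> from the Security event log and converts
/// it with <see cref="ReadFirewallEvent"/>. Note: this call takes some time to complete.
/// </summary>
/// <returns>The parsed events in log order; records that do not parse are skipped.</returns>
public List<FirewallEvent> LoadLog()
{
    List<FirewallEvent> events = new List<FirewallEvent>();

    // The reader and each record wrap native event-log handles; dispose them deterministically
    // instead of leaving them to the finalizer, even when parsing throws part-way through.
    using (EventLogReader logReader = new EventLogReader(new EventLogQuery("Security", PathType.LogName, GetQuery())))
    {
        for (;;)
        {
            using (EventRecord eventdetail = logReader.ReadEvent())
            {
                if (eventdetail == null)
                    break; // end of log

                FirewallEvent args = ReadFirewallEvent(eventdetail);
                if (args != null)
                    events.Add(args);
            }
        }
    }

    return events;
}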
/// <summary>
/// Creates a log entry for a firewall event and classifies the remote endpoint into a
/// <c>Realms</c> bucket: loopback, multicast, the local subnet, or the Internet (in that
/// order of precedence).
/// </summary>
/// <param name="Event">The parsed firewall event; its remote address drives the realm.</param>
/// <param name="progID">The program the event is attributed to.</param>
public LogEntry(FirewallEvent Event, ProgramID progID)
{
    guid = Guid.NewGuid();
    FwEvent = Event;
    ProgID = progID;

    var remote = FwEvent.RemoteAddress;
    Realm = NetFunc.IsLocalHost(remote) ? Realms.LocalHost
          : NetFunc.IsMultiCast(remote) ? Realms.MultiCast
          : FirewallManager.MatchAddress(remote, FirewallRule.AddrKeywordLocalSubnet) ? Realms.LocalArea
          : Realms.Internet;
}
/// <summary>
/// Creates a log entry that binds a firewall event to the program it was attributed to
/// and assigns it a fresh identifier.
/// </summary>
/// <param name="Event">The parsed firewall event.</param>
/// <param name="progID">The program the event is attributed to.</param>
public LogEntry(FirewallEvent Event, ProgramID progID)
{
    FwEvent = Event;
    ProgID = progID;
    guid = Guid.NewGuid(); // unique per entry so duplicates of the same event stay distinguishable
}