FireWallDiskManipulationEventArgs Class
Event arguments raised by the firewall when a disk manipulation has been discovered
Namespace: Walter.Web.FireWall.EventArguments
Assembly: Walter.Web.FireWall (in Walter.Web.FireWall.dll)
Remarks
Examples
C#
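/// <summary>
/// Handles the firewall's disk-manipulation event: sends one security e-mail per entry in
/// <c>e.Violation.Talking</c> and then sets the action the firewall should take.
/// </summary>
/// <param name="sender">Object that raised the event; not used by this handler.</param>
/// <param name="e">Event data holding the violation details and the resulting action.</param>
// NOTE(review): this page documents FireWallDiskManipulationEventArgs while the sample takes
// DiskManipulationEventArgs - confirm which type name the event delegate expects.
private void MyFireWall_OnDiskManipulation(object sender, DiskManipulationEventArgs e)
{
    // SendEmail is reached through the IFireWall interface. A direct cast fails with a clear
    // InvalidCastException instead of dereferencing the null an "as" cast would produce.
    var fireWall = (IFireWall)this;

    // One message is sent per entry, so a binary with many recorded connections produces
    // many e-mails; batch or rate-limit here if the mailbox must stay usable during an incident.
    foreach (var item in e.Violation.Talking)
    {
        var scope = item.tcpRecord.Scope;

        // Only the subject differs between WAN and non-WAN traffic; the body is built the same way.
        var subject = scope == Walter.Net.Networking.CommunicationScopes.WAN
            ? "A file change with external communication was detected"
            : "A file change with internal communication was detected";

        // NOTE(review): the final "true" presumably marks the body as HTML - confirm against IFireWall.SendEmail.
        fireWall.SendEmail(EMailRoles.SecurityRelevant
                         , subject
                         , MakeEmailBody(scope, e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                         , true);
    }

    // NOTE(review): the flag names suggest the application is stopped and stays stopped after a
    // reboot - confirm against the ApplicationCompromisedActions documentation before copying this.
    e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
}

/// <summary>
/// Builds the HTML body of the alert e-mail for one recorded connection.
/// </summary>
/// <param name="scope">Communication scope of the connection; WAN adds geo-location and WHOIS details.</param>
/// <param name="executingBinary">Path of the binary reported in the violation.</param>
/// <param name="remoteAddress">Remote address of the recorded connection.</param>
/// <returns>An HTML fragment describing the disk change.</returns>
private string MakeEmailBody(Walter.Net.Networking.CommunicationScopes scope, string executingBinary, IPAddress remoteAddress)
{
    // Every value placed into the markup is HTML-encoded first, so a path, city name or URL
    // containing markup characters cannot alter the structure of the message. Interpolation is
    // used instead of chained Replace calls so that an inserted value which happens to contain
    // a "{Placeholder}" token is never substituted a second time.
    var applicationPath = System.Net.WebUtility.HtmlEncode(executingBinary);
    var ipAddress = System.Net.WebUtility.HtmlEncode(remoteAddress.ToString());

    if (scope == Walter.Net.Networking.CommunicationScopes.WAN)
    {
        var map = _geo.QueryMapLocation(remoteAddress);
        var whois = Whois(remoteAddress);

        var city = System.Net.WebUtility.HtmlEncode(map.City);
        var country = System.Net.WebUtility.HtmlEncode(map.Country);
        var link = System.Net.WebUtility.HtmlEncode(map.GoogleMapLocation().AbsoluteUri);

        // NOTE(review): ToHtml() presumably returns ready-made markup, so it is inserted as-is.
        // WHOIS records are written by the address holder; confirm ToHtml() encodes field values.
        var whoisHtml = whois.ToHtml();

        return $@"
<p> We have detected a disk change by {applicationPath} from IP address: {ipAddress} </p>
<p> While capturing the issue we recorded the IP coming from {city} - {country} <a href=""{link}"">google maps link</a></p>
<p>The IP address is managed by :<br /> {whoisHtml} </p>
";
    }

    return $@"<p> We have detected a disk change by {applicationPath} from IP address: {ipAddress}-{scope}</p>";
}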