ASP-WAF Web application firewall for .Net 6, .Net 5, .Net Standard 2.1 and .Net Core 3.x

DiskManipulationEventArgs Class

Event arguments raised by the firewall when a disk manipulation has been discovered.

Namespace:  Walter.IO.EventArguments
Assembly:  Walter.BOM (in Walter.BOM.dll)

Syntax


public class DiskManipulationEventArgs

Remarks


These event arguments let you choose the action the firewall will take for all future requests.

Examples


The following code shows how to use the firewall to send an e-mail (if the mail add-on is installed) when a disk change is detected that was made by an application that is actually communicating via the network. This could be RemoteDesktop, WinVCM, TeamViewer, Telnet, FTP, etc.
C#
 /// <summary>
 /// Handles the firewall's disk-manipulation event: sends one security e-mail per
 /// entry in <c>e.Violation.Talking</c> and then sets the action on the event arguments.
 /// </summary>
 /// <param name="sender">The object that raised the event (not used here).</param>
 /// <param name="e">Event arguments carrying the violation and receiving the chosen action.</param>
 private void MyFireWall_OnDiskManipulation(object sender, DiskManipulationEventArgs e)
 {
     var firewall = this as IFireWall;

     // NOTE(review): one mail is sent per connection; a binary with many open
     // connections produces many alerts - consider aggregating if that is noisy.
     foreach (var connection in e.Violation.Talking)
     {
         var scope = connection.tcpRecord.Scope;

         // Only the subject differs between WAN and every other scope.
         var subject = scope == Walter.Net.Networking.CommunicationScopes.WAN
             ? "A file change with external communication was detected"
             : "A file change with internal communication was detected";

         var body = MakeEmailBody(scope, e.Violation.ExecutingBinary, connection.tcpRecord.RemoteAddress);

         // The final 'true' presumably marks the body as HTML - confirm against SendEmail.
         firewall.SendEmail(EMailRoles.SecurityRelevant, subject, body, true);
     }

     // Applied regardless of how many (if any) connections were reported.
     e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
 }

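 /// <summary>
 /// Builds the HTML body of the disk-manipulation alert e-mail.
 /// </summary>
 /// <param name="scope">Network scope of the connection; WAN yields the extended body with location and WHOIS details.</param>
 /// <param name="executingBinary">The binary reported as having changed the disk.</param>
 /// <param name="remoteAddress">Remote address of the connection the binary was using.</param>
 /// <returns>An HTML fragment to be used as the mail body.</returns>
 private string MakeEmailBody(Walter.Net.Networking.CommunicationScopes scope, string executingBinary, IPAddress remoteAddress)
 {
     // Every value is HTML-encoded before it is placed in the markup, so a crafted
     // file path or location string cannot inject markup into the alert mail.
     // Interpolation is used instead of chained Replace() calls so that a value
     // containing text such as "{WhoIs}" is never expanded by a later substitution.
     var applicationPath = System.Net.WebUtility.HtmlEncode(executingBinary);
     var ipAddress = System.Net.WebUtility.HtmlEncode(remoteAddress.ToString());

     if (scope == Walter.Net.Networking.CommunicationScopes.WAN)
     {
         var map = _geo.QueryMapLocation(remoteAddress);
         var whois = Whois(remoteAddress);

         var city = System.Net.WebUtility.HtmlEncode(map.City);
         var country = System.Net.WebUtility.HtmlEncode(map.Country);
         var link = System.Net.WebUtility.HtmlEncode(map.GoogleMapLocation().AbsoluteUri);

         // NOTE(review): WHOIS records are written by whoever registered the address
         // range. ToHtml() is inserted as markup here on the assumption that it
         // escapes the record's fields itself - confirm before relying on it.
         var whoisHtml = whois.ToHtml();

         return $@"
             <p>
                 We have detected a disk change by {applicationPath} from IP address: {ipAddress}
             </p><p>
                 While capturing the issue we recorded the IP coming from {city} - {country} <a href=""{link}"">google maps link</a></p><p>The IP address is managed by :<br />
                 {whoisHtml}
             </p>
              ";
     }

     return $@"<p> We have detected a disk change by {applicationPath} from IP address: {ipAddress}-{scope}</p>";
 }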
}