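/// <summary>
/// Handles a disk-manipulation violation: mails one security-relevant notification per
/// recorded connection of the offending binary, then asks the firewall to shut the
/// application down (the <c>PersistOnReboot</c> flag name suggests the decision survives a
/// restart - confirm against the Walter.Net documentation).
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Violation details; <c>e.Action</c> is written to choose the response.</param>
private void MyFireWall_OnDiskManipulation(object sender, DiskManipulationEventArgs e)
{
    // Direct cast instead of `as`: a failed `as` would surface as a NullReferenceException
    // at the SendEmail call, while InvalidCastException names the actual problem.
    IFireWall fireWall = (IFireWall)this;

    foreach (var item in e.Violation.Talking)
    {
        // Only the subject differs between WAN and non-WAN connections; the body already
        // carries the scope, so a single SendEmail call is enough.
        var subject = item.tcpRecord.Scope == Walter.Net.Networking.CommunicationScopes.WAN
            ? "A file change with external communication was detected"
            : "A file change with internal communication was detected";

        // NOTE(review): the trailing `true` is passed unchanged from the original; its
        // meaning (presumably "body is HTML") is not visible here - confirm.
        fireWall.SendEmail(EMailRoles.SecurityRelevant,
            subject,
            MakeEmailBody(item.tcpRecord.Scope, e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress),
            true);
    }

    // Respond by shutting the compromised application down; the flags are combined as in
    // the original handler.
    e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;
}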
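/// <summary>
/// Builds the notification body for a disk-manipulation violation. For WAN connections the
/// body is HTML (it embeds <c>whois.ToHtml()</c>) and includes the geo-location of the
/// remote address; for other scopes a one-line body is returned.
/// </summary>
/// <param name="scope">Scope of the connection that accompanied the disk change.</param>
/// <param name="executingBinary">Path of the binary that changed the file.</param>
/// <param name="remoteAddress">Remote end of the connection.</param>
/// <returns>The e-mail body text.</returns>
private string MakeEmailBody(Walter.Net.Networking.CommunicationScopes scope, string executingBinary, IPAddress remoteAddress)
{
    // The listing declared this method twice (once with `CommunicationScope`, once with
    // `CommunicationScopes`); the handler and the comparison below both use
    // `CommunicationScopes`, so that is the signature kept.
    var ip = remoteAddress.ToString();

    if (scope == Walter.Net.Networking.CommunicationScopes.WAN)
    {
        var map = _geo.QueryMapLocation(remoteAddress);
        var whois = Whois(remoteAddress);

        // This body is HTML, so values that did not originate in this code (the binary
        // path and the geo-IP strings) are encoded before they are embedded; the whois
        // block already arrives as HTML.
        var path = System.Net.WebUtility.HtmlEncode(executingBinary);
        var city = System.Net.WebUtility.HtmlEncode(map.City);
        var country = System.Net.WebUtility.HtmlEncode(map.Country);

        // The original template referenced no {Link} placeholder although a {Link}
        // substitution existed, and the text read "google maps linkThe IP address" - the
        // anchor's tags had evidently been stripped, so it is restored here.
        return $@"
We have detected a disk change by {path} from IP address: {ip}
While capturing the issue we recorded the IP coming from {city} - {country} <a href=""{map.GoogleMapLocation().AbsoluteUri}"">google maps link</a>
The IP address is managed by :
{whois.ToHtml()}
";
    }

    // NOTE(review): this branch is sent with the same SendEmail flag as the HTML body
    // above, but nothing here shows whether it is rendered as HTML; the path is left
    // unencoded to preserve the original plain-text output - confirm and encode if HTML.
    return $@" We have detected a disk change by {executingBinary} from IP address: {ip}-{scope}";
}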
}