public class FireWallDiskManipulationEventArgs : Walter.IO.EventArguments.DiskManipulationEventArgs
public class FireWallDiskManipulationEventArgs : Walter.IO.EventArguments.DiskManipulationEventArgs
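/// <summary>
/// Handles the firewall's disk-manipulation event: requests shutdown of the
/// compromised application and e-mails the security contacts once for every
/// connection listed in <c>e.Violation.Talking</c>.
/// </summary>
/// <param name="sender">The object that raised the event (not used here).</param>
/// <param name="e">Event data carrying the violation and the action to take.</param>
private void MyFireWall_OnDiskManipulation(object sender, DiskManipulationEventArgs e)
{
    // Record the containment decision before any notification work. Building the
    // mail body performs geo and WHOIS lookups and SendEmail can fail; if either
    // throws, the requested action has already been set on the event arguments.
    // NOTE(review): whether the caller still honours e.Action after the handler
    // throws is not shown on this page - confirm against the firewall's docs.
    e.Action = ApplicationCompromisedActions.ShutDown | ApplicationCompromisedActions.PersistOnReboot;

    // Direct cast instead of 'as': a wrong type fails with a clear
    // InvalidCastException rather than a NullReferenceException.
    var firewall = (IFireWall)this;

    foreach (var item in e.Violation.Talking)
    {
        var scope = item.tcpRecord.Scope;

        // Only the subject differs between external (WAN) and internal traffic.
        var subject = scope == Walter.Net.Networking.CommunicationScopes.WAN
            ? "A file change with external communication was detected"
            : "A file change with internal communication was detected";

        // NOTE(review): the meaning of the final 'true' argument is not shown on
        // this page; presumably it marks the body as HTML - confirm against
        // IFireWall.SendEmail.
        firewall.SendEmail(EMailRoles.SecurityRelevant
                         , subject
                         , MakeEmailBody(scope, e.Violation.ExecutingBinary, item.tcpRecord.RemoteAddress)
                         , true);
    }
}

/// <summary>
/// Builds the notification body for one connection. For WAN traffic the body is
/// enriched with the geo location and WHOIS record of the remote address; for
/// any other scope only the binary, the address and the scope are reported.
/// </summary>
/// <param name="scope">Communication scope of the connection.</param>
/// <param name="executingBinary">Path of the binary that changed the disk.</param>
/// <param name="remoteAddress">Remote endpoint of the connection.</param>
/// <returns>The populated message body.</returns>
private string MakeEmailBody(Walter.Net.Networking.CommunicationScopes scope, string executingBinary, IPAddress remoteAddress)
{
    // The WAN body embeds whois.ToHtml(), so the message is treated as HTML here.
    // The binary path and the lookup results are not under this application's
    // control, so they are HTML-encoded before being placed in a mail that a
    // security contact will open.
    // NOTE(review): if SendEmail actually sends plain text, drop the encoding.
    var safeBinary = System.Net.WebUtility.HtmlEncode(executingBinary);
    var safeAddress = System.Net.WebUtility.HtmlEncode(remoteAddress.ToString());

    if (scope == Walter.Net.Networking.CommunicationScopes.WAN)
    {
        var map = _geo.QueryMapLocation(remoteAddress);
        var whois = Whois(remoteAddress);

        // NOTE(review): the template is reproduced as it appears on the page; its
        // original line breaks and any markup around "google maps link" are not
        // visible here. As shown it contains no {Link} token, so that Replace is a
        // no-op until the anchor markup is restored.
        // NOTE(review): whois.ToHtml() is inserted as-is; the WHOIS record content
        // is supplied by the remote network's registrant, so confirm ToHtml()
        // escapes the fields it renders.
        return @" We have detected a disk change by {ApplicationPath} from IP address: {IPAddress} While capturing the issue we recorded the IP coming from {City} - {Country} google maps linkThe IP address is managed by : {WhoIs} "
            .Replace("{ApplicationPath}", safeBinary, StringComparison.OrdinalIgnoreCase)
            .Replace("{IPAddress}", safeAddress, StringComparison.OrdinalIgnoreCase)
            .Replace("{City}", System.Net.WebUtility.HtmlEncode(map.City), StringComparison.OrdinalIgnoreCase)
            .Replace("{Country}", System.Net.WebUtility.HtmlEncode(map.Country), StringComparison.OrdinalIgnoreCase)
            .Replace("{Link}", System.Net.WebUtility.HtmlEncode(map.GoogleMapLocation().AbsoluteUri), StringComparison.OrdinalIgnoreCase)
            .Replace("{WhoIs}", whois.ToHtml(), StringComparison.OrdinalIgnoreCase);
    }

    // The template spells the token "{scope}" while the Replace looks for
    // "{Scope}"; the case-insensitive comparison is what makes them match.
    return @" We have detected a disk change by {ApplicationPath} from IP address: {IPAddress}-{scope}"
        .Replace("{ApplicationPath}", safeBinary, StringComparison.OrdinalIgnoreCase)
        .Replace("{IPAddress}", safeAddress, StringComparison.OrdinalIgnoreCase)
        .Replace("{Scope}", scope.ToString(), StringComparison.OrdinalIgnoreCase);
}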
System.Object
System.EventArgs
Walter.IO.EventArguments.DiskManipulationEventArgs
Walter.Web.FireWall.EventArguments.FireWallDiskManipulationEventArgs
Target Platforms: Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2