Improve event viewer query creation performance

jjxtra · jjxtra · commit 34cb6925bf67 · 2019-05-31T14:35:34.000-06:00
diff --git a/Core/IPBanConfigWindowsEventViewer.cs b/Core/IPBanConfigWindowsEventViewer.cs
@@ -145,10 +145,18 @@ public string Keywords
             }
         }
 
-        public string GetQueryString(int id = 1)
+        public void AppendQueryString(StringBuilder builder, int id = 1)
         {
             ulong keywordsDecimal = ulong.Parse(Keywords.Substring(2), NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);
-            return "<Query Id='" + id.ToString(CultureInfo.InvariantCulture) + "' Path='" + Path + "'><Select Path='" + Path + "'>*[System[(band(Keywords," + keywordsDecimal.ToString() + "))]]</Select></Query>";
+            builder.Append("<Query Id='");
+            builder.Append(id.ToStringInvariant());
+            builder.Append("' Path='");
+            builder.Append(Path);
+            builder.Append("'><Select Path='");
+            builder.Append(Path);
+            builder.Append("'>*[System[(band(Keywords,");
+            builder.Append(keywordsDecimal.ToStringInvariant());
+            builder.Append("))]]</Select></Query>");
         }
 
         public void SetExpressionsFromExpressionsText()
diff --git a/Core/IPBanMemoryFirewall.cs b/Core/IPBanMemoryFirewall.cs
@@ -256,7 +256,7 @@ public bool Contains(UInt128 ipv6UInt128)
         private readonly Dictionary<string, MemoryFirewallRule> blockRules = new Dictionary<string, MemoryFirewallRule>();
         private readonly MemoryFirewallRule allowRule = new MemoryFirewallRule();
 
-        public string RulePrefix { get; set; }
+        public string RulePrefix { get; set; } = "IPBan_";
 
         private string ScrubRuleNamePrefix(string ruleNamePrefix)
         {
@@ -390,8 +390,8 @@ public IEnumerable<string> GetRuleNames(string ruleNamePrefix = null)
                 {
                     yield return key;
                 }
-                if (prefix.StartsWith(RulePrefix, StringComparison.OrdinalIgnoreCase) ||
-                    prefix.StartsWith(RulePrefix + "Allow", StringComparison.OrdinalIgnoreCase))
+                if (RulePrefix.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) ||
+                    RulePrefix.StartsWith(prefix + "Allow", StringComparison.OrdinalIgnoreCase))
                 {
                     yield return RulePrefix + "Allow";
                 }
diff --git a/Core/IPBanService.cs b/Core/IPBanService.cs
@@ -1297,7 +1297,6 @@ public static T CreateAndStartIPBanTestService<T>(string directory = null, strin
             string configFilePath = Path.Combine(directory, configFileName);
             string configFileText = File.ReadAllText(configFilePath);
             configFilePath += ".tmp";
-            configFileText = configFileText.Replace("<add key=\"UseDefaultBannedIPAddressHandler\" value=\"true\" />", "<add key=\"UseDefaultBannedIPAddressHandler\" value=\"false\" />");
             if (configFileModifier != null)
             {
                 configFileText = configFileModifier(configFileText);
diff --git a/IPBanTests/IPBanConfigTests.cs b/IPBanTests/IPBanConfigTests.cs
@@ -152,7 +152,7 @@ public void TestDefaultConfig()
                 Assert.AreEqual("IPBan_", cfg.FirewallRulePrefix);
                 Assert.AreEqual(TimeSpan.FromSeconds(1.0), cfg.MinimumTimeBetweenFailedLoginAttempts);
                 Assert.IsEmpty(cfg.ProcessToRunOnBan);
-                Assert.IsFalse(cfg.UseDefaultBannedIPAddressHandler); // the create and start test service forces this false, it is true otherwise in production by default
+                Assert.IsTrue(cfg.UseDefaultBannedIPAddressHandler);
                 Assert.IsEmpty(cfg.UserNameWhitelist);
                 Assert.IsEmpty(cfg.WhiteList);
                 Assert.IsEmpty(cfg.WhiteListRegex);
diff --git a/IPBanTests/IPBanMemoryFirewallTests.cs b/IPBanTests/IPBanMemoryFirewallTests.cs
@@ -27,7 +27,7 @@ public void BasicTest()
             f.BlockIPAddresses("TestRule", new IPAddressRange[] { range }, new PortRange[0]);
             string[] banned = f.EnumerateBannedIPAddresses().ToArray();
             IPAddressRange[] banned2 = f.EnumerateIPAddresses("TestRule").ToArray();
-
+            Assert.AreEqual(0, f.GetRuleNames("CB").Count());
             Assert.IsTrue(f.IsIPAddressAllowed(allowIP));
             Assert.IsFalse(f.IsIPAddressBlocked(allowIP));
             Assert.IsFalse(f.IsIPAddressBlocked(otherIP));
diff --git a/Windows/IPBanWindowsEventViewer.cs b/Windows/IPBanWindowsEventViewer.cs
@@ -28,6 +28,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 using System.Diagnostics.Eventing.Reader;
 using System.Globalization;
 using System.IO;
+using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using System.Xml;
@@ -228,8 +229,8 @@ private string GetEventLogQueryString(List<string> ignored)
                 return null;
             }
 
+            StringBuilder queryString = new StringBuilder("<QueryList>");
             int id = 0;
-            string queryString = "<QueryList>";
             HashSet<string> logNames = new HashSet<string>(System.Diagnostics.Eventing.Reader.EventLogSession.GlobalSession.GetLogNames());
             foreach (EventViewerExpressionGroup group in service.Config.WindowsEventViewerExpressionsToBlock.Groups)
             {
@@ -241,12 +242,12 @@ private string GetEventLogQueryString(List<string> ignored)
                 }
                 else
                 {
-                    queryString += group.GetQueryString(++id);
+                    group.AppendQueryString(queryString, ++id);
                 }
             }
-            queryString += "</QueryList>";
+            queryString.Append("</QueryList>");
 
-            return queryString;
+            return queryString.Length < 32 ? null : queryString.ToString();
         }
 
         private void SetupEventLogWatcher()
@@ -255,7 +256,7 @@ private void SetupEventLogWatcher()
             {
                 List<string> ignored = new List<string>();
                 string queryString = GetEventLogQueryString(ignored);
-                if (queryString != previousQueryString)
+                if (queryString != null && queryString != previousQueryString)
                 {
                     IPBanLog.Warn("Event viewer query string: {0}", queryString);
                     foreach (string path in ignored)

Original file line number	Diff line number	Diff line change
`@@ -145,10 +145,18 @@ public string Keywords`
`145`	`145`	`}`
`146`	`146`	`}`
`147`	`147`
`148`		`- public string GetQueryString(int id = 1)`
	`148`	`+ public void AppendQueryString(StringBuilder builder, int id = 1)`
`149`	`149`	`{`
`150`	`150`	`ulong keywordsDecimal = ulong.Parse(Keywords.Substring(2), NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);`
`151`		`- return "<Query Id='" + id.ToString(CultureInfo.InvariantCulture) + "' Path='" + Path + "'><Select Path='" + Path + "'>*[System[(band(Keywords," + keywordsDecimal.ToString() + "))]]</Select></Query>";`
	`151`	`+ builder.Append("<Query Id='");`
	`152`	`+ builder.Append(id.ToStringInvariant());`
	`153`	`+ builder.Append("' Path='");`
	`154`	`+ builder.Append(Path);`
	`155`	`+ builder.Append("'><Select Path='");`
	`156`	`+ builder.Append(Path);`
	`157`	`+ builder.Append("'>*[System[(band(Keywords,");`
	`158`	`+ builder.Append(keywordsDecimal.ToStringInvariant());`
	`159`	`+ builder.Append("))]]</Select></Query>");`
`152`	`160`	`}`
`153`	`161`
`154`	`162`	`public void SetExpressionsFromExpressionsText()`
Original file line number	Diff line number	Diff line change
`@@ -256,7 +256,7 @@ public bool Contains(UInt128 ipv6UInt128)`
`256`	`256`	`private readonly Dictionary<string, MemoryFirewallRule> blockRules = new Dictionary<string, MemoryFirewallRule>();`
`257`	`257`	`private readonly MemoryFirewallRule allowRule = new MemoryFirewallRule();`
`258`	`258`
`259`		`- public string RulePrefix { get; set; }`
	`259`	`+ public string RulePrefix { get; set; } = "IPBan_";`
`260`	`260`
`261`	`261`	`private string ScrubRuleNamePrefix(string ruleNamePrefix)`
`262`	`262`	`{`
`@@ -390,8 +390,8 @@ public IEnumerable<string> GetRuleNames(string ruleNamePrefix = null)`
`390`	`390`	`{`
`391`	`391`	`yield return key;`
`392`	`392`	`}`
`393`		`- if (prefix.StartsWith(RulePrefix, StringComparison.OrdinalIgnoreCase) \|\|`
`394`		`- prefix.StartsWith(RulePrefix + "Allow", StringComparison.OrdinalIgnoreCase))`
	`393`	`+ if (RulePrefix.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) \|\|`
	`394`	`+ RulePrefix.StartsWith(prefix + "Allow", StringComparison.OrdinalIgnoreCase))`
`395`	`395`	`{`
`396`	`396`	`yield return RulePrefix + "Allow";`
`397`	`397`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1297,7 +1297,6 @@ public static T CreateAndStartIPBanTestService<T>(string directory = null, strin`
`1297`	`1297`	`string configFilePath = Path.Combine(directory, configFileName);`
`1298`	`1298`	`string configFileText = File.ReadAllText(configFilePath);`
`1299`	`1299`	`configFilePath += ".tmp";`
`1300`		`- configFileText = configFileText.Replace("<add key=\"UseDefaultBannedIPAddressHandler\" value=\"true\" />", "<add key=\"UseDefaultBannedIPAddressHandler\" value=\"false\" />");`
`1301`	`1300`	`if (configFileModifier != null)`
`1302`	`1301`	`{`
`1303`	`1302`	`configFileText = configFileModifier(configFileText);`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE`
`28`	`28`	`using System.Diagnostics.Eventing.Reader;`
`29`	`29`	`using System.Globalization;`
`30`	`30`	`using System.IO;`
	`31`	`+using System.Text;`
`31`	`32`	`using System.Text.RegularExpressions;`
`32`	`33`	`using System.Threading.Tasks;`
`33`	`34`	`using System.Xml;`
`@@ -228,8 +229,8 @@ private string GetEventLogQueryString(List<string> ignored)`
`228`	`229`	`return null;`
`229`	`230`	`}`
`230`	`231`
	`232`	`+ StringBuilder queryString = new StringBuilder("<QueryList>");`
`231`	`233`	`int id = 0;`
`232`		`- string queryString = "<QueryList>";`
`233`	`234`	`HashSet<string> logNames = new HashSet<string>(System.Diagnostics.Eventing.Reader.EventLogSession.GlobalSession.GetLogNames());`
`234`	`235`	`foreach (EventViewerExpressionGroup group in service.Config.WindowsEventViewerExpressionsToBlock.Groups)`
`235`	`236`	`{`
`@@ -241,12 +242,12 @@ private string GetEventLogQueryString(List<string> ignored)`
`241`	`242`	`}`
`242`	`243`	`else`
`243`	`244`	`{`
`244`		`- queryString += group.GetQueryString(++id);`
	`245`	`+ group.AppendQueryString(queryString, ++id);`
`245`	`246`	`}`
`246`	`247`	`}`
`247`		`- queryString += "</QueryList>";`
	`248`	`+ queryString.Append("</QueryList>");`
`248`	`249`
`249`		`- return queryString;`
	`250`	`+ return queryString.Length < 32 ? null : queryString.ToString();`
`250`	`251`	`}`
`251`	`252`
`252`	`253`	`private void SetupEventLogWatcher()`
`@@ -255,7 +256,7 @@ private void SetupEventLogWatcher()`
`255`	`256`	`{`
`256`	`257`	`List<string> ignored = new List<string>();`
`257`	`258`	`string queryString = GetEventLogQueryString(ignored);`
`258`		`- if (queryString != previousQueryString)`
	`259`	`+ if (queryString != null && queryString != previousQueryString)`
`259`	`260`	`{`
`260`	`261`	`IPBanLog.Warn("Event viewer query string: {0}", queryString);`
`261`	`262`	`foreach (string path in ignored)`