
Commit d8044e5

New tests
1 parent 98c6645 commit d8044e5


5 files changed

+53
-4
lines changed


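--- a/IPBanCore/ipban.config
+++ b/IPBanCore/ipban.config
@@ -809,6 +809,43 @@
 </Expression>
 </Expressions>
 </Group>
+<Group>
+<Source>RDP</Source>
+<Keywords>0x4020000001000000</Keywords>
+<Path>Microsoft-Windows-TerminalServices-Gateway/Operational</Path>
+<Expressions>
+<Expression>
+<XPath>//EventID</XPath>
+<Regex>
+<![CDATA[
+^(?<log>200)$
+]]>
+</Regex>
+</Expression>
+<Expression>
+<XPath>//IpAddress</XPath>
+<Regex>
+<![CDATA[
+(?<ipaddress>.+)
+]]>
+</Regex>
+</Expression>
+<Expression>
+<XPath>//Username</XPath>
+<Regex>
+<![CDATA[
+(?<username>[^\\\/]+)$
+]]>
+</Regex>
+</Expression>
+<Expression>
+<XPath>//AuthType</XPath>
+<Regex>
+NTLM
+</Regex>
+</Expression>
+</Expressions>
+</Group>
 
 <!-- Notify of succes SSH events -->
 <Group>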
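Review bot: The new Gateway group has no introducing comment, while the neighbouring group at the end of the hunk is documented by `<!-- Notify of succes SSH events -->`; a line such as `<!-- Notify of successful RDP Gateway logons (TerminalServices-Gateway event 200) -->` above the added `<Group>` would say what the block reports. Pinning `//AuthType` to `NTLM` means gateway logons the event records with any other authentication type produce no notification at all, which may well be intended but should be stated in that comment so nobody later wonders why some logons are missing. The `NTLM` expression is also the only one in the group not wrapped in CDATA and it relies on the loader trimming the surrounding newlines; the config test in this commit expects exactly `"NTLM"`, so that presumably holds, but wrapping it like the other three keeps the group uniform.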

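--- a/IPBanTests/IPBanConfigTests.cs
+++ b/IPBanTests/IPBanConfigTests.cs
@@ -207,13 +207,14 @@ private static void AssertEventViewer(IPBanConfig cfg)
 AssertEventViewerGroup(groups[i++], "0x80000000000000", minimumWindowsMajorVersion, 0, false, "System", "RRAS", "//EventID", "^20271$", "(//Data)[2]", @"(?<username>.*)", "(//Data)[3]", @"(?<ipaddress>.+)", "(//Data)[4]", @"(?<log>denied|connection\swas\sprevented|Die\sRemoteverbindung\swurde\sverweigert)");
 AssertEventViewerGroup(groups[i++], "0x80000000000000", minimumWindowsMajorVersion, 0, false, "VisualSVNServer", "SVN", "//EventID", "^1004$", "(//Data)[1]", @"user\s(?<username>.*?):\s\(.*\)\s.*?(?<log>falsch|wrong|incorrect|bad)", "(//Data)[2]", @"(?<ipaddress_exact>.+)");
 
-groupCount = 7;
+groupCount = 8;
 groups = cfg.WindowsEventViewerExpressionsToNotify.Groups;
 i = 0;
 ClassicAssert.NotNull(groups);
 ClassicAssert.AreEqual(groupCount, groups.Count);
 AssertEventViewerGroup(groups[i++], "0x8020000000000000", minimumWindowsMajorVersion, 0, true, "Security", "RDP", "//EventID", "^4624$", "//Data[@Name='ProcessName' or @Name='LogonProcessName']", "winlogon|svchost|ntlmssp", "//Data[@Name='IpAddress' or @Name='Workstation' or @Name='SourceAddress']", "(?<ipaddress>.+)");
 AssertEventViewerGroup(groups[i++], "0x1000000000000000", minimumWindowsMajorVersion, 0, true, "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "RDP", "//EventID", "^(?<log>25)$", "//Address", "(?<ipaddress>.+)", "//User", "(?<username>[^\\\\\\/]+)$");
+AssertEventViewerGroup(groups[i++], "0x4020000001000000", minimumWindowsMajorVersion, 0, true, "Microsoft-Windows-TerminalServices-Gateway/Operational", "RDP", "//EventID", "^(?<log>200)$", "//IpAddress", "(?<ipaddress>.+)", "//Username", "(?<username>[^\\\\\\/]+)$", "//AuthType", "NTLM");
 AssertEventViewerGroup(groups[i++], "0x4000000000000000", minimumWindowsMajorVersion, 0, true, "OpenSSH/Operational", "SSH", "//Data[@Name='payload']", @"Accepted\s+(?:password|publickey)\s+for\s+(?<username>[^\s]+)\s+from\s+(?<ipaddress>[^\s]+)\s+port\s+[0-9]+\s+ssh");
 AssertEventViewerGroup(groups[i++], "0x80000000000000", minimumWindowsMajorVersion, 0, true, "Application", "IPBanCustom", "//Data", @"(?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d(?:\.\d+)?Z?)?(?:,\s)?ipban\ssuccess\slogin,\sip\saddress:\s(?<ipaddress>[^,]+),\ssource:\s(?<source>[^,]+)?,\suser:\s(?<username>[^\s,]+)?");
 AssertEventViewerGroup(groups[i++], "0x80000000000000", minimumWindowsMajorVersion, 0, true, "Application", "VNC", "//EventID", "^257$", "//Data", @"Authentication\spassed\sby\s(?<ipaddress>.+)");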

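--- a/IPBanTests/IPBanEventViewerTests.cs
+++ b/IPBanTests/IPBanEventViewerTests.cs
@@ -190,6 +190,10 @@ public void TestEventViewer()
 }
 resultIndex++;
 }
+if (resultIndex == 0 && test.EventType != IPAddressEventType.None)
+{
+ClassicAssert.Fail("No results found for test: " + test.Xml);
+}
 if ((int)test.EventType == 9999)
 {
 // return config to original state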
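Review bot: The new `resultIndex == 0` guard runs before the `(int)test.EventType == 9999` branch, and that sentinel value is not `IPAddressEventType.None`, so the control entry that only restores the config will now fail with "No results found" if — as its comment suggests — it is not meant to match anything; if so, exclude it: `if (resultIndex == 0 && test.EventType != IPAddressEventType.None && (int)test.EventType != 9999)`. Minor style point: `"No results found for test: " + test.Xml` could be `$"No results found for test: {test.Xml}"`. `TestEventViewer` begins and ends outside the hunk, so whether `resultIndex` is reset for every test case cannot be confirmed from here.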

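--- a/IPBanTests/TestData/EventViewer/EventViewerTests.txt
+++ b/IPBanTests/TestData/EventViewer/EventViewerTests.txt
@@ -13,6 +13,12 @@
 #RDP
 #FailedLogin
 #---
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4d5ae6a1-c7c8-4e6d-b840-4d8080b42e1b}" /><EventID>200</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>30</Opcode><Keywords>0x4020000001000000</Keywords><TimeCreated SystemTime="2024-11-06T17:25:40.9886726Z" /><EventRecordID>26463</EventRecordID><Correlation ActivityID="{fb9bcc6c-2afa-4558-8a59-71e851160000}" /><Execution ProcessID="1912" ThreadID="3500" /><Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel><Computer>my.computer.local</Computer><Security UserID="S-1-5-20" /></System><UserData><EventInfo xmlns="aag"><Username>domain\user1</Username><IpAddress>2.3.4.5</IpAddress><AuthType>NTLM</AuthType><Resource></Resource><ConnectionProtocol>HTTP</ConnectionProtocol><ErrorCode>0</ErrorCode></EventInfo></UserData></Event>
+2.3.4.5
+user1
+RDP
+SuccessfulLogin
+---
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2024-10-30T20:47:38.2268891Z" /><EventRecordID>25733169</EventRecordID><Correlation ActivityID="{2a259816-1d3c-0001-f998-252a3c1ddb01}" /><Execution ProcessID="724" ThreadID="5860" /><Channel>Security</Channel><Computer>MyCPU</Computer><Security /></System><EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="SubjectUserName">-</Data><Data Name="SubjectDomainName">-</Data><Data Name="SubjectLogonId">0x0</Data><Data Name="TargetUserSid">S-1-5-21-2187489938-3058984627-757040018-1787</Data><Data Name="TargetUserName">sadmin</Data><Data Name="TargetDomainName">CD1</Data><Data Name="TargetLogonId">0x2dd254a7</Data><Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">CPU1</Data><Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="TransmittedServices">-</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="KeyLength">128</Data><Data Name="ProcessId">0x0</Data><Data Name="ProcessName">-</Data><Data Name="IpAddress">5.5.5.5</Data><Data Name="IpPort">59312</Data><Data Name="ImpersonationLevel">%%1833</Data><Data Name="RestrictedAdminMode">-</Data><Data Name="TargetOutboundUserName">-</Data><Data Name="TargetOutboundDomainName">-</Data><Data Name="VirtualAccount">%%1843</Data><Data Name="TargetLinkedLogonId">0x0</Data><Data Name="ElevatedToken">%%1842</Data></EventData></Event>
 5.5.5.5
 sadmin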
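Review bot: The new gateway sample only exercises the positive path — event 200 with `<AuthType>NTLM</AuthType>` — and there is no companion entry showing that the same event with another EventID or AuthType yields no result, so a later change that loosens `//AuthType` or `//EventID` in the config would not be caught. A second entry built from this XML with the `<AuthType>` value changed, and the expected-result lines set to whatever marker the file uses for "no match", would pin the constraint the config expresses. Since the expected username is `user1` while the event carries `domain\user1`, this entry also serves as the regression test for the domain-stripping `//Username` expression, which is worth keeping in mind if the sample is edited.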

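--- a/Recipes/Windows/LogFile/IIS_RDWeb.xml
+++ b/Recipes/Windows/LogFile/IIS_RDWeb.xml
@@ -12,6 +12,7 @@ Two Example Failed Logins (1.2.3.4 Server IP 2.3.4.5 Client IP):
 Two Example successful logins:
 2023-03-20 06:38:54 1.2.3.4 POST /RDWeb/Pages/en-US/login.aspx - 443 username 2.3.4.5 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_15_7)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/111.0.0.0+Safari/537.36 https://your.rdsserver.org.uk/RDWeb/webclient/ 302 0 0 31
 2023-03-20 15:36:09 1.2.3.4 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=%2FRDWeb%2FPages%2Fen-US%2FDefault.aspx 443 domain\username 2.3.4.5 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/111.0.0.0+Safari/537.36 https://your.rdsserver.org.uk/RDWeb/Pages/en-US/login.aspx?ReturnUrl=%2FRDWeb%2FPages%2Fen-US%2FDefault.aspx 302 0 0 31
+2024-11-06 17:43:23 10.1.11.1 GET /RDWeb/FeedLogin/WebFeedLogin.aspx - 443 domain\user 1.2.3.4 TSWorkspace/2.0 - 200 0 0 103
 -->
 <LogFile>
 <Source>RDWeb</Source>
@@ -22,9 +23,9 @@ Two Example successful logins:
 ]]>
 </FailedLoginRegex>
 <SuccessfulLoginRegex>
-<![CDATA[
-(?<timestamp_utc>\d\d\d\d\-\d\d\-\d\d\s\d\d\:\d\d\:\d\d)\s[^\s]+\sPOST\s\/RDWeb\/Pages\/[^\/]+\/login\.aspx\s[^\s]+\s[0-9]+\s(?<username>[^\s]+)\s(?<ipaddress>[^\s]+).*\s302\s[^\n]+\n
-]]>
+<![CDATA[
+(?<timestamp_utc>\d\d\d\d\-\d\d\-\d\d\s\d\d\:\d\d\:\d\d)\s[^\s]+\s(?:(?:POST\s\/RDWeb\/Pages\/[^\/]+\/login\.aspx\s[^\s]+\s[0-9]+\s(?<username>[^\s]+)\s(?<ipaddress>[^\s]+).*\s302\s[^\n]+)|(?:GET\s\/RDWeb\/FeedLogin\/WebFeedLogin.aspx\s[^\s]+\s443\s(?<username>[^\s]+)\s(?<ipaddress>[^\s]+)\sTSWorkspace\/2\.0\s[^\s]+\s200\s0\s0\s[0-9]+))\n
+]]>
 </SuccessfulLoginRegex>
 <PlatformRegex>Windows</PlatformRegex>
 <PingInterval>10000</PingInterval>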
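Review bot: In the new `GET ... WebFeedLogin.aspx` alternative of `SuccessfulLoginRegex`, `(?<username>[^\s]+)` also matches the `-` that IIS writes in cs-username when no user was authenticated, so a 200 on the feed URL without a logged user would be reported as a successful login for user `-`; if that endpoint can ever answer 200 to an unauthenticated client, `(?<username>[^\s\-][^\s]*)` in that branch avoids the false positive. The branch also hard-codes the `TSWorkspace\/2\.0` user agent and port `443`, whereas the POST branch accepts any port, so feed logins from other clients or on another port are silently not matched — acceptable if intended, but worth a sentence in the header comment. In the first hunk, the added example line shows `10.1.11.1` as the server and `1.2.3.4` as the client, while the header states `1.2.3.4 Server IP 2.3.4.5 Client IP`; aligning it with the two existing examples keeps the comment readable.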
