分析IIS日志匹配恶意规则会加入防火墙拦截
/// <summary> /// IIS日志分析器 /// </summary> /// <param name="filepath"></param> public static void IISlogAnalyzer(string filepath, Func<IISLogEvent, bool> express, Func<IISLogEvent, bool> whiteExpress, string rulename, int cnt = 1000) { List<IISLogEvent> logs = new List<IISLogEvent>(); using (ParserEngine parser = new ParserEngine(filepath)) { while (parser.MissingRecords) { logs = parser.ParseLog().ToList(); } List<string> ipList = new List<string>(); string hostIp = logs.Select(g => g.sIp).FirstOrDefault(); string expireTS = ConfigurationManager.AppSettings["expirets"].ToString(); ResetFireWallBlackIp(rulename, hostIp, expireTS);//清除防火墙中过期的黑名单Ip ipList = logs.Where(whiteExpress).Where(express).Select(i => i.cIp).Distinct().ToList(); ipList = ipList.Union(logs.Where(whiteExpress).GroupBy(item => item.cIp).Select(g => new { cip = g.Key, cnt = g.Count() }).Where(g => g.cnt > cnt).Select(i => i.cip).ToList()).ToList(); SaveToDB(hostIp, ipList); string ips = string.Join(",", ipList); if (!string.IsNullOrEmpty(ips)) { LogHelper.WriteLog("warnning", "IISlogAnalyzer", "发现异常IP:" + ips); PutFireWall(rulename, ips); } } }
/// <summary> /// 加入防火墙黑名单 /// </summary> /// <param name="ip"></param> public static void PutFireWall(string ruleName, string ip) { try { INetFwPolicy2 firewallPolicy = (INetFwPolicy2)Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2")); var rule = firewallPolicy.Rules.Item(ruleName); rule.RemoteAddresses += "," + ip; } catch (Exception ex) { LogHelper.WriteLog("error", "防火墙操作", ex.ToString()); } }