Improve event viewer query creation performance

DigitalRuby · May 31, 2019 · 34cb692 · 34cb692
1 parent 5787603
commit 34cb692
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 13 deletions.
diff --git a/Core/IPBanConfigWindowsEventViewer.cs b/Core/IPBanConfigWindowsEventViewer.cs
@@ -145,10 +145,18 @@ public string Keywords
  }
  }
 
- public string GetQueryString(int id = 1)
+ public void AppendQueryString(StringBuilder builder, int id = 1)
  {
  ulong keywordsDecimal = ulong.Parse(Keywords.Substring(2), NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);
- return "<Query Id='" + id.ToString(CultureInfo.InvariantCulture) + "' Path='" + Path + "'><Select Path='" + Path + "'>*[System[(band(Keywords," + keywordsDecimal.ToString() + "))]]</Select></Query>";
+ builder.Append("<Query Id='");
+ builder.Append(id.ToStringInvariant());
+ builder.Append("' Path='");
+ builder.Append(Path);
+ builder.Append("'><Select Path='");
+ builder.Append(Path);
+ builder.Append("'>*[System[(band(Keywords,");
+ builder.Append(keywordsDecimal.ToStringInvariant());
+ builder.Append("))]]</Select></Query>");
  }
 
  public void SetExpressionsFromExpressionsText()

diff --git a/Core/IPBanMemoryFirewall.cs b/Core/IPBanMemoryFirewall.cs
@@ -256,7 +256,7 @@ public bool Contains(UInt128 ipv6UInt128)
  private readonly Dictionary<string, MemoryFirewallRule> blockRules = new Dictionary<string, MemoryFirewallRule>();
  private readonly MemoryFirewallRule allowRule = new MemoryFirewallRule();
 
- public string RulePrefix { get; set; }
+ public string RulePrefix { get; set; } = "IPBan_";
 
  private string ScrubRuleNamePrefix(string ruleNamePrefix)
  {
@@ -390,8 +390,8 @@ public IEnumerable<string> GetRuleNames(string ruleNamePrefix = null)
  {
  yield return key;
  }
- if (prefix.StartsWith(RulePrefix, StringComparison.OrdinalIgnoreCase) ||
- prefix.StartsWith(RulePrefix + "Allow", StringComparison.OrdinalIgnoreCase))
+ if (RulePrefix.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) ||
+ RulePrefix.StartsWith(prefix + "Allow", StringComparison.OrdinalIgnoreCase))
  {
  yield return RulePrefix + "Allow";
  }

diff --git a/Core/IPBanService.cs b/Core/IPBanService.cs
@@ -1297,7 +1297,6 @@ public static T CreateAndStartIPBanTestService<T>(string directory = null, strin
  string configFilePath = Path.Combine(directory, configFileName);
  string configFileText = File.ReadAllText(configFilePath);
  configFilePath += ".tmp";
- configFileText = configFileText.Replace("<add key=\"UseDefaultBannedIPAddressHandler\" value=\"true\" />", "<add key=\"UseDefaultBannedIPAddressHandler\" value=\"false\" />");
  if (configFileModifier != null)
  {
  configFileText = configFileModifier(configFileText);

diff --git a/IPBanTests/IPBanConfigTests.cs b/IPBanTests/IPBanConfigTests.cs
@@ -152,7 +152,7 @@ public void TestDefaultConfig()
  Assert.AreEqual("IPBan_", cfg.FirewallRulePrefix);
  Assert.AreEqual(TimeSpan.FromSeconds(1.0), cfg.MinimumTimeBetweenFailedLoginAttempts);
  Assert.IsEmpty(cfg.ProcessToRunOnBan);
- Assert.IsFalse(cfg.UseDefaultBannedIPAddressHandler); // the create and start test service forces this false, it is true otherwise in production by default
+ Assert.IsTrue(cfg.UseDefaultBannedIPAddressHandler);
  Assert.IsEmpty(cfg.UserNameWhitelist);
  Assert.IsEmpty(cfg.WhiteList);
  Assert.IsEmpty(cfg.WhiteListRegex);

diff --git a/IPBanTests/IPBanMemoryFirewallTests.cs b/IPBanTests/IPBanMemoryFirewallTests.cs
@@ -27,7 +27,7 @@ public void BasicTest()
  f.BlockIPAddresses("TestRule", new IPAddressRange[] { range }, new PortRange[0]);
  string[] banned = f.EnumerateBannedIPAddresses().ToArray();
  IPAddressRange[] banned2 = f.EnumerateIPAddresses("TestRule").ToArray();
-
+ Assert.AreEqual(0, f.GetRuleNames("CB").Count());
  Assert.IsTrue(f.IsIPAddressAllowed(allowIP));
  Assert.IsFalse(f.IsIPAddressBlocked(allowIP));
  Assert.IsFalse(f.IsIPAddressBlocked(otherIP));

diff --git a/Windows/IPBanWindowsEventViewer.cs b/Windows/IPBanWindowsEventViewer.cs
@@ -28,6 +28,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 using System.Diagnostics.Eventing.Reader;
 using System.Globalization;
 using System.IO;
+using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using System.Xml;
@@ -228,8 +229,8 @@ private string GetEventLogQueryString(List<string> ignored)
  return null;
  }
 
+ StringBuilder queryString = new StringBuilder("<QueryList>");
  int id = 0;
- string queryString = "<QueryList>";
  HashSet<string> logNames = new HashSet<string>(System.Diagnostics.Eventing.Reader.EventLogSession.GlobalSession.GetLogNames());
  foreach (EventViewerExpressionGroup group in service.Config.WindowsEventViewerExpressionsToBlock.Groups)
  {
@@ -241,12 +242,12 @@ private string GetEventLogQueryString(List<string> ignored)
  }
  else
  {
- queryString += group.GetQueryString(++id);
+ group.AppendQueryString(queryString, ++id);
  }
  }
- queryString += "</QueryList>";
+ queryString.Append("</QueryList>");
 
- return queryString;
+ return queryString.Length < 32 ? null : queryString.ToString();
  }
 
  private void SetupEventLogWatcher()
@@ -255,7 +256,7 @@ private void SetupEventLogWatcher()
  {
  List<string> ignored = new List<string>();
  string queryString = GetEventLogQueryString(ignored);
- if (queryString != previousQueryString)
+ if (queryString != null && queryString != previousQueryString)
  {
  IPBanLog.Warn("Event viewer query string: {0}", queryString);
  foreach (string path in ignored)