using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Http;
using System.Threading.Tasks;
using Amazon.DynamoDBv2;
using Amazon.Lambda.APIGatewayEvents;
using Microsoft.Extensions.Caching.Memory;
using Newtonsoft.Json;
namespace Trapdoor
{
public class Handler
{
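// HTTP client used to download the Tor exit-node list.
private readonly HttpClient _client;

// Location of the Tor exit-node list, copied from Config.TorExitList.
private readonly string tor_exit_list;

// NOTE(review): never assigned; its initialisation in the constructor is commented out,
// so this field is always null in the code shown here.
private readonly Storage<SessionLog> _storage;

// Alert senders that SendAlerts iterates over.
private readonly List<ISender> _alerts;

/// <summary>
/// Creates a handler that enriches incoming requests and forwards them to the given senders.
/// </summary>
/// <param name="config">Configuration; only <c>TorExitList</c> is read here.</param>
/// <param name="memoryCache">Not used by this constructor (only the commented-out sender setup references it).</param>
/// <param name="alerts">Senders that receive every alert.</param>
/// <exception cref="ArgumentNullException"><paramref name="config"/> or <paramref name="alerts"/> is null.</exception>
public Handler(Config config, IMemoryCache memoryCache, List<ISender> alerts)
{
    // Fail fast on bad wiring instead of failing later while an alert is being processed.
    if (config == null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    if (alerts == null)
    {
        throw new ArgumentNullException(nameof(alerts));
    }

    _alerts = alerts;
    tor_exit_list = config.TorExitList;

    // Bound the Tor list download. HttpClient's default timeout is 100 seconds, so a slow or
    // unreachable list host could otherwise stall the request before any alert is sent.
    // NOTE(review): 10 seconds is a reviewer-chosen value; tune it to the deployment.
    _client = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
    //_storage = new Storage<SessionLog>(new AmazonDynamoDBClient());
    //_alerts.Add(new SlackSender(_storage, config, memoryCache));
}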
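/// <summary>
/// Builds the alert fields for a request and hands them to every configured sender,
/// then asks each sender to store the result.
/// </summary>
/// <param name="request">The API Gateway proxy request that triggered the alert.</param>
/// <param name="guid">Identifier passed through unchanged to each sender.</param>
/// <returns>
/// <c>true</c> when no "Session ID" was obtained from the request body (including when parsing
/// never succeeded or there are no senders); <c>false</c> when one was found.
/// </returns>
public async Task<bool> SendAlerts(APIGatewayProxyRequest request, string guid)
{
    (string, Dictionary<string, dynamic>) fields = default;

    // Parse lazily and only until it succeeds once. ParseAlert downloads the Tor exit list,
    // so re-running it for every sender repeated that network fetch and made alert delivery
    // depend on the list host once per sender.
    var parsed = false;

    foreach (var alert in _alerts)
    {
        try
        {
            if (!parsed)
            {
                fields = await ParseAlert(request);
                parsed = true;
            }

            // Each sender gets its own copy of the field map, as it did when the request was
            // re-parsed per sender, so one sender cannot alter what the next one sees.
            (string, Dictionary<string, dynamic>) senderFields =
                (fields.Item1, new Dictionary<string, dynamic>(fields.Item2));

            var sourceIp = request.RequestContext.Identity.SourceIp;
            var res = await alert.SendAlert(senderFields, sourceIp, request.Path, guid);

            // The session id comes from the request body, i.e. it is caller-supplied;
            // the source IP is used as the log key when the body did not carry one.
            if (fields.Item1 != null)
            {
                await alert.StoreLogs(fields.Item1, res);
            }
            else
            {
                await alert.StoreLogs(sourceIp, res);
            }
        }
        catch (Exception e)
        {
            // A failing sender must not prevent the remaining senders from being tried.
            Console.WriteLine($"Error in {alert.GetType().Name}: {e.Message}");
        }
    }

    return fields.Item1 == null;
}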
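/// <summary>
/// Collects the alert fields for a request: the JSON body's key/value pairs, then request
/// metadata (path, host, method, user agent, CloudFront viewer hints, Tor flag, source IP).
/// </summary>
/// <param name="request">The API Gateway proxy request to describe.</param>
/// <returns>
/// The body's "Session ID" value (null when absent) and the field map. Request-derived fields
/// are written after the body fields, so a body key with the same name cannot replace them.
/// </returns>
private async Task<(string, Dictionary<string, dynamic>)> ParseAlert(APIGatewayProxyRequest request)
{
    var alert = new Dictionary<string, dynamic>();
    string id = null;

    if (request.Body != null)
    {
        // The body is caller-controlled. A malformed or literal-null body used to throw here,
        // which dropped the whole alert; now the body fields are skipped and the alert goes out.
        Dictionary<string, string> collection = null;
        try
        {
            collection = JsonConvert.DeserializeObject<Dictionary<string, string>>(request.Body);
        }
        catch (Exception e)
        {
            Console.WriteLine($"Error parsing request body: {e.Message}");
        }

        if (collection != null)
        {
            foreach (var pair in collection)
            {
                alert[pair.Key] = pair.Value;
                if (pair.Key == "Session ID")
                {
                    id = pair.Value;
                }
            }
        }
    }

    // HTTP header names are case-insensitive, and any header may be missing. Indexing the
    // original map directly threw KeyNotFoundException in both cases, which suppressed the alert.
    var headers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    if (request.Headers != null)
    {
        foreach (var header in request.Headers)
        {
            headers[header.Key] = header.Value;
        }
    }

    string HeaderOrNone(string name) =>
        headers.TryGetValue(name, out var value) && value != null ? value : "None";

    bool IsTrue(string name) =>
        headers.TryGetValue(name, out var value) && value == "true";

    alert["Path"] = request.Path;
    alert["Full Path"] = request.RequestContext.Path;
    alert["Host"] = HeaderOrNone("Host");
    alert["HTTP Method"] = request.HttpMethod;
    alert["User Agent"] = HeaderOrNone("User-Agent");
    alert["Viewer Country"] = HeaderOrNone("CloudFront-Viewer-Country");

    // "Viewer Device" stays unset when no CloudFront device header is "true".
    if (IsTrue("CloudFront-Is-Tablet-Viewer"))
    {
        alert["Viewer Device"] = "Tablet";
    }
    else if (IsTrue("CloudFront-Is-Mobile-Viewer"))
    {
        alert["Viewer Device"] = "Mobile";
    }
    else if (IsTrue("CloudFront-Is-Desktop-Viewer"))
    {
        alert["Viewer Device"] = "Desktop";
    }
    else if (IsTrue("CloudFront-Is-SmartTV-Viewer"))
    {
        alert["Viewer Device"] = "SmartTV";
    }

    alert["Tor Network"] = await TorExitUsed(request);
    alert["Source IP"] = request.RequestContext.Identity.SourceIp;
    return (id, alert);
}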
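/// <summary>
/// Downloads the configured Tor exit list and checks whether the request's source IP
/// appears on a line of its own.
/// </summary>
/// <param name="request">The request whose source IP is looked up.</param>
/// <returns>
/// "true" when a line of the list equals the source IP; "false" otherwise, including when
/// the list could not be downloaded or read.
/// </returns>
private async Task<string> TorExitUsed(APIGatewayProxyRequest request)
{
    try
    {
        var sourceIp = request.RequestContext.Identity.SourceIp;
        if (string.IsNullOrEmpty(sourceIp))
        {
            return "false";
        }

        // Dispose the response so the underlying connection is released promptly.
        using var result = await _client.GetAsync(tor_exit_list);

        // Do not scan an error page as if it were the list; a failed status lands in the catch below.
        result.EnsureSuccessStatusCode();

        using var stream = await result.Content.ReadAsStreamAsync();
        using var reader = new StreamReader(stream);
        string line;
        while ((line = await reader.ReadLineAsync()) != null)
        {
            // Trim so stray whitespace or a trailing carriage return cannot hide a match.
            if (string.Equals(sourceIp, line.Trim(), StringComparison.Ordinal))
            {
                return "true";
            }
        }

        return "false";
    }
    catch (Exception e)
    {
        // Best effort: the alert must still go out when the lookup fails. Log the failure so
        // "lookup failed" can be told apart from "not a Tor exit" when reading the logs.
        Console.WriteLine($"Error checking Tor exit list: {e.Message}");
        return "false";
    }
}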
}
}