Ban FTP logins

This article is a little "off subject" for what we normally try to put on our website. But for those of you running your own Windows servers (Win2003), this is a really neat thing you need to know about.

Windows servers often get a FLOOD of login attempts on their FTP ports from attackers running dictionary-type attacks. To stop them, an event-monitoring script needs to watch constantly for multiple bad FTP login attempts and then shut the attacker down. The script below does exactly that: it subscribes through WMI to MSFTPSVC event 100, counts the 530 (not logged in) responses per client IP in the FTP log file, and adds a host route pointing any address that reaches the limit back at the server's own IP.

 

The original script this was taken from was found at blog.netnerds.net, by Chrissy LeMaire, and modified here.

 

To use the script, you can set it up as a service. See here.

 

We've modified it further and the result is shown below...

 

' Push Event Viewer Alert
Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set eventSink = wscript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")
strWQL = "Select * from __InstanceCreationEvent where TargetInstance isa  'Win32_NTLogEvent' and TargetInstance.SourceName = 'MSFTPSVC' and TargetInstance.EventCode = 100"
objWMIService.ExecNotificationQueryAsync eventSink,strWQL

'Keep it going forever
While (True)
Wscript.Sleep(1000)
Wend

Sub EVSINK_OnObjectReady(objObject, objAsyncContext)

 Set objDictionary = CreateObject("Scripting.Dictionary")
 Set objFSO = CreateObject("Scripting.FileSystemObject")
 Set objLog = CreateObject("MSWC.IISLog")
 Set WshShell = WScript.CreateObject("WScript.Shell")

 serverIP =  "65.23.156.121"   'This server's own IP: never counted, and used as the gateway of the blocking route
 xMax = 3   'Max number of invalid login attempts
 xLogFiles = 10  'Log files created more than this many days ago are deleted

 Set objFolder = objFSO.GetFolder("C:\WINDOWS\system32\LogFiles\MSFTPSVC1\")
 Set objFiles = objFolder.Files
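 'Prune old log files and remember the last file that is kept (assumed to be the current log)
 For Each fileName In objFiles
  Set f = objFSO.GetFile(fileName)
  If f.DateCreated <= Date - xLogFiles Then
   objFSO.DeleteFile fileName, True
  Else
   lastFile = fileName
  End If
  Set f = Nothing
 Next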
 Set objFiles = Nothing
 Set objFolder = Nothing

 objLog.OpenLogFile lastFile, 1, "MSFTPSVC", 1, 0
 While NOT objLog.AtEndOfLog
  objLog.ReadLogRecord
  clientIP = trim(objLog.ClientIP)
  xStatus = trim(objLog.ProtocolStatus)
  If xStatus = "530" AND NOT (clientIP = serverIP) then
   If objDictionary.Exists(ClientIP) Then
    objDictionary.Item(clientIP) = cStr(Clng(objDictionary.Item(clientIP)) + 1)
   Else
    objDictionary.Add  clientIP,"1"
   End If
  End If
 Wend 
 objLog.CloseLogFiles 1

 xTest = False   'Set to True once at least one client has been blocked
 For Each xClient in objDictionary.Keys
  If Clng(objDictionary.Item(xClient)) < xMax then
   objDictionary.Remove(xClient)
  Else
   xTest = True
   WshShell.Run "ROUTE ADD " & xClient & " MASK 255.255.255.255 " & serverIP & " METRIC 10", 1, True     
  End If
 Next

 If xTest then WshShell.LogEvent 0, "FTP 530 Event(s) exceeded xMax occurrences. BAD ROUTE(s) assigned"

 Set WshShell = Nothing
 Set objLog = Nothing
 Set objFSO = Nothing
 Set objDictionary = Nothing
End Sub
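
The script above counts every 530 in the log file no matter how far apart the failures are. As an added example (not part of the script above or of the netnerds.net original), here is the same per-IP count in Python with a time window, so that three mistyped passwords spread over a day do not get an address blocked. The log lines are constructed, and the field layout, the 5-minute window and the allow-listed address 192.0.2.10 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format. The column layout is an
# assumption; the parser reads the real layout from the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-01 00:00:10
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
00:00:10 203.0.113.7 [1]USER administrator 331 0
00:00:11 203.0.113.7 [1]PASS - 530 1326
00:00:12 203.0.113.7 [2]PASS - 530 1326
00:00:13 203.0.113.7 [3]PASS - 530 1326
00:05:00 198.51.100.20 [4]PASS - 530 1326
00:06:00 192.0.2.10 [5]PASS - 530 1326
00:06:01 192.0.2.10 [6]PASS - 530 1326
00:06:02 192.0.2.10 [7]PASS - 530 1326
09:30:00 198.51.100.20 [8]PASS - 530 1326
17:45:00 198.51.100.20 [9]PASS - 530 1326
"""

def find_offenders(log_text, max_failures=3, window=timedelta(minutes=5), allow=()):
    """Return client IPs with at least max_failures 530 replies inside window."""
    fields, day = [], datetime.min.date()
    recent = defaultdict(deque)          # ip -> timestamps of its recent 530s
    offenders = set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):  # column names for the records that follow
            fields = line.split()[1:]
        elif line.startswith("#Date:"):  # records carry only a time of day
            day = datetime.strptime(line.split()[1], "%Y-%m-%d").date()
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        ip = rec.get("c-ip")
        if rec.get("sc-status") != "530" or ip is None or ip in allow:
            continue                     # not a failed login, or an allow-listed host
        clock = datetime.strptime(rec.get("time", "00:00:00"), "%H:%M:%S").time()
        when = datetime.combine(day, clock)
        seen = recent[ip]
        seen.append(when)
        while when - seen[0] > window:   # forget failures older than the window
            seen.popleft()
        if len(seen) >= max_failures:    # same ">= xMax" rule as the script above
            offenders.add(ip)
    return sorted(offenders)

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG, allow={"192.0.2.10"}))
```

With the whole day as the window the function behaves like the script's count and also flags 198.51.100.20, whose three failures are hours apart.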

 