April 17, 2006 12:00 AM

Auditing IIS Security with Log Parser

Windows IT Pro
InstantDoc ID #49824

Identifying Unusual HTTP Requests
You can often find evidence of attacks on a Web site by looking for unusual verbs (methods) in HTTP requests. Most legitimate requests use GET or POST, so anything else deserves a look. The following query outputs every verb other than POST or GET that appears in the W3C Extended log file, together with the requested URI, the status and substatus code returned, and the requesting client's IP address, grouped and sorted so that the most frequent combinations come first. The <1> in the FROM clause tells Log Parser to read the logs of the IIS site with site ID 1; change it to match the site you are auditing. Expect HEAD and OPTIONS to show up in legitimate traffic (monitoring tools and some clients send them routinely); the interesting entries are verbs such as PUT, DELETE, TRACE, or WebDAV methods, particularly when they cluster around one client.

---UNUSUALVERBS.SQL---
SELECT c-ip, cs-method, 
  cs-uri-stem, sc-status, 
  sc-substatus, COUNT(*) 
FROM <1> 
WHERE (cs-method NOT IN 
  ('POST';'GET')) 
GROUP BY c-ip, cs-method, 
  cs-uri-stem, sc-status, 
  sc-substatus 
ORDER BY COUNT(*) DESC   
---UNUSUALVERBS.SQL---

Unusual verbs can be innocuous, but they can also be an anomaly that requires further investigation. Multiple instances of the same verb from many IP addresses are more likely to be innocuous than are multiple instances of a verb from the same IP address. Multiple verbs from the same IP address that no other Web site visitors have used are a red flag that you shouldn't ignore.

Tracing Web Site Activity
If you detect an anomaly linked to a particular IP address, that IP address becomes a leverage point you can use to dig deeper into the logs. To do so, use a query similar to this one:

---TRACKIP.SQL---
SELECT cs-username, 
  cs-uri-stem, sc-status, 
  sc-substatus 
FROM <1> 
WHERE c-ip = 'w.x.y.z' 
---TRACKIP.SQL---

Before running the script, substitute the IP address you are interested in for w.x.y.z. Also make certain that the Web site identifier (the <1> in the FROM clause) is correct so that you aren't looking at the wrong site's logs. The output shows every request that client made, the user name it supplied (if any), and how the server answered each one, which gives you further clues about what a suspicious visitor was doing on your Web server: a string of 404s against directories that don't exist, for example, looks like scanning, while a 403 or 401 on a PUT tells you what the visitor tried to write and that the server refused.
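The two queries above can be replayed outside Log Parser on any W3C Extended log. The following Python script is an added example, not code from the article or from Log Parser: it parses the W3C format (honouring the #Fields: directive, which names the columns and can appear more than once in a file), implements UNUSUALVERBS.SQL and TRACKIP.SQL as functions, and adds the "verb used by only one client IP" red flag described in the unusual-verbs section. The log lines, IP addresses and site name in it are constructed for illustration; the tracing function adds cs-method to the article's columns because it is useful when reading the trail.

```python
"""Added example (not from the article or Log Parser): replay the article's
UNUSUALVERBS.SQL and TRACKIP.SQL logic in Python over a W3C Extended log.
The sample log, hosts and IP addresses below are constructed for illustration."""
from collections import Counter
from typing import Dict, Iterator, List

# Constructed sample log in IIS W3C Extended format (a typical IIS 6 field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-04-17 00:00:00
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-substatus
2006-04-17 00:00:01 10.0.0.5 - 192.0.2.10 GET /default.htm - 200 0
2006-04-17 00:00:02 10.0.0.6 - 192.0.2.10 HEAD /default.htm - 200 0
2006-04-17 00:00:03 10.0.0.7 - 192.0.2.10 HEAD /default.htm - 200 0
2006-04-17 00:00:04 198.51.100.23 - 192.0.2.10 OPTIONS / - 200 0
2006-04-17 00:00:05 198.51.100.23 - 192.0.2.10 PROPFIND /secret/ - 404 0
2006-04-17 00:00:06 198.51.100.23 - 192.0.2.10 PROPFIND /secret/ - 404 0
2006-04-17 00:00:07 198.51.100.23 - 192.0.2.10 TRACE / - 501 0
2006-04-17 00:00:08 198.51.100.23 admin 192.0.2.10 PUT /upload.asp - 403 0
2006-04-17 00:00:09 10.0.0.5 - 192.0.2.10 POST /login.asp - 302 0
"""

NORMAL_VERBS = frozenset({"GET", "POST"})


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line of a W3C Extended log.

    '#Fields:' names the columns and may appear more than once (IIS writes a
    new header when the field set changes), so the column list is reset each
    time it is seen. Other '#' lines are metadata. Lines whose token count does
    not match the header (truncated writes) are skipped rather than mis-aligned.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def unusual_verbs(records, normal=NORMAL_VERBS):
    """Equivalent of UNUSUALVERBS.SQL: requests whose method is not in `normal`,
    counted per (c-ip, cs-method, cs-uri-stem, sc-status, sc-substatus),
    most frequent first. Returns a list of 6-tuples ending in the count."""
    counts = Counter(
        (r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"], r["sc-substatus"])
        for r in records if r["cs-method"] not in normal
    )
    rows = ((*key, n) for key, n in counts.items())
    return sorted(rows, key=lambda row: (-row[5], row[:5]))


def single_source_verbs(records, normal=NORMAL_VERBS):
    """The article's red flag: unusual verbs that only one client IP has used.
    Returns {verb: ip}. A verb seen from several IPs (HEAD from monitoring
    tools, for example) is left out as more likely innocuous."""
    sources: Dict[str, set] = {}
    for r in records:
        if r["cs-method"] not in normal:
            sources.setdefault(r["cs-method"], set()).add(r["c-ip"])
    return {verb: next(iter(ips)) for verb, ips in sources.items() if len(ips) == 1}


def track_ip(records, ip):
    """Equivalent of TRACKIP.SQL (cs-method added to the article's columns):
    every request from `ip` as (cs-username, cs-method, cs-uri-stem, sc-status, sc-substatus)."""
    return [(r["cs-username"], r["cs-method"], r["cs-uri-stem"], r["sc-status"], r["sc-substatus"])
            for r in records if r["c-ip"] == ip]


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    for row in unusual_verbs(recs):
        print(row)
    flagged = single_source_verbs(recs)
    print("verbs used by a single client IP:", flagged)
    for ip in sorted(set(flagged.values())):
        print(f"--- activity from {ip} ---")
        for row in track_ip(recs, ip):
            print(row)
```

On the constructed log the HEAD requests come from two different clients and drop out of the single-source check, while OPTIONS, PROPFIND, TRACE and PUT all trace back to one address, whose trail then shows a WebDAV probe of a non-existent directory followed by a refused PUT under a supplied user name. To run this against a real IIS log, pass the file contents to parse_w3c instead of SAMPLE_LOG; fields that IIS logs as "-" are kept as the literal string "-".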

Get to Work
I've only scratched the surface of Log Parser's ability to perform a security audit on IIS 6.0. If you've followed the examples and begun to put them to use on your Web server, you'll be able to generate your own queries to dig deeper into your logs, rooting out anomalies and putting a stop to suspicious activity.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.