ASP script to parse URLSCAN.log file and add to a database.

From: Michelle Erbeck (michelle@MAEDATA.NET)
Date: 11/04/01


Message-ID:  <004001c164c9$f0b9d840$020210ac@maedata.net>
Date:         Sat, 3 Nov 2001 19:45:02 -0500
From: Michelle Erbeck <michelle@MAEDATA.NET>
Subject:      ASP script to parse URLSCAN.log file and add to a database.
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Below is something we would like to share with others using URLSCAN. We use
the Active Server page content listed below to dynamically parse the
addresses in the URLSCAN log file and add them to a database. We use this
database to deny access to infected hosts through code we place in a
global.asa file. This adds additional security to our pages, as, if URLSCAN
misses something and the host in question has ever tripped URLSCAN before,
then we simply deny access. We also publish these addresses at
http://www.maedata.net/blacklist

The database used is MS SQL Server Version 7; however, the code below could
be adapted for other platforms.

-------------------

<% Response.Buffer = true %>
<% Response.Expires = 0 %>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta http-equiv="pragma" content="no-cache">
<meta name="GENERATOR" content="Microsoft FrontPage 2.0">
<title></title>
</head>

<body>

<p align="center"><font size="+3"><strong>Compromised </strong>
or Infected Hosts</font></p>
<p align="center"><font size="+1" color="Darkblue"><strong>The host
addresses listed below are known to have been compromised or infected by the
CODE RED, NIMDA or a similar worm. This list is dynamically generated from
the logs created by the Microsoft URLSCAN filter for IIS which has detected
attempts by the compromised hosts listed below to infect this or other
hosts.</strong>
</font></p>
<p align="center"><font size="+1" color="Darkblue"><strong>These addresses
are made public and are used by our server(s) to deny access to clients
using those addresses.</strong>
</font></p>

<p align="center">
 <% Dim Connect, RS, Query %>

 <% Set FileSys = CreateObject("Scripting.FileSystemObject") %>
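 <% Set MyObj = FileSys.OpenTextFile("C:\winnt\system32\inetsrv\urlscan\urlscan.log") %>
 <% oldIpData = "" %>
 <% do while not MyObj.AtEndOfStream %>
  <% MyData = MyObj.Readline %>
  <% ' The address is the text between "Client at " and the next ":" %>
  <% sPos = InStr(1,MyData,"Client at",1) %>
  <% if sPos > 0 then %>
   <% sPos = sPos + 10 %>
   <% ePos = InStr(sPos,MyData,":",1) %>
   <% ' Skip lines with no ":" after the address; Mid fails on a negative length %>
   <% if ePos > sPos then %>
   <% IpData = Trim(Mid(MyData,sPos,ePos-sPos)) %>
   <% ' Consecutive entries from the same host need only one lookup %>
   <% if not oldIpData = IpData then %>
    <% oldIpData = IpData %>
    <% ' Double any single quote so log text cannot end the SQL string literal %>
    <% SqlIp = Replace(IpData, "'", "''") %>
    <% Set Connect = Server.CreateObject("ADODB.Connection") %>
    <% Connect.Open Session("DSN") %>
    <% Set RS = Server.CreateObject("ADODB.Recordset") %>
    <% ' adOpenStatic comes from adovbs.inc; without that include it evaluates to 0 %>
    <% RS.Open "SELECT * FROM IPBlacklist WHERE IPADDR = '" & SqlIp & "';", Connect, adOpenStatic %>
    <% ' Insert only addresses that are not in the table yet %>
    <% if RS.EOF then %>
     <% Query = "INSERT into IPBlacklist (ipaddr) values ('" & SqlIp & "')" %>
     <% Connect.Execute(Query) %>
     Added : <% Response.Write(Server.HTMLEncode(IpData)) %><br>
    <% end if %>
    <% RS.Close %>
    <% Connect.Close %>
   <% end if %>
   <% end if %>
  <% end if %>
 <% loop %>
 <% MyObj.Close %>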

</p>
<hr>
<p align="center">
 <table cellspacing="10" cellpadding="10" border="1">
 <% Set Connect = Server.CreateObject("ADODB.Connection") %>
 <% Connect.Open Session("DSN") %>
 <% Set RS = Server.CreateObject("ADODB.Recordset") %>
 <% RS.Open "SELECT * FROM IPBlacklist ORDER by IPADDR", Connect, adOpenStatic %>
 <% Do While not RS.EOF %>
  <tr><td><font size="+1" color="blue"><%=RS("Entered")%></font></td>
  <td><b><font size="+3" color="darkblue"><%=RS("IPADDR")%></font></b></td></tr>
 <% RS.Movenext %>
 <% Loop %>
 <% RS.Close %>
 <% Connect.Close %>
 </table>
</P>
<hr>

<%Response.end%>
</body>
</html>
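
The same parse-and-insert flow as an added example, not part of the original post: a Python port that validates each extracted field as an IPv4 address and inserts it with a bound parameter instead of string concatenation. Assumptions: sqlite3 stands in for the MS SQL Server database, the table layout is inferred from the IPADDR and Entered columns the script reads, and the log lines are constructed samples.

```python
import ipaddress
import re
import sqlite3

# Like the posted script: take the text between "Client at " and the next ":".
CLIENT_RE = re.compile(r"Client at ([^:]*):", re.IGNORECASE)

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
[11-03-2001 - 19:12:44] Client at 192.0.2.10: URL contains extension '.ida', which is not allowed.
[11-03-2001 - 19:12:45] Client at 192.0.2.10: URL contains sequence '..', which is disallowed.
[11-03-2001 - 19:13:02] Client at 198.51.100.7: Sent verb 'TRACE', which is not allowed.
[11-03-2001 - 19:13:09] Client at bad'value: constructed malformed field
[11-03-2001 - 19:14:00] ---------------- Initializing ----------------
"""

def extract_clients(log_text):
    """Return (unique valid IPv4 strings in first-seen order, rejected fields)."""
    seen, rejected = [], []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m is None:
            continue  # not a rejected-request line
        field = m.group(1).strip()
        try:
            addr = str(ipaddress.IPv4Address(field))
        except ValueError:
            rejected.append(field)  # never reaches the database
            continue
        if addr not in seen:
            seen.append(addr)
    return seen, rejected

def update_blacklist(conn, addresses):
    """Insert addresses not yet present; return the ones newly added."""
    # Assumed schema; the primary key makes a repeated insert a no-op.
    conn.execute("CREATE TABLE IF NOT EXISTS IPBlacklist ("
                 "ipaddr TEXT PRIMARY KEY, entered TEXT DEFAULT CURRENT_TIMESTAMP)")
    added = []
    for addr in addresses:
        cur = conn.execute(
            "INSERT OR IGNORE INTO IPBlacklist (ipaddr) VALUES (?)", (addr,))
        if cur.rowcount == 1:
            added.append(addr)
    conn.commit()
    return added

if __name__ == "__main__":
    ips, bad = extract_clients(SAMPLE_LOG)
    print("Added:", update_blacklist(sqlite3.connect(":memory:"), ips))
    print("Rejected:", bad)
```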


