URLScan Logging

From: Thor@HammerofGod.com
Date: 11/03/01


From: Thor@HammerofGod.com
To: FOCUS-MS@SECURITYFOCUS.COM
Message-ID: <029401c163f4$139c1250$af05a8c0@anchorsign.com>
Subject: URLScan Logging
Date: Fri, 2 Nov 2001 15:14:03 -0800

Greetings:

We like to log server activity such as the IIS and ISA logs to a SQL server
for fast and efficient reporting of the log data. While MS's URLScan is a
great little filter program for IIS, its logging options are minimal. It
basically creates a single file to hold all log records for filtered URLs.
In our shop, it can get pretty big pretty quick, and it is rather difficult
to review.

I've created a DTS package that runs nightly on our logging SQL server that
ftp's in the urlscan.log from the servers we want (this way you can leave
IIS running), parses the data into a temp table, and posts only the
preceding day's activity to the warehouse table (run it after midnight). It
really speeds up the review process, and allows you to group by server, date
range, or ip address for incident response.

It has helped us manage the URLScan logs, so I've stuck it on the
http://www.hammerofgod.com site under downloads for anyone interested in
taking a look at it. You've got to make a couple of changes to the DTS
package to work with your servers, so read the readme.

Later.
---------------------------------
Attonbitus Deus
rm -rf /bin/laden



Relevant Pages

  • Re: URLscan problem
    ... I did indeed restart the IIS server after ... I took a look at the URLscan log files and found my ... >URLscan seems to be causing a problem with public folder ...
    (microsoft.public.inetserver.iis.security)
  • RE: W3SVC, SMTP, IISAdmin services stopping..hacking?
    ... That SEARCH request is indicative of an attempt to exploit the ... of URLScan blocks SEARCH requests such as this one. ... Internet Services Manager -> right click on your server name -> Properties ... does contain a number of other very important security fixes for IIS. ...
    (microsoft.public.inetserver.iis.security)
  • Re: VS .NET & SDK vs. IIS LockDown & URLScan
    ... The Web Server Has Been Locked Down and Is Blocking the DEBUG Verb ... Stepping into a Web application or XML Web service failed because the IIS ... URLScan is a security tool that works in conjunction with the IIS Lockdown ...
    (microsoft.public.inetserver.iis.security)
  • Re: ODBC logging inserts forward slash in front of target column dat
    ... I don't have ODBC logging to test now. ... but if IIS 6 logging detail changed ... I guessed you need to change your app to fit it. ... Windows 2000 Servers, but it fails on Windows 2003 Server (SP1, standard, ...
    (microsoft.public.inetserver.iis.ftp)
  • Re: ISAPI Filter:How to hide/modify the response header
    ... Here's the section from that URL which deals just with IIS HTTP information: ... The free IISlockdown tool from www.microsoft.com/download includes URLScan, ... which can be used to change or remove the banner from your web server. ...
    (microsoft.public.inetserver.iis.security)