Re: Realtime log file analyser

From: Scarlet (Scarletpimpernel666@hotmail.com)
Date: 01/21/03


From: "Scarlet" <Scarletpimpernel666@hotmail.com>
Date: Tue, 21 Jan 2003 14:15:54 -0800

Well, it doesn't have to search in any file. Just instead of
the log file, the output of IIS will be redirected to
that analyzer, and it analyzes it in real time. I don't think
that searching a short string for a specified phrase
will be a big task for a server, even for thousands of
requests.
And as for the spoofing of the source address, as far as I
gathered it's not that easy to really spoof an IP address.
Yes, you can use those malformed anonymous proxies or
socks and connect via them or chain them, but real
IP spoofing, and especially spoofing the IPs of my ISP's name
server, seems not really easy. If it is that easy, please let
me know how it's done, so I can apply more security on our
servers, not letting people spoof their IPs.

>-----Original Message-----
>> So what I need is a realtime logfile analyser that, when
>> it encounters that phrase in the log line, automatically
>> bans (permanently or temporarily) the IP of the attacker
>> and disconnects any session with that IP. So the first
>> malicious request will lead to restriction of the access
>> from that IP.
>
>Not the best idea in the world. And believe me, it's
>been considered and debated many, many times.
>
>For starters, that list has to be searched each time a
>request is handed to IIS. I'll let you figure out what
>would happen to performance once that list grew to
>several hundred (or very likely thousand) addresses.
>
>Add to that the fact that it is trivial to spoof a source
>address. Again, I'll let you figure out what happens when
>someone spoofs the source address of your biggest client,
>your ISP's name server, etc. The list could go on for
>days...
>
>In my opinion, your time would be much better spent
>refining your security measures and hardening your
>systems. If you've built your network and security
>infrastructure correctly, who cares what some clown with
>a cable modem is throwing at your systems?
>
>Hope this helps.
>
>--
>Keith W. McCammon
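
The mechanism the thread is arguing about, as an added example that is not part of either poster's message: a line-by-line analyzer for IIS W3C extended log records that matches a request against a set of signatures and bans the client address. It answers the two objections raised above in code. The ban table is a dict keyed by address, so the per-request check is a single hash lookup whether the table holds ten entries or ten thousand, and bans carry an expiry so the table does not grow without bound. An allowlist of addresses that must never be banned (the ISP's name server, the biggest client) turns a signature hit from such an address into an alert instead of a ban, whichever way the request came to carry that address. The log lines are constructed for the demo, the signatures (`cmd.exe`, `root.exe`, `../`) are hypothetical since the original post never names its phrase, and the field order is assumed to be the default IIS W3C header.

```python
import re
import time

# Constructed sample of IIS W3C extended log lines for the demo; not taken from
# the thread. The #Fields: header is assumed to be the default IIS field order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-01-21 14:15:54 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2003-01-21 14:15:55 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.7 Mozilla/4.0 404 0 0
2003-01-21 14:15:56 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2003-01-21 14:15:57 10.0.0.5 GET /scripts/root.exe /c+dir 80 - 203.0.113.9 Mozilla/4.0 404 0 0
2003-01-21 14:15:58 10.0.0.5 GET /default.htm - 80 - 203.0.113.9 Mozilla/4.0 200 0 0
"""

# Hypothetical request signatures; the post does not name the phrase it matches on.
ATTACK_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"cmd\.exe", r"root\.exe", r"\.\./")]


class BanList:
    """IP ban table with O(1) membership checks and per-entry expiry.

    Lookups are a dict probe, so cost does not grow with the number of banned
    addresses. Addresses in `allowlist` are never banned: a request carrying the
    address of a name server or a key customer produces an alert instead of a ban.
    """

    def __init__(self, ban_seconds=3600, allowlist=(), now=time.time):
        self.ban_seconds = ban_seconds
        self.allowlist = frozenset(allowlist)
        self.now = now                # injectable clock so the expiry logic can be tested
        self._expiry = {}             # ip -> unix time the ban lapses (inf = permanent)

    def is_banned(self, ip):
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if expiry <= self.now():      # lazy pruning: drop the entry on first lookup after expiry
            del self._expiry[ip]
            return False
        return True

    def ban(self, ip, permanent=False):
        """Ban `ip`; returns False (and does nothing) if the address is allowlisted."""
        if ip in self.allowlist:
            return False
        self._expiry[ip] = float("inf") if permanent else self.now() + self.ban_seconds
        return True


def parse_w3c(lines):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                  # malformed record: skip rather than guess the columns
        yield dict(zip(fields, values))


def analyze(lines, banlist, patterns=ATTACK_PATTERNS):
    """Process records in arrival order; return (client ip, decision) per record.

    Decisions: "drop" for an already-banned address, "ban" when a signature hit
    bans the address, "alert-only" when it hit but the address is allowlisted,
    "allow" otherwise.
    """
    decisions = []
    for rec in parse_w3c(lines):
        ip = rec["c-ip"]
        request = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        if banlist.is_banned(ip):
            decisions.append((ip, "drop"))
        elif any(p.search(request) for p in patterns):
            decisions.append((ip, "ban" if banlist.ban(ip) else "alert-only"))
        else:
            decisions.append((ip, "allow"))
    return decisions


if __name__ == "__main__":
    bl = BanList(ban_seconds=600, allowlist={"203.0.113.9"})
    for ip, decision in analyze(SAMPLE_LOG.splitlines(), bl):
        print(f"{ip:<15} {decision}")
```

Two caveats the code makes visible. A log-driven ban is always one request late: IIS writes the record after it has served the response, so the first malicious request is answered and only the second is dropped. And the ban table here only decides; enforcing it means pushing the address into a packet filter or IPSec policy in front of the server, which is where the "disconnect any session with that IP" part of the proposal would actually happen.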


