Re: urlscan log
From: Wade A. Hilmo [MS] (wadeh_at_microsoft.com)
Date: 10/29/03
- Next message: Wade A. Hilmo [MS]: "Re: Urlscan 2.5 unattended install"
- Previous message: Jayashree Iyer: "Re: Help Required : Authentication across trusted domains in IIS 6.0"
- In reply to: karl: "Re: urlscan log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Oct 2003 07:29:15 -0800
Hi Karl,
Not all 400 responses get logged in the w3svc log. The reason for this is
that the w3svc log is site based, and sometimes the request is malformed to
the point that IIS can't even figure out the site it was sent to.
Starting with IIS 6, such requests would get logged in the HTTPERR log.
Thank you,
-Wade A. Hilmo,
-Microsoft
"karl" <anonymous@discussions.microsoft.com> wrote in message
news:01e901c39cc9$319454b0$a501280a@phx.gbl...
> Wade,
>
> Thanks a lot for the detailed explanation. Much
> appreciated. I have enabled urlscan to block requests,
> and the number of entries for these errors does not
> correspond to the 400 responses in the iis weblog.
> I assumed I would see a higher number of 400 responses.
> Does a request blocked with urlscan get logged in the
> weblog ?
>
>
> >-----Original Message-----
> >Hi Karl,
> >
> >Error 50 is ERROR_NOT_SUPPORTED.
> >
> >The reason that this error occurs is that, when IIS
> parsed the original
> >request from the client, it did not meet the criteria to
> be either HTTP/1.0
> >or HTTP/1.1. When IIS receives such a request, it
> treats it as a "simple
> >HTTP" request. Simple HTTP predates HTTP/1.1 and it
> basically allows the
> >client to send a "GET <url>" request and receive only
> the entity body from
> >the server in response. No headers are supported with
> simple HTTP.
> >
> >As a result of the fact that headers are not supported
> in this case,
> >UrlScan's attempt to either remove or alter the server
> header in the
> >response results in this error. When it occurs,
> UrlScan "swallows" the
> >response, since it cannot alter it, and replaces it with
> a 400 response. So
> >the client ends up seeing a "400 Bad Request".
> >
> >In practice, there are very few (if any) simple HTTP
> clients in use as
> >browsers out there. More often than not, these requests
> are from
> >non-browser clients (like someone using Telnet to
> connect to your HTTP port
> >and manually typing a request, or some custom client
> someone's written for
> >whatever purpose.)
> >
> >The reason that you are seeing a 200 in the W3SVC log is
> that, in logging
> >only mode, UrlScan does not modify any responses.
> Because of this, a 200
> >gets sent instead of the 400 that UrlScan would normally
> use.
> >
> >I hope that this clarifies this for you.
> >
> >Thank you,
> >-Wade A. Hilmo,
> >-Microsoft
> >
> >"karl" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:043401c39b76$3478bd00$a401280a@phx.gbl...
> >> Hi,
> >>
> >> Anyone knows what the below entry in a urlscan log
> means?
> >> "Received malformed request which resulted in error 50
> >> while modifying the 'SERVER' header.Request will be
> >> rejected with response code 400."
> >> I looked up the corresponding entry in the weblog, and
> it
> >> was served with a 200 status OK.
> >> I'm using urlscan 2.5 (logging only mode) with iis 5.0.
> >> I'm concerned this would cause a problem when I enable
> >> urlscan to reject requests.
> >> Thanks for your help.
> >>
> >> karl
> >>
> >
> >
> >.
> >
- Next message: Wade A. Hilmo [MS]: "Re: Urlscan 2.5 unattended install"
- Previous message: Jayashree Iyer: "Re: Help Required : Authentication across trusted domains in IIS 6.0"
- In reply to: karl: "Re: urlscan log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
