Re: URLScan

From: David Wang <w3.4you@xxxxxxxxx>
Date: Wed, 9 Jan 2008 12:49:13 -0800 (PST)

On Jan 9, 6:50 am, Kenny <subf...@xxxxxxxxx> wrote:

Hello,

URLScan breaks the formatting of the IIS 5.0 logs by including a
single space character in it's entry in the IIS log, for example, the
following entry:

/<Rejected-By-UrlScan> ~/

As each column in the IIS 5.0 log is delimited by the space character,
I can find no way to load the IIS log into SQL Server.

My IIS log file is rather too big to load into a text editor and
perform a find / replace, and I don't have access to sed or awk.

Is it possible to configure URLScan so that it leaves a different
message (with no whitespace) in the IIS log, such that the structure
of the log file is kept intact?

Or is it possible to configure IIS 5.0 to use Tabs to delimit the
columns in the log file?

Many thanks

Kenny

The delimiter of the log file is defined by W3C specification, so
there is no way that IIS can be configured to use Tabs to delimit
columns.

Are you sure that URLScan is inserting the white space? Where is the
~/ coming from -- it seems like you have something else modifying the
log entry.

URLScan does not insert white spaces anywhere. It does the fast path
rejection by rewriting the URL to: /<Rejected-By-UrlScan> (no spaces
nor ~/). Thus, if you see any other characters in the log for that log
field, it is not coming from URLScan.

Now, you can configure URL to rewrite the URL to a different value
(look inside URLSCAN.INI for the property -- it is visible and
documented), and if that still has " ~/" trailing it, then the problem
is definitely not with URLScan because it does not append what you
claim.

Honestly, I do not see URLScan do what you claim, so I think you have
some other ISAPI Filter causing this issue.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
.

Follow-Ups:
- Re: URLScan
  - From: Kenny

References:
- URLScan
  - From: Kenny

Prev by Date: Re: Authentication Security Problem WSS and OWA - Possible Bug?
Next by Date: RE: SSL 2.0
Previous by thread: URLScan
Next by thread: Re: URLScan
Index(es):
- Date
- Thread

Relevant Pages

Re: malformed request in log from SRP 2.5
... urlscan rejected with 400 errors and yet IIS log ... > Balancer Cisco CSS is forwarding connections to this webs site instance ... > web server. ... apparently at the same time the URLSCAN log ...
(microsoft.public.inetserver.iis.security)
Re: AllowDotInPath
... URLScan with AllowDotInPath set to 1? ... >What is in the IIS log when you ... just fine on my development machine without URLScan ...
(microsoft.public.inetserver.iis.security)
URLScan
... URLScan breaks the formatting of the IIS 5.0 logs by including a ... single space character in it's entry in the IIS log, for example, the ... As each column in the IIS 5.0 log is delimited by the space character, ... I can find no way to load the IIS log into SQL Server. ...
(microsoft.public.inetserver.iis.security)
Re: non-ssl virtual directory in ssl website
... This would be diagnosable if you start tracking things down in the IIS log ... about URLScan - we did indeed have it installed, ... without any customisation of the original install values. ... So, URLScan was rejecting requests to .ini and .exe files, ...
(microsoft.public.inetserver.iis.security)
Re: I was hacked
... What about the IIS log from just before 5:55? ... And any snort logs for the next few minutes? ... If URLScan was rejecting stuff right up until then, ...
(microsoft.public.win2000.security)