Microsoft IIS
Description
Constructor: Microsoft
Product: Internet Information Services (IIS)
Log type: web
Theoretical injector performance: 27760 EPS
Log sample
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-02-23 12:34:55 W3SVC161035177 MYSERVER1 192.168.2.1 GET /Resources/WhiteLabel/default/default.css - 443 - 192.168.3.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:38.0)+Gecko/20100101+Firefox/38.0 ASP.NET_SessionId=y5cwrcmnjm2u2razndbeqd55 https://ipdata.my.corp/WebForms/Login.aspx?login=true&context=ASP.webforms_main_aspx ipdata.my.corp 200 0 0 2337 471 0
2017-02-23 14:21:19 W3SVC161035177 TPILVXWEB01P 1.1.195.196 POST /ws/dataexchange/datareceiver.asmx - 443 - 1.1.36.69 HTTP/1.1 Java/1.5.0_09 - - ipdata.thalesgroup.com 200 0 0 727 5700 156
2017-02-23 12:34:55 W3SVC161035177 MYSERVER1 192.168.2.1 POST /WebForms/Login.aspx login=true&context=ASP.webforms_main_aspx 443 - 192.168.3.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:38.0)+Gecko/20100101+Firefox/38.0 ASP.NET_SessionId=y5cwrcmnjm2u2razndbeqd55 https://ipdata.my.corp/WebForms/Login.aspx?login=true&context=ASP.webforms_main_aspx ipdata.my.corp 302 0 0 12993 1916 1078
Parsing strategy
First, if the log line starts with the char , we drop it without exception.
Otherwise, the expected format is CSV, so we check that the line has the expected number of fields and we delete the ones with value .
Then, a mapping between the fields found and the normalized fields is made.
About normalization:
- Fields [date] and [time] are combined to generate [obs][ts]
- Fields [s-port], [cs-host], [cs-uri-stem] and [cs-uri-query] are combined to replace [c-uri] in [obs][uri][url]; when it does not exist, [target] is copied from [obs]
Fields normalization

| Constructor field | LMC field |
|---|---|
| [s_ip] | [obs][host][ip] |
| [c_ip] | [init][host][ip] |
| [s_port] | [init][host][port] |
| [cs_username] | [init][usr][name] |
| [s_sitename] | [init][host][name] |
| [cs_user_agent] | [init][useragent] |
| [cs_uri_stem] | [target][uri][urn] |
| [cs_method] | [app][method] |
| [sc_status] | [app][return][code] |
| [cs_uri_query] | [iis][uri][query] |
| [sc_substatus] | [iis][substatus] |
| [sc_win32_status] | [iis][win32_substatus] |
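The parsing strategy and the mapping table above, carried through in code as an added example (not the collector's own parser): W3C directive lines are consumed, data lines are split and checked against the field count announced by #Fields:, fields IIS writes as '-' (its placeholder for an empty value) are dropped, date and time become [obs][ts], and s-port, cs-host, cs-uri-stem and cs-uri-query are combined into [obs][uri][url]. Assumptions: the scheme is inferred from s-port (443 means https), timestamps are read as UTC (the W3C format's default), and the [target]/[obs] fallback is left out.

```python
from datetime import datetime, timezone

# W3C field name -> LMC key path, transcribed from the normalization table above.
LMC_MAP = {
    "s-ip": ("obs", "host", "ip"), "c-ip": ("init", "host", "ip"),
    "s-port": ("init", "host", "port"), "cs-username": ("init", "usr", "name"),
    "s-sitename": ("init", "host", "name"), "cs(User-Agent)": ("init", "useragent"),
    "cs-uri-stem": ("target", "uri", "urn"), "cs-method": ("app", "method"),
    "sc-status": ("app", "return", "code"), "cs-uri-query": ("iis", "uri", "query"),
    "sc-substatus": ("iis", "substatus"), "sc-win32-status": ("iis", "win32_substatus"),
}

def set_path(event, path, value):
    for key in path[:-1]:                        # walk/create nested dicts, e.g. obs -> host
        event = event.setdefault(key, {})
    event[path[-1]] = value

def parse_iis(lines):
    """Yield one normalized event per data line; '#' directives are consumed, not emitted."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#"):                 # W3C directive (#Software:, #Fields:, ...)
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before any #Fields: directive")
        values = line.split(" ")                 # safe: IIS writes spaces inside values as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        raw = {k: v for k, v in zip(fields, values) if v != "-"}  # '-' marks an empty field
        event = {}
        for name in raw.keys() & LMC_MAP.keys():
            set_path(event, LMC_MAP[name], raw[name])
        if {"date", "time"}.issubset(raw):       # assumption: timestamps are UTC (W3C default)
            ts = datetime.strptime(f"{raw['date']} {raw['time']}", "%Y-%m-%d %H:%M:%S")
            set_path(event, ("obs", "ts"), ts.replace(tzinfo=timezone.utc).isoformat())
        if {"cs-host", "cs-uri-stem", "s-port"}.issubset(raw):
            scheme = "https" if raw["s-port"] == "443" else "http"  # assumption: scheme from port
            host = raw["cs-host"] + ("" if raw["s-port"] in ("80", "443") else ":" + raw["s-port"])
            url = f"{scheme}://{host}{raw['cs-uri-stem']}"
            if "cs-uri-query" in raw:
                url += "?" + raw["cs-uri-query"]
            set_path(event, ("obs", "uri", "url"), url)
        yield event
```

Feeding the #Fields: header and the first sample line to parse_iis yields a single event with [obs][ts] 2017-02-23T12:34:55+00:00 and [obs][uri][url] https://ipdata.my.corp/Resources/WhiteLabel/default/default.css, with no [iis][uri][query] since that field was '-'.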