
Microsoft IIS

Description

Constructor: Microsoft
Product: Internet Information Services (IIS)
Log type: web

Theoretical injector performance: 27760 EPS

Log sample

2017-02-23 12:34:55 W3SVC161035177 MYSERVER1 192.168.2.1 GET /Resources/WhiteLabel/default/default.css - 443 - 192.168.3.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:38.0)+Gecko/20100101+Firefox/38.0 ASP.NET_SessionId=y5cwrcmnjm2u2razndbeqd55 https://ipdata.my.corp/WebForms/Login.aspx?login=true&context=ASP.webforms_main_aspx ipdata.my.corp 200 0 0 2337 471 0
2017-02-23 14:21:19 W3SVC161035177 TPILVXWEB01P 1.1.195.196 POST /ws/dataexchange/datareceiver.asmx - 443 - 1.1.36.69 HTTP/1.1 Java/1.5.0_09 - - ipdata.thalesgroup.com 200 0 0 727 5700 156
2017-02-23 12:34:55 W3SVC161035177 MYSERVER1 192.168.2.1 POST /WebForms/Login.aspx login=true&context=ASP.webforms_main_aspx 443 - 192.168.3.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:38.0)+Gecko/20100101+Firefox/38.0 ASP.NET_SessionId=y5cwrcmnjm2u2razndbeqd55 https://ipdata.my.corp/WebForms/Login.aspx?login=true&context=ASP.webforms_main_aspx ipdata.my.corp 302 0 0 12993 1916 1078
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

Parsing strategy

First, if the log line starts with the character #, as the #Software: and #Fields: header lines in the sample do, we drop it without exception.

Else, the expected format is CSV, so we check that we got the expected number of fields and we delete those whose value is - (the placeholder for an empty field in the sample).

Then, the fields found are mapped to the normalized fields listed below.

About normalization:

  • Fields [date] and [time] are combined to generate [obs][ts]
  • Fields [s-port], [cs-host], [cs-uri-stem] and [cs-uri-query] are combined to replace [c-uri] in [obs][uri][url] when it does not exist
  • [target] is copied from [obs]

Fields normalization

Constructor field     LMC field
[s_ip]                [obs][host][ip]
[c_ip]                [init][host][ip]
[s_port]              [init][host][port]
[cs_username]         [init][usr][name]
[s_sitename]          [init][host][name]
[cs_user_agent]       [init][useragent]
[cs_uri_stem]         [target][uri][urn]
[cs_method]           [app][method]
[sc_status]           [app][return][code]
[cs_uri_query]        [iis][uri][query]
[sc_substatus]        [iis][substatus]
[sc_win32_status]     [iis][win32_substatus]
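The parsing strategy and the normalization table above, implemented as an added Python example (not the product's own parser): it drops header directives, checks the field count against the sample's #Fields header, discards - values, applies the mapping table, builds [obs][ts] and [obs][uri][url], and copies [obs] into [target]. The field order is assumed to be that of the sample's #Fields line, and the URL scheme is guessed from the port (an assumption; the page does not say how it is chosen).

```python
from datetime import datetime, timezone
# Field order from the #Fields header in the log sample above (IIS 6.0, W3C extended format).
FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
          "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken").split()
# Raw field -> normalized path, taken from the "Fields normalization" table on the page.
MAPPING = {"s-ip": "obs.host.ip", "c-ip": "init.host.ip", "s-port": "init.host.port",
           "cs-username": "init.usr.name", "s-sitename": "init.host.name",
           "cs(User-Agent)": "init.useragent", "cs-uri-stem": "target.uri.urn",
           "cs-method": "app.method", "sc-status": "app.return.code", "cs-uri-query": "iis.uri.query",
           "sc-substatus": "iis.substatus", "sc-win32-status": "iis.win32_substatus"}
# First line of the page's log sample, embedded here as input for a stand-alone run.
SAMPLE = ("2017-02-23 12:34:55 W3SVC161035177 MYSERVER1 192.168.2.1 GET /Resources/WhiteLabel/default/default.css - 443 - "
          "192.168.3.1 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:38.0)+Gecko/20100101+Firefox/38.0 ASP.NET_SessionId="
          "y5cwrcmnjm2u2razndbeqd55 https://ipdata.my.corp/WebForms/Login.aspx?login=true&context=ASP.webforms_main_aspx ipdata.my.corp 200 0 0 2337 471 0")

def set_path(d, path, value):  # set a dotted path such as "obs.host.ip" inside a nested dict
    *parents, leaf = path.split(".")
    for p in parents:
        d = d.setdefault(p, {})
    d[leaf] = value

def merge_missing(dst, src):  # copy src's leaves into dst without overwriting what dst already holds
    for k, v in src.items():
        if isinstance(v, dict):
            merge_missing(dst.setdefault(k, {}), v)
        else:
            dst.setdefault(k, v)
    return dst

def parse_line(line, fields=FIELDS):  # apply the page's strategy; returns the event dict, or None if dropped
    if line.startswith("#"):                         # header directive: dropped without exception
        return None
    values = line.rstrip("\r\n").split(" ")
    if len(values) != len(fields):                   # wrong field count: not the expected format
        return None
    raw = {k: v for k, v in zip(fields, values) if v != "-"}   # "-" marks an empty field
    out = {}
    for k, v in raw.items():
        if k in MAPPING:
            set_path(out, MAPPING[k], v)
    ts = datetime.strptime(raw["date"] + " " + raw["time"], "%Y-%m-%d %H:%M:%S")
    set_path(out, "obs.ts", ts.replace(tzinfo=timezone.utc).isoformat())  # [date]+[time] -> [obs][ts] (IIS logs in UTC)
    if "c-uri" not in raw and "cs-host" in raw:      # no [c-uri]: rebuild [obs][uri][url] from port, host, stem, query
        scheme = "https" if raw.get("s-port") == "443" else "http"   # assumption: scheme guessed from the port
        url = f"{scheme}://{raw['cs-host']}" + (f":{raw['s-port']}" if "s-port" in raw else "") + raw.get("cs-uri-stem", "")
        url += "?" + raw["cs-uri-query"] if "cs-uri-query" in raw else ""
        set_path(out, "obs.uri.url", url)
    out["target"] = merge_missing(out.get("target", {}), out.get("obs", {}))  # [target] copied from [obs]
    return out
```

Running parse_line(SAMPLE) yields an event whose [target] carries both the mapped [uri][urn] and the [host][ip], [ts] and [uri][url] copied from [obs]; the second sample line with - in cs(Cookie) and cs(Referer) parses the same way with those fields simply absent.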