#184 Support for Microsoft's UrlScan tool

open
nobody
None
5
2012-10-11
2002-12-13
No

Microsoft has release a tool named UrlScan as part of their IIS
Lockdown tool. UrlScan is a very powerful addition to IIS while it
allows blocking requests by their content on HTTP query
level.

Below is a clip from an IIS web log where UrlScan has
bloked a couple of off the shelf attacks based on blocking rule of
"root.exe" query:

2002-12-12 02:53:59 10.0.0.1 - GET
/<Rejected-By-UrlScan> ~/scripts/root.exe 404 4157 HTTP/1.0 - -

2002-12-12 02:54:00 10.0.0.1 - GET /<Rejected-By-UrlScan>
~/MSADC/root.exe 404 4157 HTTP/1.0 - -

Please note that
above is from IIS's log, not from a separate log by
UrlScan.

The compatibility problem with AWStats arises
from fact that AWStats reads such entries as "404 on /" thus
hurting the usability of actually having HTTP errors section on
analysis at all.

I am suggesting that future release of
AWStats would recognize such entries by UrlScan and not
register them as "404 on /". There might be entirely new section for
"blocked by UrlScan", which would greatly help when debugging
UrlScan rules.

Discussion

  • Danny Jones

    Danny Jones - 2003-05-26

    Logged In: YES
    user_id=784236

    I agree... this would be very useful, would provide more
    accurate statistics, and serve as a security report.

     
  • Anson Chuang

    Anson Chuang - 2003-07-09

    Logged In: YES
    user_id=813818

    Definitely a worthwhile addition

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks