Improved IIS decoder #701

Open. Wants to merge 1 commit into master.

Conversation

danimegar (Contributor) commented Jun 9, 2020

Related issue
#688

Description

I added another condition to the regex: https://github.com/wazuh/wazuh-ruleset/blob/688-correction-iis-decoder/decoders/0380-windows_decoders.xml#L94

Log tests

IIS 7.5
  -  2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N'
srcport: '80'
srcip: '31.3.3.7'
user_agent: 'OpenSystems/1.0;+product-family="85";+product-version="123ER123"'
id: '302'

**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'

IIS 8.5
  -  2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/certsrv/Default.asp'
srcport: '80'
srcip: '31.3.3.7'
user_agent: 'Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0)'
id: '401'

**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.

2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/console/faces/com_sun_web_ui/jsp/version/version_30.jsp'
srcport: '80'
srcip: '31.3.3.7'
user_agent: 'Sun+Web+Console+Fingerprinter/7.15'
id: '404'

**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.

2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/IISADMPWD/aexp.htr'
srcport: '80'
srcip: '31.3.3.7'
user_agent: '-'
id: '404'

**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.

Another:
2020-05-30 22:33:20 1.2.3.4 GET /url/ - 80 url/url 1.2.3.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;+.NET4.0C;+.NET4.0E;+Zoom+3.6.0) http://server/url/url466 200 0 0 38

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/url/'
srcport: '80'
srcip: '1.2.3.4'
user_agent: 'Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;+.NET4.0C;+.NET4.0E;+Zoom+3.6.0)'
id: '200'

**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'
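As an added illustration, not code from wazuh-ruleset: the PR only links the XML decoder regex, so the Python regex below is my own reconstruction of a parser that accepts the same W3C field layouts as the five test lines above (cs-uri-query present or `-`, cs(Referer) column present or absent, user agent present or `-`) and emits the field names shown in the Phase 2 output. The field names and the mapping of s-port to `srcport` and c-ip to `srcip` are assumptions that mirror the quoted output, not the project's decoder. The `coverage_gaps` helper is the check a practitioner wants when editing a decoder regex: any line layout the regex does not match is silently left undecoded and can never raise an alert.

```python
import re

# Constructed sample input: the five IIS log lines quoted in the PR's
# "Log tests" section, with the list markers removed.
SAMPLES = [
    '2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx '
    'UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 '
    'OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624',
    '2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 '
    'Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0',
    '2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp '
    '- 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0',
    '2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0',
    '2020-05-30 22:33:20 1.2.3.4 GET /url/ - 80 url/url 1.2.3.4 '
    'Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;'
    '+.NET4.0C;+.NET4.0E;+Zoom+3.6.0) http://server/url/url466 200 0 0 38',
]

# Hypothetical reconstruction of the field layout seen in the samples:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) [cs(Referer)] sc-status sc-substatus sc-win32-status time-taken.
# IIS writes '-' for empty fields and '+' for spaces inside a field, so every
# field is a single non-blank token; the optional cs(Referer) group is resolved
# by requiring exactly four numeric fields at the end of the line.
IIS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<s_ip>\S+) (?P<method>[A-Z]+) (?P<stem>\S+) (?P<query>\S+) "
    r"(?P<s_port>\d+) (?P<user>\S+) (?P<c_ip>\S+) (?P<ua>\S+)"
    r"(?: (?P<referer>\S+))? "
    r"(?P<status>\d{3}) (?P<substatus>\d+) (?P<win32>\d+) (?P<time_taken>\d+)$"
)


def decode_iis(line):
    """Return the six fields the PR's Phase 2 output shows, or None if the
    line does not match any layout the regex covers (assumed field names)."""
    m = IIS_LINE.match(line.strip())
    if m is None:
        return None
    stem, query = m.group("stem"), m.group("query")
    # The quoted output joins cs-uri-stem and cs-uri-query with a space
    # when a query is present; '-' means no query string.
    url = stem if query == "-" else f"{stem} {query}"
    return {
        "action": m.group("method"),
        "url": url,
        "srcport": m.group("s_port"),   # s-port, as labelled in the PR output
        "srcip": m.group("c_ip"),       # c-ip (the client address)
        "user_agent": m.group("ua"),
        "id": m.group("status"),        # sc-status, labelled 'id' in the output
    }


def coverage_gaps(lines):
    """Lines the decoder regex leaves undecoded; an empty list means every
    layout variant in the test set is covered."""
    return [line for line in lines if decode_iis(line) is None]


if __name__ == "__main__":
    for line in SAMPLES:
        print(decode_iis(line))
    print("undecoded:", coverage_gaps(SAMPLES))
```

Running the block prints one dictionary per sample, matching the `decoder: 'windows-date-format'` output above field for field, and an empty `undecoded` list. When changing a decoder regex, keep a sample of every field-layout variant your servers emit (the W3C logging fields are configurable per site) and re-run this kind of check: the IIS 7.5 line without a cs(Referer) column is exactly the case that a regex written against the 15-field layout would silently drop.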

@danimegar danimegar marked this pull request as ready for review June 10, 2020 11:39
@vikman90 vikman90 changed the base branch from 3.13 to develop July 31, 2020 12:02
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:16