[ossec-list] IIS 6 log decoder issue
- To: ossec-list@xxxxxxxxx
- Subject: [ossec-list] IIS 6 log decoder issue
- From: "Worawit Wang" <worawita@xxxxxxxxx>
- Date: Fri, 4 May 2007 15:36:30 +0700
Hi all,
I've just found a bug in decoder.xml, in the decoder named web-accesslog-iis6. The cs-uri-query field is not included in the url field.
Here is the original decoder:
<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>
line: <regex offset="after_prematch">^(\S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
need to be: <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
I hope this issue will be fixed in the next version.
Also I have a request about the web rules. Can you modify OSSEC to match url rules case-insensitively? Because it's very easy to evade detection otherwise, such as by using "SeLeCt" when doing SQL injection.
Thanks,
Worawit
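The following is an added example, not part of the original post or of OSSEC itself. It approximates the decoder chain from the post (parent date match, prematch, body regex) with Python's re module rather than OSSEC's own regex engine, runs both the original and the corrected body regex over a constructed IIS 6 W3C log line, and then applies a rule-style check on the decoded url field with and without case-insensitive matching to show the evasion the second part of the post describes. The sample log line, the assumed field order, and the helper names decode_iis6 and url_matches are all constructed for this example.

```python
import re

# Constructed IIS 6 W3C log line (not taken from the original post). Assumed field
# order: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
SAMPLE_LINE = (
    "2007-05-04 08:36:30 W3SVC1 SERVER01 192.0.2.10 GET /products.asp "
    "id=1+SeLeCt+1 80 - 198.51.100.5 Mozilla/4.0 200 0 0"
)

# Pieces of the decoder from the post, rendered as Python regexes. The
# windows-date-format parent consumes "date time" (assumed shape here); the
# prematch consumes s-sitename, s-computername, s-ip and cs-method.
PARENT = r"^\d+-\d+-\d+ \d+:\d+:\d+ "
PREMATCH = r"W3SVC\d+ \S+ \S+ \S+ "
# Original body: url captures cs-uri-stem only; cs-uri-query is skipped by the
# unparenthesised \S+.
REGEX_ORIGINAL = r"^(\S+) \S+ \d+ \S+ (\d+.\d+.\d+.\d+) "
# Corrected body from the post: url captures "cs-uri-stem cs-uri-query".
REGEX_FIXED = r"^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) "


def decode_iis6(line, body_regex):
    """Mimic the decoder chain: parent date, then prematch, then body regex.

    Returns {'url': ..., 'srcip': ...} on success, or None if any stage fails
    to match (the way a real decoder would simply not fire on the line).
    """
    m = re.match(PARENT, line)
    if not m:
        return None
    rest = line[m.end():]
    m = re.match(PREMATCH, rest)
    if not m:
        return None
    rest = rest[m.end():]
    m = re.match(body_regex, rest)
    if not m:
        return None
    return {"url": m.group(1), "srcip": m.group(2)}


def url_matches(url, pattern, case_insensitive):
    """Rule-style check on the decoded url field.

    With case_insensitive=False the check behaves like a case-sensitive <url>
    match and misses mixed-case variants; with True it catches them.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, url, flags) is not None


if __name__ == "__main__":
    for name, body in (("original", REGEX_ORIGINAL), ("fixed", REGEX_FIXED)):
        fields = decode_iis6(SAMPLE_LINE, body)
        print(name, "->", fields)
        print("  case-sensitive 'select' hit:  ",
              url_matches(fields["url"], "select", False))
        print("  case-insensitive 'select' hit:",
              url_matches(fields["url"], "select", True))
```

Running it shows the original body regex yielding url "/products.asp" (the query string is lost, so no url rule can see it), while the corrected one yields "/products.asp id=1+SeLeCt+1". On that fuller value a case-sensitive check for "select" still misses the mixed-case token; only the case-insensitive check reports a hit.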
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.