
Improved IIS decoder #701

Open
danimegar wants to merge 1 commit into master from 688-correction-iis-decoder

Conversation

danimegar (Contributor) commented Jun 9, 2020

Related issue
#688

Description

I added another condition to the regex: https://github.com/wazuh/wazuh-ruleset/blob/688-correction-iis-decoder/decoders/0380-windows_decoders.xml#L94

Log tests

IIS 7.5
2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N'
srcport: '80'
srcip: '31.3.3.7'
user_agent: 'OpenSystems/1.0;+product-family="85";+product-version="123ER123"'
id: '302'

**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'

IIS 8.5
2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/certsrv/Default.asp'
srcport: '80'
srcip: '31.3.3.7'
user_agent: 'Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0)'
id: '401'

**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.

2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/console/faces/com_sun_web_ui/jsp/version/version_30.jsp'
srcport: '80'
srcip: '31.3.3.7'
user_agent: 'Sun+Web+Console+Fingerprinter/7.15'
id: '404'

**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.

2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/IISADMPWD/aexp.htr'
srcport: '80'
srcip: '31.3.3.7'
user_agent: '-'
id: '404'

**Phase 3: Completed filtering (rules).
Rule id: '31101'
Level: '5'
Description: 'Web server 400 error code.'
**Alert to be generated.

Another:
2020-05-30 22:33:20 1.2.3.4 GET /url/ - 80 url/url 1.2.3.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;+.NET4.0C;+.NET4.0E;+Zoom+3.6.0) http://server/url/url466 200 0 0 38

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'GET'
url: '/url/'
srcport: '80'
srcip: '1.2.3.4'
user_agent: 'Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;+.NET4.0C;+.NET4.0E;+Zoom+3.6.0)'
id: '200'

**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'

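The column layout exercised by the log tests above, parsed as an added example: this is not the wazuh-ruleset decoder's own regex (the PR only links to it), but an independent Python re-implementation of the field mapping the decoder output shows, run on the page's sample lines. It assumes the standard W3C column order and treats the referer column as optional, which is what separates the IIS 7.5 line from the IIS 8.5 ones.

```python
import re
from typing import Optional

# Log lines copied from the PR's "Log tests" section (the IIS 7.5 line has no
# referer column; the IIS 8.5 lines do).
SAMPLE_LINES = [
    '2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx '
    'UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 '
    'OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624',
    '2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0',
    '2020-05-30 22:33:20 1.2.3.4 GET /url/ - 80 url/url 1.2.3.4 '
    'Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;'
    '+.NET4.0C;+.NET4.0E;+Zoom+3.6.0) http://server/url/url466 200 0 0 38',
]

# Anchors on the fixed tail (status substatus win32-status time-taken) so the
# variable-length uri-stem/uri-query pair and the optional referer column
# cannot shift the remaining fields.
IIS_W3C = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<sip>\S+) '
    r'(?P<action>[A-Z]+) (?P<stem_query>.+?) '
    r'(?P<srcport>\d+) (?P<user>\S+) (?P<srcip>\S+) (?P<user_agent>\S+) '
    r'(?:(?P<referer>\S+) )?'
    r'(?P<id>\d{3}) (?P<substatus>\d+) (?P<win32>\d+) (?P<time_taken>\d+)$'
)


def decode_iis_line(line: str) -> Optional[dict]:
    """Return the fields the decoder output on this page shows, or None."""
    m = IIS_W3C.match(line.rstrip('\r\n'))
    if m is None:
        return None
    raw = m['stem_query']
    # W3C logs cs-uri-stem and cs-uri-query as two space-separated columns,
    # the query being '-' when absent; the page's decoder output joins both.
    stem, query = raw.rsplit(' ', 1) if ' ' in raw else (raw, '-')
    url = stem if query == '-' else f'{stem} {query}'
    return {
        'action': m['action'], 'url': url,
        'srcport': m['srcport'],   # s-port: the server port, kept under the decoder's name
        'srcip': m['srcip'],       # c-ip: the client address
        'user_agent': m['user_agent'], 'id': m['id'],
        'referer': m['referer'],   # None for the IIS 7.5 column layout
    }


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(decode_iis_line(line))
```

The decoder output on this page labels the s-port column srcport, so the example keeps that name; rules written against it should treat the value as the server's listening port, not the client's.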
danimegar force-pushed the 688-correction-iis-decoder branch from cb83c37 to fed5849 on June 10, 2020 06:57
danimegar force-pushed the 688-correction-iis-decoder branch from fed5849 to b74cdae on June 10, 2020 11:36
danimegar marked this pull request as ready for review on June 10, 2020 11:39
vikman90 changed the base branch from 3.13 to develop on July 31, 2020 12:02
vikman90 changed the base branch from develop to master on September 25, 2020 08:16
