Decoder for IIS 7 Logs


James Whittington

Jul 30, 2014, 10:31:42 AM
to ossec...@googlegroups.com
I have seen several examples of decoders folks have written for IIS 7. 
I have tried out a couple of different ones yet each time the ossec-logtest stops at the windows-date-format decoder.

Additionally one of the examples of an IIS 7 decoder is in a OSSEC bug "web-log category doesn't work" (https://github.com/ossec/ossec-hids/issues/164).

So I am left wondering if anyone is successfully decoding IIS logs on Windows 2008-2012 servers?  

I am currently running OSSEC v2.7.1, I see 2.8 is out but I didn't see anything in the release notes about updates to IIS logs?

I would like to write some custom rules on post actions to specific urls but the windows-date-format decoder doesn't extract the correct fields that I need.
Here is an example line and what I am seeing when I run a logtest on it:

2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
 

**Phase 1: Completed pre-decoding.
       full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
       hostname: 'monitor'
       program_name: '(null)'
       log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       url: '/register -'
       srcip: '120.138.126.238'
       id: '302'

**Phase 3: Completed filtering (rules).
       Rule id: '120000'
       Level: '5'
       Description: 'Registration Attempt'
**Alert to be generated.


I am trying to track registration activity to a web service and trigger a custom AR script if multiple registration attempts occur from the same source ip.

If anyone would like to share their IIS decoders I would be most appreciative, I don't know why OSSEC doesn't have a user contributed exchange of decoders much like the nagios community used to have with custom plugins.

Any thanks for any advice on decoding IIS.

James Whittington 

 

dan (ddp)

Jul 30, 2014, 10:55:39 AM
to ossec...@googlegroups.com
Because so few people contribute them? I find it odd as well, I
thought more people would want to help.

> Any thanks for any advice on decoding IIS.
>

Give me sample logs.

> James Whittington
>

dan (ddp)

Jul 30, 2014, 10:55:39 AM
to ossec...@googlegroups.com
On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
<james.whit...@gmail.com> wrote:
> I have seen several examples of decoders folks have written for IIS 7.
> I have tried out a couple of different ones yet each time the ossec-logtest
> stops at the windows-date-format decoder.
>
> Additionally one of the examples of an IIS 7 decoder is in a OSSEC bug
> "web-log category doesn't work"
> (https://github.com/ossec/ossec-hids/issues/164).
>
> So I am left wondering if anyone is successfully decoding IIS logs on
> Windows 2008-2012 servers?
>
> I am currently running OSSEC v2.7.1 , I see 2.8 is out but I didn't see
> anything in the release notes about updates to IIS logs?
>
> I would like to write some custom rules on post actions to specific urls but
> the windows-date-format decoder doesn't extract the correct fields that I
> need.

What fields do you need that are missing?

dan (ddp)

Jul 30, 2014, 11:00:50 AM
to ossec...@googlegroups.com
On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
> <james.whit...@gmail.com> wrote:
>> I have seen several examples of decoders folks have written for IIS 7.
>> I have tried out a couple of different ones yet each time the ossec-logtest
>> stops at the windows-date-format decoder.
>>
>> Additionally one of the examples of an IIS 7 decoder is in a OSSEC bug
>> "web-log category doesn't work"
>> (https://github.com/ossec/ossec-hids/issues/164).
>>
>> So I am left wondering if anyone is successfully decoding IIS logs on
>> Windows 2008-2012 servers?
>>
>> I am currently running OSSEC v2.7.1 , I see 2.8 is out but I didn't see
>> anything in the release notes about updates to IIS logs?
>>
>> I would like to write some custom rules on post actions to specific urls but
>> the windows-date-format decoder doesn't extract the correct fields that I
>> need.
>
> What fields do you need that are missing?
>

(This gives me the POST:

<decoder name="web-accesslog-iis6">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
<regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
<regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
<order>action, url, srcip, id</order>
</decoder>

Just replace the current web-accesslog-iis6 entry. BUT TEST IT before
putting it into production.)

Michael Starks

Jul 30, 2014, 11:09:09 AM
to ossec...@googlegroups.com
On 2014-07-30 9:28, James Whittington wrote:
> I have seen several examples of decoders folks have written for IIS
> 7. 
> I have tried out a couple of different ones yet each time the
> ossec-logtest stops at the windows-date-format decoder.

This is something I have in my local decoder file that I was tinkering
with. I don't remember where I left off with it, but it may work:

<decoder name="web-accesslog-iis7">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\w+) (\S+ \S+) (\d+) (\S+) (\d+.\d+.\d+.\d+) \.+ (\d+) \d+ \d+ \d+$</regex>
<order>dstip, action, url, dstport, dstuser, srcip, status</order>
</decoder>

James Whittington

Jul 30, 2014, 11:36:42 AM
to ossec...@googlegroups.com
Dan, thanks for taking a quick look at the log line.
I'll try to modify the iis6 decoder and see what happens then.
I have a OSSEC test system I feed logs to so I can try it out on that system first.

I think this would give me enough info to work with.

I am trying to catch multiple website registration attempts from the same ip but only on post actions.
I need to filter out some http 500 errors alarms from google bots

I work with web applications with about 90% being IIS based and 10% Apache based so I would love to see more progress on the Windows Client side and Windows support.

Also was there discussion in the past about having a place for user contributed content?
I know OSSEC has invited folks to help develop but I bet a LOT of the OSSEC userbase are more systems people than pure developers.
But I bet those systems people have created really great decoders to fully utilize OSSEC that they would share if there were a place for them to do so.

James Whittington



dan (ddp)

Jul 30, 2014, 11:40:21 AM
to ossec...@googlegroups.com
On Wed, Jul 30, 2014 at 11:31 AM, James Whittington
<james.whit...@gmail.com> wrote:
> Dan, thanks for taking a quick look at the log line.
> I'll try to modify the iis6 decoder and see what happens then.
> I have a OSSEC test system I feed logs to so I can try it out on that system
> first.
>
> I think this would give me enough info to work with.
>
> I am trying to catch multiple website registration attempts from the same ip
> but only on post actions.
> I need to filter out some http 500 errors alarms from google bots
>
> I work with web applications with about 90% being IIS based and 10% Apache
> based so I would love to see more progress on the Windows Client side and
> Windows support.
>

Fire up a text editor and jump aboard.

> Also was there discussion in the past about having a place for user
> contributed content?

I don't think there's been enough interest lately to even worry about
that yet. Emailing decoders/rules or contributing via github are both
easy to do. I try not to linger too long on decoder/rule
contributions.

> I know OSSEC has invited folks to help develop but I bet a LOT of the OSSEC
> userbase are more systems people than pure developers.
> But I bet those systems people have created really great decoders to fully
> utilize OSSEC that they would share if there were a place for them to do so.
>

And most of those people have not tried to contribute those decoders.

James Whittington

Jul 30, 2014, 12:30:44 PM
to ossec...@googlegroups.com
Okay this message is wandering into a whole separate topic but I have found examples of rules and decoders scattered throughout OSSEC message lists that may or may not be committed into OSSEC official source
- I found fixes to the broken Windows null route routines
- I found a decoder for IIS 7.5 FTP
- I also had written a simple decoder for Filezilla FTP Logs

My point is there has been some really good user contributed content sitting in OSSEC forums and I can only guess at reasons why those users never saw fit to contribute officially to OSSEC.

In my case I would want others to provide feedback and improve upon a decoder before I would offer it up as a decoder.
After all it may work for me but not for other setups.

I think about places like splunkbase, nagiosexchange and osticket where users could easily contribute to the project without having to dig into source code.
Just my two cents. 

dan (ddp)

Jul 30, 2014, 12:33:34 PM
to ossec...@googlegroups.com
On Wed, Jul 30, 2014 at 12:26 PM, James Whittington
<james.whit...@gmail.com> wrote:
> Okay this message is wandering into a whole separate topic but I have found
> examples of rules and decoders scattered throughout OSSEC message lists that
> may or may not be committed into OSSEC official source
> - I found fixes to the broken Windows null route routines
> - I found a decoder for IIS 7.5 FTP
> - I also had written a simple decoder for Filezilla FTP Logs
>
> My point is there has been some really good user contributed content sitting
> in OSSEC forums and I can only guess at reasons why those users never saw
> fit to contribute officially to OSSEC.
>

I can't test a lot of the Windows stuff, especially when there aren't
log samples to go with it. So I was hoping other people would try them
out and contribute. I'll try not to do that in the future.

> In my case I would want others to provide feedback and improve upon a
> decoder before I would offer it up as a decoder.
> After all it may work for me but not for other setups.
>
> I think about places like splunkbase,nagiosexchange and osticket where users
> could easily contribute to the project without having to dig into source
> code.
> Just my two cents.
>

Build it, I'll contribute.

James Whittington

Jul 30, 2014, 3:34:45 PM
to ossec...@googlegroups.com
Thanks for the feedback on this issue where I couldn't fetch action types (POST,GET) on newer versions of IIS
Updating the web-accesslog-iis6 decoder as follows seemed to work on IIS7, IIS7.5, and IIS8 as long as you remember to log all fields in IIS (one of my servers wasn't, thus we weren't triggering on things properly).


<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>action, url, srcip, id</order>
</decoder>

A point of confusion for me was that ossec logtester doesn't seem to display the child decoder, so although decoder web-accesslog-iis6 is being triggered the only decoder that is referenced in logtest is the parent (windows-date-format).

Also I am a little confused about whether or not local_decoder.xml has to be defined in the ossec.conf file to be seen?

Someone had an issue where windows-date-format was showing as the decoder instead of the one they expected.

It was suggested to add the following to /etc/ossec.conf inside the rules element:
<decoder>etc/local_decoder.xml</decoder>
<decoder>etc/decoder.xml</decoder> 

However I am pretty sure on our production instance we don't specifically define local_decoder.xml so I think OSSEC must discover it if it's in the "./ossec/etc" folder

Thanks again for the help.

James Whittington
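The following is an added example (not code from this thread and not OSSEC's own code) that does two things in one place: it mirrors, in Python's re module, what Dan's and James's web-accesslog-iis6 decoder above extracts from the sample IIS 7 line (action, url, srcip, id), and it runs the "repeated POST /register from one source IP" count James describes, plus the Googlebot HTTP 500 filter, over a few constructed log lines. The translation of the OSSEC pattern to Python, the extra user-agent capture, the helper names (decode_iis_line, make_line, registration_bursts, is_bot_server_error) and the made-up sample lines are all assumptions of this example; only THREAD_LINE is the line posted in the thread.

```python
"""Emulate the web-accesslog-iis6 decoder from this thread in Python and run a
"repeated POST /register from one source IP" count over sample lines.
Added example, not OSSEC code."""
import re
from collections import Counter

# IIS W3C field layout of the sample line in the thread ("log all fields"):
#   date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query
#   s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer)
#   cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
#
# The decoder's patterns, which apply after windows-date-format has consumed
# "date time" (OSSEC concatenates the two <regex> elements into one):
#   prematch  ^W3SVC\d+ \S+ \S+
#   regex     ^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ \S+ (\d+)
#   order     action, url, srcip, id
# Translation to Python's re (an assumption of this example): the dots in the
# IP are made literal, and cs(User-Agent) is captured as well, which the
# decoder does not do.
IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "                    # consumed by windows-date-format
    r"W3SVC\d+ \S+ \S+ "                                # prematch: sitename, computername, s-ip
    r"(?P<action>\S+) (?P<url>\S+ \S+) \d+ \S+ "        # method, "stem query", port, username
    r"(?P<srcip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) "   # c-ip
    r"\S+ (?P<agent>\S+) \S+ \S+ \S+ "                  # version, user agent, cookie, referer, host
    r"(?P<id>\d+) "                                     # sc-status
)


def decode_iis_line(line):
    """Return the decoder's fields (action, url, srcip, id) plus agent, or None if no match."""
    m = IIS_LINE.match(line)
    return m.groupdict() if m else None


# The line posted in the thread.
THREAD_LINE = (
    "2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - "
    "120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 "
    "https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667"
)


def make_line(time, method, stem, srcip, agent, status):
    """Build a constructed line in the same layout (sample data for this example, not real traffic)."""
    return (
        f"2014-07-30 {time} W3SVC1273337584 RD00155D43396D 10.207.230.34 {method} {stem} - 443 - "
        f"{srcip} HTTP/1.1 {agent} - - www.cognitoforms.com {status} 0 0 949 2509 3667"
    )


# Constructed sample set: the thread's line plus made-up entries (documentation IPs).
SAMPLE_LINES = [
    THREAD_LINE,
    make_line("13:27:20", "POST", "/register", "120.138.126.238", "Mozilla/5.0+(Windows+NT+6.1)", "302"),
    make_line("13:27:41", "POST", "/register", "120.138.126.238", "Mozilla/5.0+(Windows+NT+6.1)", "302"),
    make_line("13:28:02", "GET", "/register", "198.51.100.7", "Mozilla/5.0+(X11;+Linux)", "200"),
    make_line("13:28:15", "POST", "/register", "198.51.100.7", "Mozilla/5.0+(X11;+Linux)", "302"),
    make_line("13:29:00", "GET", "/old-page", "192.0.2.44", "Mozilla/5.0+(compatible;+Googlebot/2.1)", "500"),
]


def registration_bursts(lines, threshold=3):
    """Count POST requests whose cs-uri-stem is /register per source IP; return IPs at or above threshold.

    The decoder's url field is "stem query" (e.g. "/register -"), so the stem is split off first."""
    counts = Counter()
    for line in lines:
        f = decode_iis_line(line)
        if f is None:
            continue
        stem = f["url"].split(" ", 1)[0]
        if f["action"] == "POST" and stem == "/register":
            counts[f["srcip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def is_bot_server_error(fields):
    """The noise James wants to drop: HTTP 500 responses served to Google's crawler."""
    return fields["id"] == "500" and "Googlebot" in fields["agent"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = decode_iis_line(line)
        print(f["action"], f["url"], f["srcip"], f["id"], "noise" if is_bot_server_error(f) else "")
    print("repeated POST /register:", registration_bursts(SAMPLE_LINES))
```

Running the script shows why logtest printed url '/register -': the decoder's second capture spans both cs-uri-stem and cs-uri-query, so a rule that compares the url field has to allow for the trailing query. In OSSEC itself the per-source count corresponds to a rule carrying frequency and timeframe attributes with <same_source_ip /> chained through <if_matched_sid> to the rule that matches the decoded POST, and the Googlebot filter to a separate rule that matches on the user agent and status and is given a lower level; both need the user agent, which the decoder above does not extract and this example only captures as an extension.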



dan (ddp)

Jul 30, 2014, 3:39:51 PM
to ossec...@googlegroups.com
On Wed, Jul 30, 2014 at 3:29 PM, James Whittington
<james.whit...@gmail.com> wrote:
> Thanks for the feedback on this issue where I couldn't fetch action types
> (POST,GET) on newer versions of IIS
> Updating the web-accesslog-iis6 decoder as follows seemed to work on IIS7,
> IIS7.5, and IIS8 all long as you remember to log all fields in IIS (one of
> my servers wasn't thus we weren't triggering on things properly)..
>
>
> <decoder name="web-accesslog-iis6">
> <parent>windows-date-format</parent>
> <type>web-log</type>
> <use_own_name>true</use_own_name>
> <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
> <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+)
> </regex>
> <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
> <order>action, url, srcip, id</order>
> </decoder>
>
> A point of confusion for me was that ossec logtester doesn't seem to display
> the child decoder, so although decoder web-accesslog-iis6 is being triggered
> the only decoder that is referenced in logtest is the parent
> (windows-date-format).
>

The parent decoder is what a message is decoded as; child decoders
just offer finer grained bits. It is confusing, but I'm not sure how
to handle it better (easily).

> Also I am a little confused about whether or not local_decoder.xml has to be
> defined in the ossec.conf file to be seen?
>

No, it should be automagically applied.

> I found this blog article (
> http://jentalkstoomuch.blogspot.com/2010/09/writing-custom-ossec-rules-for-your.html
> )
> Someone had an issue where windows-date-format was showing as the decoder
> instead of the one they expected.
>
> It was suggested to add the following to /etc/ossec.conf inside the rules
> element:
> <decoder>etc/local_decoder.xml</decoder>
> <decoder>etc/decoder.xml</decoder>
>
> However I am pretty sure on our production instance we don't specifically
> define local_decoder.xml so I think OSSEC must discover it if it's in the
> "./ossec/etc" folder
>

Just a guess (based on the order), they wanted the local decoder to be
applied before the OSSEC decoder. In that case it would have to be
added manually. But for a default install it should work just fine.