Rules for IIS


Adiel Jesus Navarro Rosado

Jun 8, 2018, 3:06:34 PM
to wa...@googlegroups.com

Which rules are configured for Windows IIS?


alfonso.r...@wazuh.com

Jun 21, 2018, 11:42:37 AM
to Wazuh mailing list

Hello Adiel,

I'm sorry for the delay. 

First, we can see the specific decoders for Windows in the following link:


In this file we find a selection of decoders dedicated to Windows IIS, for example: 

<!-- IIS 5 W3C FTP log format.
  - Examples:
  - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
  - 2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]USER Administrator - 331 0 0 0 0 FTP - - - -
  - 2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]PASS - - 230 0 0 0 16 FTP - - - -
  -->
<decoder name="msftp">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ \S+ MSFTPSVC</prematch>
  <regex offset="after_parent">^(\S+) (\S+) \S+ \S+ \S+ </regex>
  <regex>\d+ [\d+](\S+) \S+ \S+ (\d+) </regex>
  <order>srcip,user,action,id</order>
</decoder>


However, the rules are not grouped by "IIS", but you can find interesting information in the following files, related to rules for FTP in Microsoft, specific rules for Windows, rules for web access or rules for Windows logs: 


If you do not find what you are looking for or need help building rules or decoders for one or more events, please do not hesitate to contact us. We will try to help you and offer you the best possible solution. 

Kind regards,

Alfonso Ruiz-Bravo 
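To make concrete what the msftp decoder quoted above actually extracts, here is an added Python example (not code from the thread or from the Wazuh project) that replays the decoder's logic over constructed IIS 5 W3C FTP log lines. It assumes the behaviour of the parent decoder windows-date-format is simply to consume the leading "date time " prefix, and it translates the OSSEC regex syntax to Python: in OSSEC regexes "[" and "]" are literal characters, so "[\d+]" matches the "[144]" token. The sample lines, the helper names and the per-source aggregation are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log in the IIS 5 W3C FTP format shown in the decoder comment
# (one W3C header line plus three request lines; the third is an anonymous attempt).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]USER Administrator - 331 0 0 0 0 FTP - - - -
2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]PASS - - 230 0 0 0 16 FTP - - - -
2006-07-23 17:58:02 192.168.3.64 - MSFTPSVC1 HAIJO2 192.168.1.12 21 [145]USER anonymous - 331 0 0 0 0 FTP - - - -
"""

# Assumed behaviour of the parent decoder "windows-date-format": it matches the
# leading "YYYY-MM-DD HH:MM:SS " prefix; the child's offset="after_parent"
# elements then run on the remainder of the line.
PARENT_DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# The decoder's <prematch> and its two <regex> elements (OSSEC concatenates
# consecutive <regex> elements into one expression), translated to Python syntax.
PREMATCH = re.compile(r"^\S+ \S+ MSFTPSVC")
BODY = re.compile(r"^(\S+) (\S+) \S+ \S+ \S+ \d+ \[\d+\](\S+) \S+ \S+ (\d+) ")
ORDER = ("srcip", "user", "action", "id")   # the decoder's <order>


def decode_msftp(line):
    """Return the fields the msftp decoder would extract from one log line,
    or None when the line would not be decoded (header lines, other services,
    lines that fail the regex)."""
    if line.startswith("#"):          # W3C directive/header lines carry no event
        return None
    m = PARENT_DATE.match(line)
    if not m:                         # parent decoder does not match: child never runs
        return None
    rest = line[m.end():]
    if not PREMATCH.match(rest):      # prematch fails: not an MSFTPSVC record
        return None
    m = BODY.match(rest)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def decode_log(text):
    """Decode every line of a log, dropping the lines that produce no event."""
    return [ev for ev in (decode_msftp(ln) for ln in text.splitlines()) if ev]


def user_commands_by_srcip(events):
    """Count FTP USER commands per source address; a rule built on the decoded
    'action' and 'srcip' fields could use the same grouping to spot repeated
    login attempts from one host."""
    return Counter(ev["srcip"] for ev in events if ev["action"] == "USER")


if __name__ == "__main__":
    for ev in decode_log(SAMPLE_LOG):
        print(ev)
    print(user_commands_by_srcip(decode_log(SAMPLE_LOG)))
```

Running the block prints one dictionary per decoded request line, with the fields named exactly as the decoder's `<order>` lists them, followed by the USER count per client address; the W3C header line is silently skipped, as it would be by the decoder.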