The "web-accesslog-iis-default" decoder in 0380-windows_decoders.xml does not work #173

Closed
maxverro opened this issue Aug 21, 2018 · 5 comments

maxverro commented Aug 21, 2018

Hi,

Our IIS (W3C) log format is the following (it is the default value). We also use IIS 8.5 on Windows Server 2012 R2.

date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

If we align the decoder regex with the fields, it is the username that gets inserted in the srcip.

date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
                         (\S+        \S*)         \.*    (\S+)       \S*\.*                          (\d\d\d)   \S+         \S+              \S+
                         url                             srcip                                       id

Even the sample log lines in the decoder file do not work.

<!-- Windows IIS decoder for default settings
  -  Tested with IIS 7.5 and IIS 8.5 (Windows 2008R2 and Windows 2012R2)
  -  Will extract URL, Source IP, and HTTP response code
  -  Examples:
  -  IIS 7.5
  -  2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624
  -  IIS 8.5
  -  2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0
  -  2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0
  -  2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0
-->

<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ GET |^\S+ POST </prematch>
  <regex offset="after_prematch">(\S+ \S*) \.* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
  <order>url,srcip,id</order>
</decoder>
@maxverro (Author)

Looks like a pending pull request will fix the issue.

Please review and approve PR #154

Thank you.

@maxverro (Author)

The PR #154 seems to be problematic when the "Referer" URL ends with a number.

This log line will trigger a 503 alert. (It should not: the HTTP status is 200.)

2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=503 200 0 0 31

These two variants will not:

2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=yes 200 0 0 31
2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com 200 0 0 31

Please see the logtest output:

2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=503 200 0 0 31
2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=yes 200 0 0 31
2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com 200 0 0 31

**Phase 1: Completed pre-decoding.
       full event: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=503 200 0 0 31'
       timestamp: '(null)'
       hostname: 'dw-waz-01-a'
       program_name: '(null)'
       log: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=503 200 0 0 31'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       URL: '/my/web/site/page.html urlParam=this'
       srcport: '443'
       srcip: '100.100.100.1'
       user_agent: 'Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0'
       id: '503'

**Phase 3: Completed filtering (rules).
       Rule id: '31123'
       Level: '4'
       Description: 'Web server 503 error code (Service unavailable).'
**Alert to be generated.
**Phase 1: Completed pre-decoding.
       full event: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=yes 200 0 0 31'
       timestamp: '(null)'
       hostname: 'dw-waz-01-a'
       program_name: '(null)'
       log: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=yes 200 0 0 31'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       URL: '/my/web/site/page.html urlParam=this'
       srcport: '443'
       srcip: '100.100.100.1'
       user_agent: 'Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'



**Phase 1: Completed pre-decoding.
       full event: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com 200 0 0 31'
       timestamp: '(null)'
       hostname: 'dw-waz-01-a'
       program_name: '(null)'
       log: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com 200 0 0 31'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       URL: '/my/web/site/page.html urlParam=this'
       srcport: '443'
       srcip: '100.100.100.1'
       user_agent: 'Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'

@maxverro (Author)

Simply adding a space before matching the three digits (\d\d\d) works.

@MiguelCasaresRobles could you review this?

<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
  <regex offset="after_parent">^\S+ (\w+) (\S+ \S+) (\S+) \S+ (\S+) (\S+) \.* (\d\d\d) </regex>
  <order>action, url, srcport, srcip, user_agent, id</order>
</decoder>

ossec-logtest output:

2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=503 200 0 0 31
2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=yes 200 0 0 31
2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com 200 0 0 31

**Phase 1: Completed pre-decoding.
       full event: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=503 200 0 0 31'
       timestamp: '(null)'
       hostname: 'dw-waz-01-a'
       program_name: '(null)'
       log: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=503 200 0 0 31'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       url: '/my/web/site/page.html urlParam=this'
       srcport: '443'
       srcip: '100.100.100.1'
       user_agent: 'Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'


**Phase 1: Completed pre-decoding.
       full event: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=yes 200 0 0 31'
       timestamp: '(null)'
       hostname: 'dw-waz-01-a'
       program_name: '(null)'
       log: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com?id=yes 200 0 0 31'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       url: '/my/web/site/page.html urlParam=this'
       srcport: '443'
       srcip: '100.100.100.1'
       user_agent: 'Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'



**Phase 1: Completed pre-decoding.
       full event: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com 200 0 0 31'
       timestamp: '(null)'
       hostname: 'dw-waz-01-a'
       program_name: '(null)'
       log: '2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this 443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0 my.url.referer.com 200 0 0 31'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'GET'
       url: '/my/web/site/page.html urlParam=this'
       srcport: '443'
       srcip: '100.100.100.1'
       user_agent: 'Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)+Gecko/20100101+Firefox/57.0'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'
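
The root of the problem discussed above is that a regex scanning for "three digits after some junk" can be fooled by a Referer (or query string) that ends in digits. Because IIS escapes spaces inside values as "+", the W3C default format is unambiguous when split positionally on spaces, which is how a defender can cross-check what the decoder should produce. The following is an added example (not Wazuh or OSSEC code) that parses the default IIS field list quoted in the issue, honours a "#Fields:" directive, and maps each record onto the field names the proposed decoder emits; the log lines are constructed after the three variants in the issue with placeholder hosts and IPs.

```python
import re

# Default IIS W3C field list, as quoted in the issue.
DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
    "time-taken"
).split()

# Constructed sample log after the issue's three variants (placeholder hosts/IPs).
_PREFIX = ("2018-08-22 11:55:03 10.0.0.1 GET /my/web/site/page.html urlParam=this "
           "443 - 100.100.100.1 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:57.0)"
           "+Gecko/20100101+Firefox/57.0 ")
SAMPLE_LOG = [
    "#Fields: " + " ".join(DEFAULT_FIELDS),
    _PREFIX + "my.url.referer.com?id=503 200 0 0 31",  # referer ends in digits
    _PREFIX + "my.url.referer.com?id=yes 200 0 0 31",
    _PREFIX + "my.url.referer.com 200 0 0 31",
]


def parse_iis_w3c(lines, fields=DEFAULT_FIELDS):
    """Positional parser: IIS writes '+' for spaces inside values, so every
    record has exactly len(fields) space-separated tokens and a split is exact."""
    records = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # layout changed by the admin
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}: {line!r}")
        records.append(dict(zip(fields, tokens)))
    return records


def to_decoder_fields(rec):
    """Map a record onto the names the issue's decoder emits
    (action, url, srcport, srcip, user_agent, id); url is stem + query as the
    decoder's logtest output shows it."""
    if not re.fullmatch(r"\d{3}", rec["sc-status"]):
        raise ValueError(f"sc-status is not a 3-digit code: {rec['sc-status']!r}")
    return {
        "action": rec["cs-method"],
        "url": f"{rec['cs-uri-stem']} {rec['cs-uri-query']}",
        "srcport": rec["s-port"],
        "srcip": rec["c-ip"],
        "user_agent": rec["cs(User-Agent)"],
        "id": rec["sc-status"],
    }
```

Comparing `to_decoder_fields(...)["id"]` with the `id` value in ossec-logtest output for the same line is a quick way to catch the referer-ending-in-digits regression before a decoder change ships.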

@Lopuiz Lopuiz self-assigned this Mar 26, 2019
@Lopuiz (Contributor)

Lopuiz commented Aug 14, 2019

Hi @maxverro

First of all, sorry for the late response.
Thanks for your feedback. We have fixed it, and #154 will be merged in the 3.11 project.

Regards, Eva

@snaow (Contributor)

snaow commented Aug 27, 2019

Hi @maxverro,

Finally merged in the 3.10 branch (#154).

Thanks for the feedback and support.

Regards,
Pedro.

@snaow snaow closed this as completed Aug 27, 2019