Microsoft Log Parser Toolkit

Scanning for Security Breaches

Log files are an important and useful troubleshooting channel to resolve failure or error requests, as well as the monitor usage status of the IIS server. The other key factor in why log files are so important is that they are also a valuable source of information for identifying potential attack behavior and intrusion patterns.

By understanding these attack requests, not only are you able to tell whether the attacks have been successful or not, you also can plan the next course of action against these failed requests. These requests could be anything, including information disclosure, unauthorized access, and more.

Analyzing Illegal Requests

An illegal request is any request that a user should not send to the server under normal circumstances, but would send in the case of an attack. For example, a hacker trying to gain remote access might try exploiting a known vulnerability via IIS. Hence, it is vital to be aware of illegal requests made to the server and ensure the server is running with the latest service packs and hot fixes.

This section analyzes all IIS-related log sources, ranging from W3C extended logs to HTTPERR and URLSCAN log files. For more information, please refer to:

  • Table 2.2 W3C Extended Log Fields

  • Table 2.3 HTTPERR Log Fields

  • Table 2.4 URLSCAN Log Fields

Scanning For Failed Authentication and Unauthorized Access

Failed authentication occurs when a user accessing protected content fails to properly authenticate with the server, while unauthorized access indicates that a user failed...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Cluster Software and Tools
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.