Hi all --

It would appear that exploits of MS03-007 are not going to create entries in the IIS access logs. IIS doesn't log until a client request is finished processing. When the WebDAV vector is used to overflow whatever-it-is in ntdll.dll, the client request never finishes, so no log message is ever created. There's no reason I can think of to expect this to create anything in the Event Log, either.

So looks to me like the only way to see this will be with network-based IDS -- or maybe one of the host IDS systems that captures information on privilege escalation and kernel calls on Windows boxes (and I'm not sure that such a thing even exists yet). Although boy I'd be delighted to find out I was wrong about this...

Thanks to Rainer Gerhards, who's taught me nearly everything I know about IIS workflow and logging.

tbird

--
"I knew it! I knew it! Well, not in the sense of having the slightest idea, but I knew there was something I didn't know." -- Willow, from "Buffy the Vampire Slayer"

http://www.shmoo.com/~tbird
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
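The network-side check the post argues for, as an added example that is not part of the original message: it correlates requests captured on the wire against IIS W3C access-log lines, reports the requests that never produced a log entry (the gap tbird describes), and marks WebDAV methods carrying an abnormally long request URI, the shape of the MS03-007 overflow request. The W3C field order, the sample traffic and log lines, and the length threshold are constructed assumptions, not values from the post.

```python
# Added example (not from the original post): IIS writes an access-log entry
# only when a request completes, so a request that crashes the worker shows up
# on the wire but never in the log. All samples and the threshold are constructed.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 8192  # assumed tuning value; legitimate WebDAV paths are far shorter

def parse_request_line(raw: bytes):
    """(method, uri) from a captured HTTP request, or None if malformed."""
    parts = raw.partition(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")

def parse_w3c_line(line: str):
    """(c-ip, cs-method, cs-uri-stem) from an IIS W3C extended log line.
    Assumes the constructed field order: date time c-ip cs-method cs-uri-stem sc-status."""
    fields = line.split()
    if line.startswith("#") or len(fields) != 6:
        return None
    return fields[2], fields[3], fields[4]

def find_unlogged(wire_requests, log_lines):
    """Wire requests (client_ip, raw) that have no matching access-log entry."""
    logged = {t for t in map(parse_w3c_line, log_lines) if t}
    findings = []
    for client_ip, raw in wire_requests:
        parsed = parse_request_line(raw)
        if parsed is None:
            continue
        method, uri = parsed
        if (client_ip, method, uri.split("?")[0]) in logged:
            continue  # completed normally and was logged
        findings.append({"client": client_ip, "method": method, "uri_len": len(uri),
                         "oversized_webdav": method in WEBDAV_METHODS and len(uri) > MAX_URI_LEN})
    return findings

# Constructed traffic: a normal GET, a normal PROPFIND, and an oversized SEARCH.
WIRE = [
    ("10.0.0.5", b"GET /index.htm?x=1 HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.5", b"PROPFIND /docs/ HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.9", b"SEARCH /" + b"A" * 20000 + b" HTTP/1.1\r\nHost: www\r\n\r\n"),
]
# Constructed IIS log: only the two requests that finished were written.
LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-03-18 10:01:02 10.0.0.5 GET /index.htm 200",
    "2003-03-18 10:01:03 10.0.0.5 PROPFIND /docs/ 207",
]
```

Running `find_unlogged(WIRE, LOG)` reports only the SEARCH from 10.0.0.9, the request that never completed and so never reached the log.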
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 13:34:38 PST