RE: [logs] IIS/WebDAV and logging

From: Rainer Gerhards (rgerhardsat_private)
Date: Thu Mar 20 2003 - 01:13:11 PST


    As written on BugTraq, there are unfortunately some configurations in
    which URLSCAN does *not* block WebDAV by default. Most prominent samples
    are small biz server and servers with Exchange 2000 on them. 
    
    I am not intending to say that URLSCAN is a bad thing - in fact it is an
    excellent (but under-documented) tool. I just wanted to make you aware
    that it sometimes leaves some holes, too ;)
    
    Rainer
    
    > -----Original Message-----
    > From: Kevin W. Gagel [mailto:gagelat_private] 
    > Sent: Wednesday, March 19, 2003 10:53 PM
    > To: Tina Bird; loganalysisat_private; intrusionsat_private
    > Cc: Rainer Gerhards
    > Subject: Re: [logs] IIS/WebDAV and logging
    > 
    > 
    > tbird,
    > Actually if you are using the UrlScan.dll then it will get 
    > stopped and logged in the urlscan.log file. So IDS is not the 
    > only way, and UrlScan is a free utility from M$.
    > 
    > Imagine that! Free! hmm... ;-)
    > 
    > ----- Original Message Follows -----
    > > Hi all --
    > > 
    > > It would appear that exploits of MS03-007 are not going to create 
    > > entries in the IIS access logs.  IIS doesn't log until a client 
    > > request is finished processing.  When the WebDAV vector is used to 
    > > overflow whatever-it-is in ntdll.dll, the client request never 
    > > finishes, so no log message is ever created.
    > > 
    > > There's no reason I can think of to expect this to create 
    > > anything in the Event Log, either.  So looks to me like the 
    > > only way to see this will be with network-based IDS -- or 
    > > maybe one of the host IDS systems that captures information 
    > > on privilege escalation and kernel calls on Windows boxes 
    > > (and I'm not sure that such a thing even exists yet).  
    > > Although boy I'd be delighted to find out I was wrong about 
    > > this...
    > > 
    > > Thanks to Rainer Gerhards, who's taught me nearly
    > > everything I know about IIS workflow and logging.
    > > 
    > > tbird
    > > 
    > > --
    > > "I knew it! I knew it! Well, not in the sense of having
    > > the slightest idea, but I knew there was something I
    > > didn't know."
    > >                                  -- Willow, from "Buffy
    > > the Vampire Slayer"
    > > 
    > > http://www.shmoo.com/~tbird
    > > Log Analysis http://www.loganalysis.org
    > > VPN http://vpn.shmoo.com
    > > 
    > > 
    > > _______________________________________________
    > > LogAnalysis mailing list
    > > LogAnalysisat_private 
    > > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > 
    > ===========================
    > Kevin W. Gagel
    > Network Administrator
    > College of New Caledonia
    > gagelat_private
    > (250) 561-2131 loc 448
    > 
    > --------------------------------
    > The College of New Caledonia    
    > Visit us at http://www.cnc.bc.ca
    > --------------------------------
    > 
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
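
The thread's point is that a filter sitting in front of IIS (URLScan, or a network IDS) sees a request before IIS ever gets to write an access-log line, but only if its policy actually covers WebDAV verbs. The following is an added example, not URLScan's code and not written by anyone in the thread: a small model of URLScan-style verb and URL-length screening, driven by two constructed urlscan.ini fragments. It assumes URLScan's documented behaviour for UseAllowVerbs (1 = only [AllowVerbs] pass, 0 = only [DenyVerbs] are refused) and the [RequestLimits] MaxUrl setting of URLScan 2.5; the ini fragments, the request lines and the 65535-byte path are constructed for the demonstration, not captured traffic.

```python
# Added example (not part of the original thread, not URLScan's own code):
# a minimal model of URLScan-style request screening, to show how a loose
# verb policy lets WebDAV verbs through to IIS, where (per the thread) an
# unfinished request produces no access-log entry at all.

WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}


def parse_urlscan_ini(text):
    """Parse the bare-list style of urlscan.ini into {section: [lines]}.

    List sections such as [AllowVerbs] hold one token per line; [Options]
    and [RequestLimits] hold key=value pairs. ';' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _key_values(lines):
    out = {}
    for line in lines:
        key, _, value = line.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def build_policy(ini_text):
    """Reduce an ini fragment to the few settings this model enforces."""
    s = parse_urlscan_ini(ini_text)
    opts = _key_values(s.get("options", []))
    limits = _key_values(s.get("requestlimits", []))
    return {
        "use_allow_verbs": opts.get("useallowverbs", "1") == "1",
        "allow_verbs": {v.upper() for v in s.get("allowverbs", [])},
        "deny_verbs": {v.upper() for v in s.get("denyverbs", [])},
        "max_url": int(limits["maxurl"]) if "maxurl" in limits else None,
    }


def screen_request(request_line, policy):
    """Return (allowed, reason) for one HTTP request line.

    This decision is made before the request reaches IIS, so a denied
    request is logged here even though IIS would never log it.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, url, _version = parts
    verb = verb.upper()
    if policy["use_allow_verbs"]:
        if verb not in policy["allow_verbs"]:
            return False, f"verb {verb} not in AllowVerbs"
    elif verb in policy["deny_verbs"]:
        return False, f"verb {verb} in DenyVerbs"
    if policy["max_url"] is not None and len(url) > policy["max_url"]:
        return False, f"URL length {len(url)} exceeds MaxUrl={policy['max_url']}"
    return True, "passed"


def webdav_verbs_reaching_iis(request_lines, policy):
    """WebDAV verbs the filter passed through, i.e. traffic only IIS could log."""
    return sorted({line.split(" ")[0].upper() for line in request_lines
                   if screen_request(line, policy)[0]
                   and line.split(" ")[0].upper() in WEBDAV_VERBS})


# Constructed ini fragments (assumed syntax; not Microsoft's shipped defaults).
LOOSE_INI = """
[Options]
UseAllowVerbs=0          ; consult DenyVerbs only
[DenyVerbs]
TRACE
"""

STRICT_INI = """
[Options]
UseAllowVerbs=1          ; only AllowVerbs pass
[AllowVerbs]
GET
HEAD
POST
[RequestLimits]          ; URLScan 2.5 section (assumed present)
MaxUrl=260
"""

# Constructed request lines; the long SEARCH stands in for an over-long
# WebDAV request, not a real MS03-007 exploit string.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.1",
    "PROPFIND /exchange/ HTTP/1.1",
    "SEARCH /" + "A" * 65535 + " HTTP/1.1",
]

if __name__ == "__main__":
    for name, ini in (("loose", LOOSE_INI), ("strict", STRICT_INI)):
        policy = build_policy(ini)
        print(f"--- {name} policy ---")
        for line in SAMPLE_REQUESTS:
            ok, why = screen_request(line, policy)
            print(f"{'ALLOW' if ok else 'DENY ':5} {why:42} {line[:40]}")
        print("WebDAV verbs reaching IIS:",
              webdav_verbs_reaching_iis(SAMPLE_REQUESTS, policy))
```

With the loose policy both WebDAV requests pass the filter, so the only place they could ever be recorded is the IIS access log, which the thread says never gets written for a request that does not complete. With the strict policy both are refused (and in real URLScan would land in urlscan.log) before IIS sees them, which is the property Kevin is relying on and the configuration gap Rainer is warning about.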
    



    This archive was generated by hypermail 2b30 : Thu Mar 20 2003 - 15:18:41 PST