Aidan -

By setting the following in URLScan.INI

-----------------------
RejectResponseUrl=     ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0    ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request
-----------------------

You should end up with logs that look like this:

-----------------------
2002-07-23 07:45:07 12.253.58.101 - W3SVC1 XXXXXXXX 192.168.0.2 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 552 72 0 HTTP/1.0 www - - -
2002-07-23 07:45:07 12.253.58.101 - W3SVC1 XXXXXXXX 192.168.0.2 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 123 552 70 0 HTTP/1.0 www - - -
2002-07-23 07:45:07 12.253.58.101 - W3SVC1 XXXXXXXX 192.168.0.2 80 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 404 123 552 80 0 HTTP/1.0 www - - -
2002-07-23 07:45:07 12.253.58.101 - W3SVC1 XXXXXXXX 192.168.0.2 80 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 404 123 552 80 0 HTTP/1.0 www - - -
2002-07-23 07:45:07 12.253.58.101 - W3SVC1 XXXXXXXX 192.168.0.2 80 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 404 123 552 96 10 HTTP/1.0 www - - -
-----------------------
There's a little script that I use ( http://www.christopherlewis.com/Code/RemoveURLScan.VBS/RemoveURLScan_All.vbs ) to parse the log file and remove any line with /<Rejected-By-UrlScan> before Analog runs. This should remove the 404s from virii, and give you a "more correct" failure report.

Chris

Christopher G. Lewis
Technical Consultant
HTTP://www.ChristopherLewis.com

>
> > Here's how I handle the infected IIS server traffic that would normally
> > cause a 404 to be logged:
> > [snip]
>
> Thanks for the reply.
>
> I installed URLScan on the server and set UseAllowExtensions=1 (which tells
> URLScan to deny all requests which aren't for a specific file extension)
> and then listed file extensions in use on the site (.cfm, .asp, .css, .jpg,
> .gif, etc). That prevents the requests from Nimda, Code Red,
> whatever-it-is infected boxes from even reaching IIS (which is great from
> both a security and "clean-log" point of view).
>
> Trouble is, there's still these pesky lines in the logs which don't appear
> to be for *anything*. It's not a huge problem, but I'd like to get analog
> to help show me where there are problems with the site.
>
> BTW, do you know if the requests are for the default file in the root
> folder by any chance?
>
> > #Software: Microsoft Internet Information Services 5.0
> > #Version: 1.0
> > #Date: 2002-07-29 01:01:03
> > #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
> > 2002-07-29 01:01:04 217.37.111.57 - W3SVC1 ServerName ServerIP 80 - - - 404 2 245 97 0 HTTP/1.0 www - - -
> > 2002-07-29 01:01:04 217.37.111.57 - W3SVC1 ServerName ServerIP 80 - - - 404 2 245 97 0 HTTP/1.0 www - - -
> > 2002-07-29 01:01:04 217.37.111.57 - W3SVC1 ServerName ServerIP 80 - - - 404 2 245 98 0 HTTP/1.0 www - - -
>
> Thanks
>
> --
> Aidan Whitehall <[EMAIL PROTECTED]>
> Macromedia ColdFusion Developer
> Fairbanks Environmental +44 (0)1695 51775

+------------------------------------------------------------------------
| This is the analog-help mailing list. To unsubscribe from this
| mailing list, go to
| http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
| List archives are available at
| http://www.mail-archive.com/[email protected]/
| http://lists.isite.net/listgate/analog-help/archives/
| http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
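The log-cleaning step Chris describes (strip the UrlScan-rejected requests out of the W3C log before Analog reads it), written out in Python as an added example. This is not Chris's RemoveURLScan_All.vbs and makes no claim about how that script works; it assumes UrlScan is logging rejections under its default RejectResponseUrl of /<Rejected-By-UrlScan>, as both the INI comment and the log lines in the thread show. It reads the #Fields directive rather than hard-coding column positions, keeps a tally of what it dropped (by client IP and by the URL UrlScan recorded in cs-uri-query) so the rejected traffic is still reported to the administrator, and counts but keeps the "no URI at all" lines Aidan quotes. The sample log and the script name clean_iis_log.py are constructed for the example.

```python
"""Clean an IIS W3C Extended log before Analog reads it.

Added example for this thread; it is not Chris Lewis's RemoveURLScan_All.vbs
and makes no claim about how that script works.  It reads the #Fields
directive to find the columns, drops every request that UrlScan answered
with its RejectResponseUrl (default /<Rejected-By-UrlScan>), and tallies
what was dropped so the rejected traffic stays visible to the administrator
even though it no longer shows up as 404s in Analog's failure report.
Requests logged with no URI at all (cs-uri-stem of "-"), like the ones Aidan
quotes, are passed through unchanged but counted separately.
"""
import sys
from collections import Counter

# UrlScan's default RejectResponseUrl.  The urlscan.ini comment spells it
# "Rejected-by-UrlScan" and the log lines "Rejected-By-UrlScan", so compare
# case-insensitively.
REJECT_STEM = "/<Rejected-By-UrlScan>".lower()

# Constructed sample log in the thread's format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-07-29 01:01:03
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2002-07-29 01:01:04 10.0.0.5 - W3SVC1 SRV 192.0.2.10 80 GET /index.cfm - 200 0 5120 300 15 HTTP/1.1 www Mozilla/4.0+(compatible) - -
2002-07-29 01:01:05 203.0.113.7 - W3SVC1 SRV 192.0.2.10 80 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 404 123 552 72 0 HTTP/1.0 www - - -
2002-07-29 01:01:05 203.0.113.7 - W3SVC1 SRV 192.0.2.10 80 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 404 123 552 70 0 HTTP/1.0 www - - -
2002-07-29 01:01:06 203.0.113.9 - W3SVC1 SRV 192.0.2.10 80 - - - 404 2 245 97 0 HTTP/1.0 www - - -
2002-07-29 01:01:07 10.0.0.5 - W3SVC1 SRV 192.0.2.10 80 GET /missing.gif - 404 2 1200 250 0 HTTP/1.1 www Mozilla/4.0+(compatible) - /index.cfm
"""


def clean_log(lines):
    """Return (kept_lines, report) for an iterable of raw log lines.

    kept_lines is what Analog should see: every directive line plus every
    request UrlScan did not reject.  report counts the dropped requests by
    client IP and by the URL UrlScan recorded in cs-uri-query, plus how many
    kept requests carried no URI at all.
    """
    fields = None
    kept = []
    report = {"rejected_by_ip": Counter(), "rejected_uris": Counter(), "no_uri": 0}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A new #Fields directive can appear mid-file (after a log
                # rollover), so re-read the column layout each time.
                fields = line[len("#Fields:"):].split()
                ip_idx = fields.index("c-ip")
                stem_idx = fields.index("cs-uri-stem")
                query_idx = fields.index("cs-uri-query")
            kept.append(line)  # directives must reach Analog unchanged
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        # IIS writes one space between fields and encodes spaces inside a
        # field (User-Agent, Referer) as '+', so a plain split is safe.
        cols = line.split(" ")
        if len(cols) != len(fields):
            kept.append(line)  # malformed line: leave it for Analog to judge
            continue
        if cols[stem_idx].lower() == REJECT_STEM:
            report["rejected_by_ip"][cols[ip_idx]] += 1
            report["rejected_uris"][cols[query_idx]] += 1
            continue
        if cols[stem_idx] == "-":
            report["no_uri"] += 1
        kept.append(line)
    return kept, report


def main(argv):
    """Usage: python clean_iis_log.py [logfile] > cleaned.log  (summary on stderr)."""
    if len(argv) > 1:
        with open(argv[1], encoding="latin-1") as fh:  # IIS logs are single-byte text
            kept, report = clean_log(fh)
    else:
        kept, report = clean_log(sys.stdin)
    sys.stdout.write("\n".join(kept) + "\n")
    dropped = sum(report["rejected_by_ip"].values())
    sys.stderr.write(f"dropped {dropped} UrlScan-rejected requests, "
                     f"kept {report['no_uri']} requests with no URI\n")
    for ip, n in report["rejected_by_ip"].most_common(10):
        sys.stderr.write(f"  {n:6} from {ip}\n")
    for uri, n in report["rejected_uris"].most_common(10):
        sys.stderr.write(f"  {n:6} x {uri}\n")


if __name__ == "__main__":
    main(sys.argv)
```

Run it over each day's log before Analog's run and feed Analog the cleaned copy; the stderr summary is worth keeping, because a sudden jump in rejected requests from one address is exactly the kind of thing the "cleaner" failure report would otherwise hide.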
