The agent is Windows 2000 5.00.2195 SP 4. I get the security, application and event logs
from that agent, but not the IIS logs.
File
----
C:\WINNT\system32\LogFiles\W3SVC1\ex060907.log
IIS Log with XSS and SQL Injection logs
-----------------------------------------------
2006-09-07 08:22:39 10.1.X.X - 195.X.X.X 80 GET /dohtaccess.html dir=><script>alert(document.cookie);</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:22:39 10.1.X.X - 195.X.X.X 80 GET /modules.php op=modload&name=Kalender&file=index&type=view&eid=<script>alert(document.cookie)</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=^' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=\' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=/' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:49 10.1.X.X - 195.X.X.X 80 GET /page1.asp xformname=olasistudy1&__instanceid__=' 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:30:37 10.1.X.X - 195.X.X.X 80 TRACE /<script>alert('TRACE');</script> - 200 -
Agent's IIS Config Line
----------------------------
<localfile>
<location>C:\WINNT/System32/LogFiles/W3SVC1/ex%y%m%d.log</location>
<log_format>iis</log_format>
</localfile>
Agent's ossec.log
---------------------------
2006/08/25 14:11:02 ossec-agent: Starting syscheckd thread.
2006/08/25 14:11:02 ossec-agent(1951): Analyzing event log: 'Application'.
2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'Security'.
2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'System'.
2006/08/25 14:11:04 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060825.log'.
2006/08/25 14:11:04 ossec-agent: Started (pid: 2328).
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:05:19 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:09:39 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:13:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:18:19 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:22:39 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:27:00 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:31:20 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:35:40 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:40:00 ossec-agent(1904): Unable to read file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'
2006/08/28 16:51:01 ossec-agent: Starting syscheckd thread.
2006/08/28 16:51:01 ossec-agent: No previous counter available for 'SERVER3'.
2006/08/28 16:51:01 ossec-agent: Assigning counter for agent SERVER3: '0:0'.
2006/08/28 16:51:01 ossec-agent: Assigning sender counter: 4:6987
2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Application'.
2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Security'.
2006/08/28 16:51:05 ossec-agent(1951): Analyzing event log: 'System'.
2006/08/28 16:51:06 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060828.log'.
2006/08/28 16:51:06 ossec-agent: Started (pid: 2276).
2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:04:46 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:09:06 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:13:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:17:46 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:22:06 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:26:27 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:30:47 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:35:07 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:39:27 ossec-agent(1904): Unable to read file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'
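In the ossec.log above, each new day's IIS file fails to open ten times starting at midnight and is then reported as "Unable to read file", after which the agent never mentions it again. The following added example (not from the original post and not OSSEC's own code) parses those agent messages and reports, per monitored file, how many opens failed and how long the agent kept retrying; SAMPLE_LOG is a constructed copy of the 2006-08-26 entries with each wrapped message re-joined onto one line.

```python
import re
from datetime import datetime

# Constructed sample: the 2006-08-26 ossec.log entries quoted in the post, with
# each mail-wrapped message re-joined onto one line as the agent writes it.
SAMPLE_LOG = """\
2006/08/25 14:11:04 ossec-agent(1950): Analyzing file: 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060825.log'.
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:05:19 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:09:39 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:13:59 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:18:19 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:22:39 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:27:00 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:31:20 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:35:40 ossec-agent(1103): Unable to open file 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:40:00 ossec-agent(1904): Unable to read file: 'C:\\WINNT/System32/LogFiles/W3SVC1/ex060826.log'
"""

# One agent message: timestamp, optional numeric message id, text, quoted path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent(?:\((?P<id>\d+)\))?: "
    r".*?'(?P<path>[^']+)'\.?$"
)

def summarise(log_text):
    """Map each monitored path to its failed-open count and give-up time."""
    files = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # start-up chatter that names no file
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        f = files.setdefault(m["path"], {"open_failures": 0, "first_failure": None, "gave_up": None})
        if m["id"] == "1103":          # Unable to open file: one retry failed
            f["open_failures"] += 1
            f["first_failure"] = f["first_failure"] or ts
        elif m["id"] == "1904":        # Unable to read file: agent stops retrying
            f["gave_up"] = ts
    return files

def minutes_before_giving_up(entry):
    """Minutes from the first failed open to the give-up message, or None."""
    if entry["first_failure"] is None or entry["gave_up"] is None:
        return None
    return int((entry["gave_up"] - entry["first_failure"]).total_seconds() // 60)
```

Calling summarise(SAMPLE_LOG) shows ex060826.log with 10 failed opens and the agent giving up 39 minutes after the first one, while ex060825.log, which existed when the agent started, has no failures.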