Thread: UrlScan 3.0 Beta Feedback and Suggestions

Last post 08-21-2008 11:44 AM by wadeh. 18 replies.

  • 06-27-2008, 9:12 PM

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 6:17 PM
    • Posts 98

    UrlScan 3.0 Beta Feedback and Suggestions

    Hello and a big thanks to those of you out there trying the UrlScan 3.0 beta.

    I've created this sticky thread for general feedback and suggestions to the product team.  If you have something you want the product team to hear or suggestions for changes to UrlScan for the final release of 3.0, please feel free to mention it here.

    If you have a specific problem or bug report, please create a new thread specific to the issue.

    As always, we cannot make promises that we can implement a specific feature suggestion in a particular release (or at all), but we will consider all of them.

    Thanks,

    -Wade

  • 07-01-2008, 1:27 PM In reply to

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    We need an "enforce=log" and "enforce=block" option. "Log" would let the request thru but would log that it would be blocked in "block mode". That would let us implement urlscan on a production site without impacting its functionality and give us time to tweak settings so that legitimate requests are not blocked.

  • 07-01-2008, 5:36 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 6:17 PM
    • Posts 98

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    It turns out that UrlScan has had this functionality since version 1.

    If you want to put UrlScan in Logging Only Mode, you can set RejectResponseUrl to a magic value of '/~*', like this:

    RejectResponseUrl=/~*

    When I get a chance, I will write another blog entry that discusses some of the hidden features in UrlScan.  This won't be for the next week or two though.

    Thanks,
    -Wade

  • 07-02-2008, 8:39 AM In reply to

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    The logging only mode option should not be a hidden feature, it should be well documented. Many of us support multiple web sites and servers that have passed thru the hands of any number of sysadmins and content developers. We don't know the specifics of every legitimate HTTP request, and not everything gets hit on a test server. So we take a best guess at urlscan settings and hope it doesn't make our customers too mad until we realize that it's broke and can fix it.

    Is RejectResponseUrl dynamic or do I have to IISReset to enable it?

  • 07-02-2008, 9:16 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: UrlScan 3.0 Beta Feedback and Suggestions


    I agree it should not be hidden. Just comment out a line in the notes explaining this feature. Just a blog post is no good. We already have 5-10 blog posts on URLScan 3.0, some contradicting each other now as new information comes to light. That, I find, is a problem with blogs and too much info: there is so much now that unless you read the blogs daily you will never know enough about a subject. Regarding feedback, I already have suggestions/comments in various blogs and forum posts around here; I will try and convert them all to this thread.

    I started to install URL last night with the news we could have a logging only mode.

    Test environments are great but in the real world this needs to be tested on live to tweak stuff.

    I think the RejectResponse is dynamic; I don't remember restarting IIS.

    Suggestions.

    a) Options for an AND clause.

    Currently rules simply have an OR clause
    e.g.
     
    <
    (or)
    >

    Will be rejected.

    In this case AFAIK you will need both <> in the URI query / cookie to implement a script.

    If your legit site has a need for a certain symbol or keyword but a combination of groups of keywords together is not allowed then that would help a lot.

    b) A URLScan addin/tool that takes URLs and tests them through URLscan and reports the results. You can take a list of URLs from the previous IIS Logs or simply a CSV of URLs. This could be performed offline, say on a staging/test box.

    This is to cover legit URLs that your sites already have in production. You can identify many problem areas based off real world URLs for your sites and have a huge test bed.

    You can then tweak your rules easily for the legit requests (change rules or change code so that these situations do not occur) and deploy with confidence.

    This will give you a better understanding of the cases that could come up.

    c) more detailed SQL injection scripts.

    I am sure we could get better rules that break fewer legit sites and still capture hack attempts (even capture more and further attempts).

    I hope to engage Nazim more and here are the start of some suggestions:

    http://blogs.iis.net/nazim/archive/2008/06/30/using-the-new-rules-configuration-in-urlscan-v3-0-beta-part-2.aspx

    Hope this helps.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 07-02-2008, 10:10 AM In reply to

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    It is not dynamic. IIS must be restarted. Look for this in the log.

    [07-02-2008 - 10:05:09] ----- UrlScan v3.0 Beta Config Initialization ----
    [07-02-2008 - 10:05:09] ************************************************
    [07-02-2008 - 10:05:09] *** UrlScan is in Logging-Only Mode.  Request **
    [07-02-2008 - 10:05:09] *** analysis will be logged, but no requests  **
    [07-02-2008 - 10:05:09] *** will be rejected.                         **
    [07-02-2008 - 10:05:09] ************************************************
     

     

  • 07-02-2008, 10:20 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    OK cool. I must have it wrong. I thought (and only played with it for a little late last night) that all changes seemed dynamic when I changed and saved the ini file. I know the rules did.

    But if it does, does IIS have to be restarted or could you just disable/uninstall the URLScan ISAPI filter and then re-enable it? I would have thought that that would then get the new settings.

    I don't know the answer to this, but if you could, it could save you restarting IIS on a production box.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 07-03-2008, 4:08 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: UrlScan 3.0 Beta Feedback and Suggestions

     Ok some more suggestions to keep them all in one place

    a) Better logging information

     Let's take this example:

    [07-03-2008 - 09:03:36] Client at 195.10.45.219: Rule ' SQL Injection Headers' detected string 'select' in the Cookie: header. UrlScan is in Logging-Only mode - request allowed.  Site Instance='153179633', Raw URL='/Main/frmMessagesX.aspx'

     i) For rules where a cookie is prohibited, can we show what the cookie is? I know not all people recorded the cookies in IIS logs as they are so big.

     ii) Friendly site names

    One of my servers has hundreds of sites and although I can look up Site Instance='153179633' it would be so much easier for me if it said what this website's real world name was. Admins need to quickly be able to tell what the real world information is. 153179633 is not very useful. Knowing it was mywebsite.co.uk makes it quicker to identify friendly names.

    Most overused word in IT is 'should' as in 'That should work!?!'
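
One way to triage Logging-Only entries like the line quoted in the post above before switching to blocking, as an added example that is not part of the thread or of UrlScan. The regular expression is derived from that single quoted line, the sample lines are constructed, and `SITE_NAMES` is a hypothetical admin-maintained map from site instance ID to a friendly name.

```python
import re
from collections import Counter

# Derived from the one log line quoted in the thread; other UrlScan
# message variants are not covered and are counted as unparsed.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<client>\S+): "
    r"Rule '(?P<rule>[^']*)' detected string '(?P<string>[^']*)' in the "
    r"(?P<where>.+?)\. UrlScan is in Logging-Only mode - request allowed\.\s+"
    r"Site Instance='(?P<site>[^']*)', Raw URL='(?P<url>[^']*)'"
)

# Constructed sample lines in that format (documentation IP addresses).
SAMPLE_LOG = """\
[07-03-2008 - 09:00:00] *** UrlScan is in Logging-Only Mode.  Request **
[07-03-2008 - 09:03:36] Client at 192.0.2.10: Rule ' SQL Injection Headers' detected string 'select' in the Cookie: header. UrlScan is in Logging-Only mode - request allowed.  Site Instance='153179633', Raw URL='/Main/frmMessagesX.aspx'
[07-03-2008 - 09:04:10] Client at 192.0.2.11: Rule ' SQL Injection Headers' detected string 'select' in the Cookie: header. UrlScan is in Logging-Only mode - request allowed.  Site Instance='153179633', Raw URL='/Main/frmMessagesX.aspx'
[07-03-2008 - 09:05:02] Client at 192.0.2.12: Rule ' SQL Injection Headers' detected string 'update' in the Cookie: header. UrlScan is in Logging-Only mode - request allowed.  Site Instance='1', Raw URL='/default.aspx'
"""

# Hypothetical mapping kept by the admin: site instance ID -> friendly name.
SITE_NAMES = {"153179633": "mywebsite.co.uk"}

def parse_entry(line):
    """Return the fields of one 'request allowed' entry, or None if no match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["rule"] = entry["rule"].strip()  # quoted line has a leading space
    entry["site_name"] = SITE_NAMES.get(entry["site"], entry["site"])
    return entry

def would_block_summary(lines):
    """Count would-be rejections per (site, rule, string, location, URL)."""
    hits, unparsed = Counter(), 0
    for line in filter(str.strip, lines):
        entry = parse_entry(line)
        if entry is None:
            unparsed += 1
            continue
        key = tuple(entry[k] for k in ("site_name", "rule", "string", "where", "url"))
        hits[key] += 1
    return hits.most_common(), unparsed

if __name__ == "__main__":
    rows, unparsed = would_block_summary(SAMPLE_LOG.splitlines())
    for key, count in rows:
        print(count, *key, sep=" | ")
    print("unparsed lines:", unparsed)
```

The most frequent rows are the rule and string combinations to review against legitimate traffic first; the unparsed count shows how much of the log the pattern did not cover.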
  • 07-10-2008, 11:12 AM In reply to

    Re: UrlScan 3.0 Beta Feedback and Suggestions

     Hi! I have 2 questions:
    1- I have a PHP application that has been blocked by URL Scan. My rule was set to .asp and .aspx, but URL Scan is still applying the rule for my PHP application (it's a < that goes in the URL, so the log file reports the %%3C). I would like to know how do I configure URL Scan to ignore the .php extension
    p.s.: The url string is like www.mywebsite.com/index.php?db=DATABASE%table=TABLE and then there is a %%3E
    2 - How do I configure URLScan to ignore a word like alterar in Portuguese, because URLScan "thinks" that's an ALTER sql query.

    Pablo Weyne
  • 07-10-2008, 11:23 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: UrlScan 3.0 Beta Feedback and Suggestions

     Start a new thread and I will help you answer these. This is not the right place for questions.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 07-11-2008, 12:02 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    I am not sure how you can do this but this is what I am after:

    Multiple words rejection in rules

    It is known that it will take multiple keywords to co-ordinate an attack.

    Just and only having SELECT in a query string is unlikely to do too much if no other keys are present. (Edit: thinking about it SELECT might be an example just SELECT might do some harm)

    Now I want to reject a request if x keyterms are found.

    Now by default I want this as 1 but I would like the option words in a given list to be rejected.

    I might then have multiple rules. Say one specifically for CAST with count =1

    And other more general ones can have count =2

    This might stop 'false positives' with only 1 term appearing randomly. Obviously careful consideration is needed.

    I hope you understand from that poor description.......I know this feature will be a long shot.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 07-12-2008, 12:58 PM In reply to

    • andrius
    • Not Ranked
    • Joined on 07-12-2008, 4:57 PM
    • Posts 1

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    Is it possible to filter POST requests?

  • 07-14-2008, 6:14 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 6:17 PM
    • Posts 98

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    andrius:

    Is it possible to filter POST requests?

    No, the ISAPI filter APIs do not provide robust access to request entity.  UrlScan cannot - and won't ever - filter POST requests.

    Thanks,
    -Wade

  • 07-28-2008, 8:40 AM In reply to

    • Goliathx
    • Not Ranked
    • Joined on 07-28-2008, 12:36 PM
    • Posts 3

    Re: UrlScan 3.0 Beta Feedback and Suggestions

    When installing UrlScan 3.0 Beta on a Windows 2008 server with IIS 7.0 I get the following error:

    "iis metabase is required to install Urlscan filter v3.0 beta"

    Anybody any suggestions?

    Maarten

  • 07-28-2008, 10:40 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: UrlScan 3.0 Beta Feedback and Suggestions

     Post in a separate thread - not this one and someone will probably be able to help you.

    Most overused word in IT is 'should' as in 'That should work!?!'