Yes, both IIS and the entire machine have been restarted since the install.
Here is my .ini file:
[options]
UseAllowVerbs=1 ; If 1, use [AllowVerbs] section, else use the
; [DenyVerbs] section. The default is 1.
UseAllowExtensions=0 ; If 1, use [AllowExtensions] section, else
; use the [DenyExtensions] section. The
; default is 0.
NormalizeUrlBeforeScan=1 ; If 1, canonicalize URL before processing.
; The default is 1. Note that setting this
; to 0 will make checks based on extensions,
; and the URL unreliable and is therefore not
; recommended other than for testing.
VerifyNormalization=1 ; If 1, canonicalize URL twice and reject
; request if a change occurs. The default
; is 1.
AllowHighBitCharacters=0 ; If 1, allow high bit (ie. UTF8 or MBCS)
; characters in URL. The default is 0.
AllowDotInPath=0 ; If 1, allow dots that are not file
; extensions. The default is 0. Note that
; setting this property to 1 will make checks
; based on extensions unreliable and is
; therefore not recommended other than for
; testing.
RemoveServerHeader=0 ; If 1, remove the 'Server' header from
; response. The default is 0.
EnableLogging=1 ; If 1, log UrlScan activity. The
; default is 1. Changes to this property
; will not take effect until UrlScan is
; restarted.
PerProcessLogging=0 ; This property is deprecated for UrlScan
; 3.0. UrlScan 3.0 can safely log output
; from multiple processes to the same log
; file. Changes to this property will not
; take effect until UrlScan is restarted.
AllowLateScanning=0 ; If 1, then UrlScan will load as a low
; priority filter. The default is 0. Note
; that this setting should only be used in
; the case where another installed
; filter is modifying the URL and you wish
; to have UrlScan apply its rules to the
; rewritten URL. Changes to this property
; will not take effect until UrlScan is
; restarted.
PerDayLogging=1 ; If 1, UrlScan will produce a new log each
; day with activity in the form
; 'UrlScan.010101.log'. If 0, UrlScan will
; log activity to urlscan.log. The default
; is 1. Changes to this setting will not
; take effect until UrlScan is restarted.
UseFastPathReject=0 ; If 1, then UrlScan will not use the
; RejectResponseUrl or allow IIS to log the
; request. UrlScan will continue to write its
; own log as normal. The default is 0.
LogLongUrls=0 ; This property is deprecated for UrlScan 3.0.
; UrlScan 3.0 will always include the complete
; URL in its log file.
UnescapeQueryString=1 ; If 1, UrlScan will perform two passes on
; each query string scan, once with the raw
; query string and once after unescaping it.
; If 0, UrlScan will only look at the raw
; query string as sent by the client. The
; default is 1. Note that if this property is
; set to 0, then checks based on the query
; string will be unreliable.
;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/Rejected-by-UrlScan' will be used.
; Changes to this setting will not take effect until UrlScan
; is restarted.
;
; Note that setting "RejectResponseUrl=/~*" will put UrlScan into Logging
; Only Mode. In this mode, UrlScan will process all requests per the
; config settings, but it will only log the results and not actually
; reject the requests. This mode is useful for testing UrlScan settings
; on a production server without actually interrupting requests.
;
RejectResponseUrl=
;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (ie. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
; Changes to this setting will not take effect until UrlScan is
; restarted.
;
LoggingDirectory=Logs
;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;
AlternateServerName=
;
; UrlScan supports custom rules that can be applied in addition to the other
; checks and options specified in this configuration file. Rules should be
; listed in a comma separated string in the RuleList property. Each rule in
; the list corresponds to two sections in this configuration file, one
; containing the options for the rule, and one containing deny strings for
; the rule.
;
; Here is an example:
;
; [Options]
; RuleList=Rule1
;
; [Rule1]
; AppliesTo=.exe,.dll ; A comma separated list of file extensions to
; ; which the rule applies. If not specified,
; ; the rule will be applied to all requests.
;
; DenyDataSection=Rule1 Data ; The name of the section containing the
; ; rule's deny strings
;
; ScanURL=0 ; If 1, the URL will be scanned for deny
; ; strings. The default is 0.
;
; ScanAllRaw=0 ; If 1, then the raw request header data will
; ; be scanned for deny strings. The default
; ; is 0.
;
; ScanQueryString=0 ; If 1, the query string will be scanned
; ; for deny strings. The default is 0. Note
; ; that if UnescapeQueryString=1 is set in the
; ; [Options] section, then two scans will be
; ; made of the query string, one with the raw
; ; query string and one with the query string
; ; unescaped.
;
; ScanHeaders= ; A comma separated list of request headers to
; ; be scanned for deny strings. The default is
; ; no headers.
;
; [Rule1 data]
; string1
; string2
;
RuleList=SQL Injection
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; Any headers not listed in this section will not be checked for
; length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
; string. The default is 2048.
;
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
Transfer-Encoding:
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.htm
.html
.txt
.jpg
.jpeg
.gif
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings. If you wish to enable ASP, remove the
; following extensions from this list:
; .asp
; .cer
; .cdx
; .asa
;
; Deny executables that could run on the server
.exe
.bat
.cmd
.com
; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
.config ; Configuration files
[AlwaysAllowedUrls]
;
; URLs listed here will always be explicitly allowed by UrlScan
; and will bypass all URL based checks. URLs must be listed
; with a leading '/' character. For example:
;
; /SampleURL.htm
;
[DenyUrlSequences]
;
; If any character sequences listed here appear in the URL for
; any request, that request will be rejected.
;
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
[AlwaysAllowedQueryStrings]
;
; Query strings listed here will always be explicitly allowed by
; UrlScan and will bypass all query string based checks.
;
[DenyQueryStringSequences]
;
; If any character sequences listed here appear in the query
; string for any request, that request will be rejected.
;
< ; Commonly used by script injection attacks
> ; Commonly used by script injection attacks
[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=
[SQL Injection Strings]
--
%3b ; a semi-colon
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update
And here is a portion of my logs:
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:07:32
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:14:54
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
2008-09-04 14:16:15 127.0.0.1 1 GET /testexec.asp Rejected rule+'SQL+Injection'+triggered URL - exec
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:16:55
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:17:49
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
2008-09-04 14:18:00 127.0.0.1 1 GET /testexec.asp Rejected rule+'SQL+Injection'+triggered URL - exec
2008-09-04 14:18:05 127.0.0.1 1 GET /testdeclare.asp Rejected rule+'SQL+Injection'+triggered URL - declare
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:19:01
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:23:17
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
The blocked requests recorded in the logs were when I had the .ini set to use ScanUrl=1 in the SQL Injection section. But when I changed the .ini to use ScanQueryString=1, requests like http://localhost/test.asp?id=exec were not blocked or logged. Thanks for your help.
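
An added example, not part of the original post: a small Python parser for the UrlScan log format shown above. It tallies rejections by x-context and x-control, and lists header blocks that contain no entries at all. It assumes each '#Software' header block marks a new logging session; the function names are illustrative.

```python
from collections import Counter

# Excerpt of the log posted above (two of its header blocks).
SAMPLE_LOG = """\
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:17:49
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
2008-09-04 14:18:00 127.0.0.1 1 GET /testexec.asp Rejected rule+'SQL+Injection'+triggered URL - exec
2008-09-04 14:18:05 127.0.0.1 1 GET /testdeclare.asp Rejected rule+'SQL+Injection'+triggered URL - declare
#Software: Microsoft UrlScan 3.0
#Version: 1.0
#Date: 2008-09-04 14:23:17
#Fields: Date Time c-ip s-siteid cs-method cs-uri x-action x-reason x-context cs-data x-control
"""

def parse_urlscan_log(text):
    """Split a UrlScan log into sessions, one per '#Software' header block (assumption)."""
    sessions, fields = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Software:"):
            sessions.append({"started": None, "entries": []})
        elif line.startswith("#Date:") and sessions:
            sessions[-1]["started"] = line.split(":", 1)[1].strip()
        elif line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and sessions:
            values = line.split()
            if len(values) == len(fields):  # skip lines that would misalign columns
                entry = dict(zip(fields, values))
                entry["x-reason"] = entry["x-reason"].replace("+", " ")
                sessions[-1]["entries"].append(entry)
    return sessions

def rejections_by_context(sessions):
    """Count rejected requests per (x-context, x-control) pair."""
    return Counter((e["x-context"], e["x-control"])
                   for s in sessions for e in s["entries"]
                   if e["x-action"] == "Rejected")

def silent_sessions(sessions):
    """Start times of sessions in which nothing was logged."""
    return [s["started"] for s in sessions if not s["entries"]]

if __name__ == "__main__":
    parsed = parse_urlscan_log(SAMPLE_LOG)
    print(rejections_by_context(parsed))
    print("sessions with no entries:", silent_sessions(parsed))
```

On the excerpt, every rejection carries x-context URL, and the 14:23:17 session has no entries.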