IIS Feature Feedback
Please add a logfile feature to RequestFilteringModule
Last post Jun 29, 2010 01:03 PM by user123456
Jun 24, 2010 10:47 AM|user123456
After deciding to use RequestFilteringModule instead of UrlScan, and tweaking the security in the different 'deny sections', I noticed by accident that a URLExecution to a relative URL path in the CustomErrorModule triggered a 404.18 HTTP status: "Query String Sequence Denied", caused by the RequestFilteringModule. I couldn't see the query string in the standard W3SVC protocol log, only a 404 status and an 18 substatus (maybe for security reasons). So I had to check by trial and error which string sequence was triggering the RequestFiltering. It turned out that it was a simple semicolon ";". It seems that URLExecution to a relative URL path in the CustomErrorModule adds a ";" as a query string, and it gets blocked by RequestFilteringModule. I've spent some time looking for that.
I think it's really necessary to add a logging feature in the RequestFilteringModule, just like in UrlScan.
Thx a lot!
Jun 26, 2010 11:30 AM|steve schofield
Not sure this is possible, can the Advanced Logging Module perform this action?
Windows Server MVP - IIS
Jun 27, 2010 05:41 AM|Rovastar
Do you have anything configured in the denyQueryStringSequences?
I am not sure, but I don't think URLScan actually told you in its logs which query string it rejected. There were some things missing from the logging features in URLScan, I think; this might have been one of them.
However I agree that more logging would be great for modules like this.
I am not sure Advanced Logging will pick this up. With the ISAPI URLScan filter it was processed before the IIS logs; I am not sure if this module will do the same and how Advanced Logging fits in with this.
Jun 27, 2010 11:01 PM|steve schofield
This was the only thing I could think of that might have logging capabilities.
Jun 29, 2010 01:03 PM|user123456
As far as I can see, setting up Advanced Logging would be far too complicated, because I would have to synchronize Advanced Logging with RequestFiltering. I've tried the TracingModule only, and it shows only information about module responses, like:
NOTIFY_MODULE_START ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotification="false", fIsCompletion="false" 16:05:44.588
Warning ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", HttpStatus="404", HttpReason="Not Found", HttpSubStatus="18", ErrorCode="The Operation completed successfully.(0x0)", ConfigExceptionInfo="" 16:05:44.588
NOTIFY_MODULE_END ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_FINISH_REQUEST" 16:05:44.588
It is possible to get the complete URL from the event name "GENERAL_REQUEST_START" in the trace, but it would be nice to have logging capabilities like UrlScan does. UrlScan logs detailed information about a triggering sequence:
[01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected. Site Instance='1', Raw URL='/phpMyAdmin-2.2.3/main.php'
[01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected. Site Instance='1', Raw URL='/phpMyAdmin-2.2.6/main.php'
[01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected. Site Instance='1', Raw URL='/phpMyAdmin-2.5.1/main.php'
In my opinion the ability to log sequences that trigger the filter is very important for detecting inappropriately placed URL and query sequences of the filter. If RequestFiltering was made to replace UrlScan, please consider a logging feature somewhere (e.g. the TracingModule could be a nice place).
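
The correlation described in the last post, as an added example that is not part of the original thread: it pairs each 404.18 warning from RequestFilteringModule with the URL from the preceding GENERAL_REQUEST_START event and names the deny sequence found in the query string. Assumptions: the trace is in the flattened one-event-per-line layout quoted above, the GENERAL_REQUEST_START line and the URL in it are constructed, the deny list is hypothetical, and matching is a plain case-insensitive substring check rather than the module's own logic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample trace; the GENERAL_REQUEST_START lines are assumed, not from the thread.
SAMPLE_TRACE = '''\
GENERAL_REQUEST_START SiteId="1", RequestURL="http://localhost:80/errors/notfound.aspx?404;/missing.htm", RequestVerb="GET" 16:05:44.588
NOTIFY_MODULE_START ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotification="false", fIsCompletion="false" 16:05:44.588
Warning ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", HttpStatus="404", HttpReason="Not Found", HttpSubStatus="18", ErrorCode="The Operation completed successfully.(0x0)", ConfigExceptionInfo="" 16:05:44.588
NOTIFY_MODULE_END ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_FINISH_REQUEST" 16:05:44.588
GENERAL_REQUEST_START SiteId="1", RequestURL="http://localhost:80/default.aspx?id=7", RequestVerb="GET" 16:05:45.102
'''

# Hypothetical denyQueryStringSequences entries for this example.
DENY_SEQUENCES = [";", "..", "--"]

ATTR = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Split one trace line into (event name, attribute dict)."""
    name = line.split(None, 1)[0]
    return name, dict(ATTR.findall(line))


def explain_denials(trace_text, deny_sequences):
    """Return one finding per 404.18 raised by RequestFilteringModule."""
    findings, current_url = [], None
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        name, attrs = parse_event(line)
        if name == "GENERAL_REQUEST_START":
            current_url = attrs.get("RequestURL")  # remember the request in flight
        elif (name == "Warning"
              and attrs.get("ModuleName") == "RequestFilteringModule"
              and attrs.get("HttpStatus") == "404"
              and attrs.get("HttpSubStatus") == "18"):
            query = urlsplit(current_url or "").query
            hits = [s for s in deny_sequences if s.lower() in query.lower()]
            findings.append({"url": current_url, "query": query, "matched": hits})
    return findings


if __name__ == "__main__":
    for f in explain_denials(SAMPLE_TRACE, DENY_SEQUENCES):
        print(f"404.18 for {f['url']} query={f['query']!r} matched={f['matched']}")
```
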