Please add a logfile feature to RequestFilteringModuleRSS

4 replies

Last post Jun 29, 2010 01:03 PM by user123456

  • Please add a logfile feature to RequestFilteringModule

    Jun 24, 2010 10:47 AM|user123456|LINK

     Hello,

    after deciding to use RequestFilteringModule instead of UrlScan, and tweaking the security in the different 'deny sections', I've noticed by accident that an URLExecution to an relative URL-Path in the CustomErrorModule triggered an 404.18 HTTP-Status: "Query String Sequence Denied" caused by the RequestFilteringModule. Couldn't see query string in the standard W3SVC-Protocol, only a 404-status and 18-substatus (maybe for security reasons). So I had to check by try&error which string sequence was triggering the RequestFiltering. It came out that it was a simple semicolon ";". Seems that URLExecution to an relative URL-Path in the CustomErrorModule is adding a ";" as a query string, and it gets blocked by RequestFilteringModule. I've spent some time looking for that. I think it's really necessary to add a logging feature in the RequestFilteringModule, just like in UrlScan.

     Thx a lot!

    logging requestFiltering

  • Re: Please add a logfile feature to RequestFilteringModule

    Jun 26, 2010 11:30 AM|steve schofield|LINK

    Not sure this is possible, can the Advanced Logging Module perform this action?

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Rovastar Rovastar

    5482 Posts

    MVP

    Moderator

    Re: Please add a logfile feature to RequestFilteringModule

    Jun 27, 2010 05:41 AM|Rovastar|LINK

    Do you have anything configured in the denyQueryStringSequences ?

    http://learn.iis.net/page.aspx/504/using-enhanced-request-filtering-features-in-iis7/

    I am not sure but I don't think URLScan actually told you in its logs what the query string it rejected. There were some things missing from the logging features in URLscan, I think, this might have been one of them.

    However I agree that more logging would be great for modules like this. 

    Steve,

    I am not sure Advancing logging will pick this up. With the ISAPI URLScan filter it was processed before the IIS logs I am not sure if this module will do the same and how advanced logginng fits in with this.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Please add a logfile feature to RequestFilteringModule

    Jun 27, 2010 11:01 PM|steve schofield|LINK

    This was the only thing I could think of that might have logging capabilities.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Please add a logfile feature to RequestFilteringModule

    Jun 29, 2010 01:03 PM|user123456|LINK

    As far as I can see, setting up the Advanced Logging would be far too complicated, because I would have to syncronize Advanced logging with requestfiltering. I've tried TracingModule only and it shows only information about module responses, like:

    =======================================================================================
    NOTIFY_MODULE_START ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotification="false", fIsCompletion="false" 16:05:44.588
    =======================================================================================
    MODULE_SET_RESPONSE_ERROR_STATUS
    Warning ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", HttpStatus="404", HttpReason="Not Found", HttpSubStatus="18", ErrorCode="The Operation completed successfully.(0x0)", ConfigExceptionInfo="" 16:05:44.588
    ======================================================================================
    NOTIFY_MODULE_END ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_FINISH_REQUEST" 16:05:44.588
    ======================================================================================

    It is possible to get the complete URL from Event Name "GENERAL_REQUEST_START" in the trace, but it would be nice to have logging capabilites like Urlscan does. UrlScan logs detailed information of a triggering sequence:

    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.2.3/main.php'
    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.2.6/main.php'
    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.5.1/main.php'

    In my opinion the ability to log sequences that triggers the filter is very important for detecting inappropriate placed url- and query sequences of the filter. If requestfiltering was made to replace UrlScan, please consider logging feature somewhere (e.g. in the TracingModule could be a nice place) .

     Thanks!