IIS Server Security - urlscan question

Home > Archive > IIS Server Security > January 2006 > urlscan question






Dave

2005-12-28, 6:10 pm

Running W2K3 with the latest URLScan update. This is a new server and a new
experience for me also. Got 3 sites running with host headers; one site
includes a web service that is only lightly used right now, mostly by me and
a couple of friends just for testing. The question is, I am seeing lots of
what look like URLScan log entries about it starting and stopping. I had
enabled per-process log files and daily log files; I have just changed that
to remove those two options... Does it perhaps log the start and end of the
filter each time the web service app pool recycles? Or is there some other
problem I should be looking for?


Bernard Cheah [MVP]

2005-12-29, 7:50 am

Well, I'm guessing you will get one file, urlscan.log, when you set

PerProcessLogging=0
PerDayLogging=0

And each time the filter gets loaded (IIS services or application pool
recycle), you will see the URLScan initializing heading, so the start and end
time is there, but I doubt you will be able to know which app pool recycled.
And for rejected entries, you will still be able to identify them by the site
instance detail.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/





David Wang [Msft]

2005-12-29, 6:04 pm

If you are using IIS6 Worker Process Isolation Mode (default), you *must*
have PerProcessLogging=1, or else URLScan simply fails to log for all but one
Application Pool, period.

PerDayLogging can be any value you wish.

I suspect that you are seeing those URLScan logs because of the following:
1. By default, w3wp will idle-timeout.
2. Every time a process demand-starts, ISAPI filters are loaded and
URLScan writes its startup log entry.
3. Suppose you get a random request (from worms, for example) to your
website every 25 minutes. Each request will trigger #2, and after the idle
timeout, the next request triggers #2 again...

So you get lots of apparent "starts and stops", but it's pretty normal.

Anyway, it's a log file. You can't stop this stuff from being put in;
you can only filter it out at analysis time. Besides, as soon as your server
has a public IP, everyone knows about it -- even if you've only told your
friends about it -- so expect to see traffic from anyone in the world.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//




Dave

2005-12-29, 6:04 pm

OK, I changed it back to PerProcessLogging. I know that you can't hide
servers; I just haven't advertised this service to a group that would make
regular use of it, so it's mostly random hits and my testing right now.
I was just wondering if URLScan should be showing inits and terminations
that often or if it was stopping for some other reason... Sounds like it's
normal, so I won't worry about it. I did send it a few bad requests and they
were stopped, so it seems to be working properly.




David Wang [Msft]

2005-12-30, 3:00 am

When you see URLScan init/shutdown log entries, you should also see
corresponding #-commented entries in the IIS web log files -- this would
corroborate my idle-timeout/restart theory...

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

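The two points David makes in his replies (the "starts and stops" are the filter being reloaded each time w3wp demand-starts after an idle timeout, and the IIS W3C log's #-commented header blocks corroborate that) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread, from Microsoft or from the URLScan package. It parses per-process URLScan log files, pairs every "Initializing UrlScan.dll" entry with a #Date: header written by IIS when a worker process reopens its W3C log, and groups rejected requests by Site Instance, the number that also names the W3SVC<n> log folder, which is what lets a rejection be matched to the right site's log. Assumptions: the urlscan.<pid>.log file naming under PerProcessLogging=1, and the exact wording of the log lines, which are constructed samples approximating URLScan 2.5 and IIS 6 output; the regexes key on the fragments the thread itself mentions (the initializing heading, Site Instance, Raw URL), so adjust them to what your real files show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, not real server output.  Two per-process URLScan
# files as written when PerProcessLogging=1; the urlscan.<pid>.log naming and
# the message wording are assumptions that approximate URLScan 2.5 output.
URLSCAN_LOGS = {
    "urlscan.1204.log": (
        "[12-29-2005 - 06:02:11] ----------- Initializing UrlScan.dll -----------\n"
        "[12-29-2005 - 06:02:11] UrlScan.dll Initialization completed\n"
        "[12-29-2005 - 06:03:40] Client at 203.0.113.9: URL contains sequence '..', "
        "which is disallowed. Request will be rejected.  Site Instance='1', "
        "Raw URL='/scripts/..%255c../winnt/system32/cmd.exe?/c+dir'\n"
    ),
    "urlscan.1377.log": (
        "[12-29-2005 - 06:31:05] ----------- Initializing UrlScan.dll -----------\n"
        "[12-29-2005 - 06:32:17] Client at 198.51.100.20: URL contains extension "
        "'.ida', which is disallowed. Request will be rejected.  Site Instance='3', "
        "Raw URL='/default.ida?XXXX'\n"
        "[12-29-2005 - 06:33:02] Client at 198.51.100.20: Verb 'PROPFIND' is not "
        "allowed. Request will be rejected.  Site Instance='1', Raw URL='/'\n"
    ),
}
# Constructed IIS 6 W3C log for site instance 1 (folder W3SVC1).  IIS writes a
# fresh '#' header block each time the worker process (re)starts and reopens
# the log; that is the corroborating signal David points to.
W3C_LOG_SITE1 = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Date: 2005-12-29 06:02:11\n"
    "#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2005-12-29 06:03:40 W3SVC1 GET /<Rejected-By-UrlScan> "
    "~/scripts/..%255c../winnt/system32/cmd.exe 404\n"
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Date: 2005-12-29 06:31:05\n"
    "#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2005-12-29 06:33:02 W3SVC1 PROPFIND /<Rejected-By-UrlScan> ~/ 404\n"
)

LINE_RE = re.compile(r"^\[(?P<ts>\d\d-\d\d-\d{4} - \d\d:\d\d:\d\d)\]\s*(?P<msg>.*)$")
REJECT_RE = re.compile(
    r"Client at (?P<ip>\S+): (?P<reason>.+?) Request will be rejected\.\s+"
    r"Site Instance='(?P<site>\d+)', Raw URL='(?P<url>.*)'$"
)
PID_RE = re.compile(r"^urlscan\.(?P<pid>\d+)(?:\.\d{6})?\.log$", re.IGNORECASE)


def parse_urlscan(name, text):
    """URLScan events (kind 'init' or 'reject'); pid is None for a plain urlscan.log."""
    m = PID_RE.match(name)
    pid = int(m.group("pid")) if m else None
    events = []
    for line in text.splitlines():
        lm = LINE_RE.match(line)
        if not lm:
            continue
        ts = datetime.strptime(lm.group("ts"), "%m-%d-%Y - %H:%M:%S")
        msg = lm.group("msg")
        rm = REJECT_RE.search(msg)
        if "Initializing UrlScan.dll" in msg:
            events.append({"kind": "init", "ts": ts, "pid": pid})
        elif rm:
            events.append({"kind": "reject", "ts": ts, "pid": pid,
                           "ip": rm.group("ip"), "reason": rm.group("reason"),
                           "site": int(rm.group("site")), "url": rm.group("url")})
    return events


def w3c_start_times(text):
    """Timestamps of '#Date:' headers, one per (re)start of the w3wp writing the log."""
    return [datetime.strptime(line[7:].strip(), "%Y-%m-%d %H:%M:%S")
            for line in text.splitlines() if line.startswith("#Date: ")]


def explain_restarts(events, w3c_starts, tolerance=timedelta(minutes=2)):
    """Pair each URLScan init with an IIS header block within `tolerance`.
    A match means the filter loaded because w3wp demand-started after an idle
    timeout or recycle, which is benign; an unmatched init deserves a look."""
    inits = sorted([e for e in events if e["kind"] == "init"], key=lambda e: e["ts"])
    return [{"ts": e["ts"], "pid": e["pid"],
             "matches_w3wp_start": any(abs(d - e["ts"]) <= tolerance for d in w3c_starts)}
            for e in inits]


def rejections_by_site(events):
    """Group rejects by Site Instance, the <n> of the W3SVC<n> IIS log folder."""
    by_site = defaultdict(list)
    for e in events:
        if e["kind"] == "reject":
            by_site[e["site"]].append((e["ts"], e["ip"], e["reason"], e["url"]))
    return dict(by_site)


if __name__ == "__main__":
    events = [e for n, t in URLSCAN_LOGS.items() for e in parse_urlscan(n, t)]
    for r in explain_restarts(events, w3c_start_times(W3C_LOG_SITE1)):
        print(f"{r['ts']} pid={r['pid']} w3wp start in IIS log: {r['matches_w3wp_start']}")
    for site, rejects in sorted(rejections_by_site(events).items()):
        print(f"W3SVC{site}: {len(rejects)} rejected: {[u for _, _, _, u in rejects]}")
```

Run against a real server, point URLSCAN_LOGS at every urlscan.*.log in the URLScan directory and W3C_LOG_SITE1 at the W3SVC<n> folder for each site; a run in which every init lines up with a #Date: header is the normal idle-timeout pattern David describes, and inits with no IIS counterpart are the ones worth investigating. Two caveats follow from the thread: with PerProcessLogging=0 under worker process isolation, rejections from all but one application pool never reach the file at all, so a quiet log is not evidence that nothing was blocked; and with PerProcessLogging=1 a new file appears on every worker process start, so a periodic parse-then-archive job like the batch file Bernard mentions is what keeps the directory manageable.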



Bernard Cheah [MVP]

2005-12-30, 3:00 am

I just tested it; it will log all initializing headers of all app pools
to one single file.
Nevertheless, I still prefer the default option.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/





Dave

2005-12-31, 7:49 am

I don't know if I like the process ID logging; it would be better if it
could log the site ID so at least it could match up with the site log... Or
could there be multiple processes for a site at the same time?

BTW, I'm not seeing nearly as much activity caught in URLScan as there was a
year or two ago with all the Code Red and other attackers running around.
Has most of this dropped off? Or is my ISP blocking ICMP helping to keep
some of those automatic scanners from finding my site?




Bernard Cheah [MVP]

2006-01-03, 7:50 am

> could there be multiple processes for a site at the same time?
Yes, you could have 2 app pools serving 1 site.
The two options you edited are the only logging options for URLScan. Personally,
I leave the default setting as it is. I have a batch file to parse all log
files; then they are backed up and archived.

As for the 2nd question: most of the machines that were infected have been
cleaned, fixed or removed. You will see less traffic compared to the previous year.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/












Copyright 2003 - 2008 webservertalk.com