Windows IIS Log File Analyzer

Source: Internet
Author: User
Tags add end iis log

Windows server has the ability to log records of events that include the following information in its IIS log file: Who visited your site, what visitors viewed, and so on. By periodically checking these log files, site administrators can detect which areas of the server or site are vulnerable or have other security implications.

However, the current log analysis tool is not perfect, some features do not have, especially for a URL address to attack the analysis is not much, the following is a VB script, save as a VBS program can be run on the server, An IP address that is used to parse and detect attacks against a URL address in the IIS log.

"Code starts
TargetUrl = "/archives/2761.html" "The URL address of the attacked Web site.
LogFilePath = "C:\LogFiles\W3SVC\ex110813.log" log path to the attack site.

On Error Resume Next
Set fileobj = CreateObject ("Scripting.FileSystemObject")
Set Fileobj2 = CreateObject ("Scripting.FileSystemObject")
Set myfile = Fileobj2.opentextfile (LogFilePath, 1, False)

Do While Myfile.atendofstream <> True
Myline = Myfile.readline ()
Myline2 = Split (Myline, "")
NEWIP = Myline2 (9)
Myurl = Myline2 (5)
If TargetUrl = Myurl Then
Writelog Newip
End If
Loop

MyFile. Close
Set Fileobj2 = Nothing
Msgbox "End."

Sub Writelog (Errmes)
Ipfilename = "Blockip.txt"
Set logfile = Fileobj.opentextfile (Ipfilename, 8, True)
Logfile.writeline Errmes
LogFile. Close
Set logfile = Nothing
End Sub
The code ends

Analysis of the IP if there is an exception, you can through the program, add its bulk to the list of IIS shielding IP, the following is found on the Internet a section of VBScript code, will be renamed as VBS, the above section of the IP import, you can bulk block the IP address of the attacker.

"Code starts
"/*=========================================================================
"* Intro VBScript Use ADSI to bulk add masks or allow access to IP for IIS
"* FileName Vbscript-adsi-iis-add-deny-grant-ip-change-metabase.xml.vbs
" *==========================================================================*/
"Adddenyip2all" 192.168.1.106,255.255.255.0 "
"Adddenyip" 123456 "," 127.0.0.1 "
"Adddenyip2all" 14.113.226.116 "

"Add IP or a group of computers to be screened, to a specific site
Sub Adddenyip (strwebno, Strdenyip)
On Error Resume Next
Set secobj = GetObject ("iis://localhost/w3svc/" & Strwebno & "/root")
Set myipsec = secobj.ipsecurity
MyIPSec.GrantByDefault = True
IPList = Myipsec.ipdeny
i = UBound (iplist) + 1
ReDim Preserve IPList (i)
IPList (i) = Strdenyip
Myipsec.ipdeny = IPList
Secobj.ipsecurity = MyIPSec
Secobj.setinfo
End Sub
"Add IP or a group of computers to be screened, to the IIS public configuration to apply to all sites
"If some sites have been previously shielded IP settings, in some settings will not take effect, you have to set up on the total site, and then cover all child nodes
Sub Adddenyip2all (STRDENYIP)
On Error Resume Next
Set secobj = GetObject ("Iis://localhost/w3svc")
Set myipsec = secobj.ipsecurity
MyIPSec.GrantByDefault = True
IPList = Myipsec.ipdeny
i = UBound (iplist) + 1
ReDim Preserve IPList (i)
IPList (i) = Strdenyip
Myipsec.ipdeny = IPList
Secobj.ipsecurity = MyIPSec
Secobj.setinfo
End Sub
"Add an allowed IP or a group of computers to a specified site
Sub Addgrantip (strwebno, Strgrantip)
On Error Resume Next
Set secobj = GetObject ("iis://localhost/w3svc/" & Strwebno & "/root")
Set myipsec = secobj.ipsecurity
MyIPSec.GrantByDefault = False
IPList = Myipsec.ipgrant
i = UBound (iplist) + 1
ReDim Preserve IPList (i)
IPList (i) = Strgrantip
Myipsec.ipgrant = IPList
Secobj.ipsecurity = MyIPSec
Secobj.setinfo
End Sub
"Add an allowed IP or a group of computers to the IIS public configuration to apply to all sites
"If some sites have been previously shielded IP settings, in some settings will not take effect, you have to set up on the total site, and then cover all child nodes
Sub Addgrantip2all (Strgrantip)
On Error Resume Next
Set secobj = GetObject ("Iis://localhost/w3svc")
Set myipsec = secobj.ipsecurity
MyIPSec.GrantByDefault = False
IPList = Myipsec.ipgrant
i = UBound (iplist) + 1
ReDim Preserve IPList (i)
IPList (i) = Strgrantip
Myipsec.ipgrant = IPList
Secobj.ipsecurity = MyIPSec
Secobj.setinfo
End Sub
"Displays banned IP in the IIS public configuration
Sub Listdenyip ()
Set secobj = GetObject ("Iis://localhost/w3svc")
Set myipsec = secobj.ipsecurity
IPList = Myipsec.ipdeny "Ipgrant/ipdeny
WScript.Echo Join (IPList, vbCrLf)
"For i = 0 to UBound (iplist)
"WScript.Echo i + 1 &"--> "& IPList (i)
"Next
End Sub



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.