Windows Server can record events in its IIS log files, including who visited your site, what visitors viewed, and so on. By checking these log files periodically, site administrators can detect which areas of the server or site are vulnerable or have other security problems.
However, current log analysis tools are not perfect and lack some features; in particular, few of them analyse attacks aimed at a single URL. The following is a VBScript which, saved as a .vbs file, can be run on the server to parse the IIS log and extract the IP addresses that attacked a given URL.
'Code starts
TargetUrl = "/archives/2761.html" 'The URL address of the attacked Web site.
LogFilePath = "C:\LogFiles\W3SVC\ex110813.log" 'Path to the log of the attacked site.
On Error Resume Next
Set fileobj = CreateObject("Scripting.FileSystemObject")
Set fileobj2 = CreateObject("Scripting.FileSystemObject")
Set myfile = fileobj2.OpenTextFile(LogFilePath, 1, False) '1 = ForReading
Do While myfile.AtEndOfStream <> True
    myline = myfile.ReadLine()
    If Left(myline, 1) <> "#" Then 'Skip the #Software/#Fields header lines
        myline2 = Split(myline, " ") 'W3C log fields are separated by spaces
        'Positions 9 and 5 must match c-ip and cs-uri-stem in the log's #Fields line.
        newip = myline2(9)
        myurl = myline2(5)
        If TargetUrl = myurl Then
            WriteLog newip
        End If
    End If
Loop
myfile.Close
Set fileobj2 = Nothing
MsgBox "End."
'Append one IP per line to Blockip.txt (8 = ForAppending, True = create the file if missing).
Sub WriteLog(errmes)
    ipfilename = "Blockip.txt"
    Set logfile = fileobj.OpenTextFile(ipfilename, 8, True)
    logfile.WriteLine errmes
    logfile.Close
    Set logfile = Nothing
End Sub
'The code ends
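The script above reads the client IP and URL from fixed field positions and writes one line per matching request, so Blockip.txt fills with duplicates and with clients that requested the page only once. As an added example (not part of the original page or of the scripts it quotes), the VBScript below finds the c-ip and cs-uri-stem columns from the log's #Fields header and returns only the addresses that requested the target URL at least MIN_HITS times; the SuspectIPs name, the threshold and the sample log lines are constructed for illustration.

```vbscript
Option Explicit
' Added example, not from the original page. The log lines below are constructed.
Const TARGET_URL = "/archives/2761.html"
Const MIN_HITS = 3 ' assumed threshold; tune it to the site's normal traffic

Dim sampleLog
sampleLog = Array( _
    "#Software: Microsoft Internet Information Services 6.0", _
    "#Fields: date time cs-method cs-uri-stem c-ip sc-status", _
    "2011-08-13 00:00:01 GET /archives/2761.html 203.0.113.7 200", _
    "2011-08-13 00:00:01 GET /Archives/2761.HTML 203.0.113.7 200", _
    "2011-08-13 00:00:02 GET /archives/2761.html 203.0.113.7 200", _
    "2011-08-13 00:00:02 GET /index.html 198.51.100.20 200", _
    "2011-08-13 00:00:05 GET /archives/2761.html 198.51.100.20 200")

WScript.Echo Join(SuspectIPs(sampleLog, TARGET_URL, MIN_HITS), vbCrLf)

' Returns the client IPs that requested targetUrl at least minHits times.
Function SuspectIPs(lines, targetUrl, minHits)
    Dim hits, flagged, line, cols, i, ipCol, urlCol, ip
    Set hits = CreateObject("Scripting.Dictionary")
    Set flagged = CreateObject("Scripting.Dictionary")
    ipCol = -1 : urlCol = -1
    For Each line In lines
        If Left(line, 8) = "#Fields:" Then
            ' Field order is configurable, so locate the columns by name.
            cols = Split(Trim(Mid(line, 9)), " ")
            ipCol = -1 : urlCol = -1
            For i = 0 To UBound(cols)
                If cols(i) = "c-ip" Then ipCol = i
                If cols(i) = "cs-uri-stem" Then urlCol = i
            Next
        ElseIf Len(line) > 0 And Left(line, 1) <> "#" And ipCol >= 0 And urlCol >= 0 Then
            cols = Split(line, " ")
            If UBound(cols) >= ipCol And UBound(cols) >= urlCol Then
                ' Compare case-insensitively so case variants of the path are counted.
                If LCase(cols(urlCol)) = LCase(targetUrl) Then
                    ip = cols(ipCol)
                    hits(ip) = hits(ip) + 1 ' a missing key starts as Empty, i.e. 0
                End If
            End If
        End If
    Next
    For Each ip In hits.Keys
        If hits(ip) >= minHits Then flagged.Add ip, hits(ip)
    Next
    SuspectIPs = flagged.Keys
End Function
```

Run it with cscript; to use it on a real log, pass the lines read from the log file instead of sampleLog and write the returned addresses to Blockip.txt.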
If the extracted IPs turn out to be abnormal, they can be added in bulk to the IIS list of blocked IPs by a program. The following is a piece of VBScript code found on the Internet; save it as a .vbs file and import the IPs from the section above to block the attackers' IP addresses in bulk.
'Code starts
'/*=========================================================================
' * Intro    VBScript that uses ADSI to bulk add denied or allowed IPs for IIS
' * FileName Vbscript-adsi-iis-add-deny-grant-ip-change-metabase.xml.vbs
' *==========================================================================*/
'AddDenyIP2All "192.168.1.106,255.255.255.0"
'AddDenyIP "123456", "127.0.0.1"
'AddDenyIP2All "14.113.226.116"
'Note: the ADSI provider name "IIS:" in the paths below is case-sensitive.
'Add an IP or a group of computers to be blocked, for a specific site
Sub AddDenyIP(strWebNo, strDenyIP)
    On Error Resume Next
    Set SecObj = GetObject("IIS://localhost/w3svc/" & strWebNo & "/root")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = True
    IPList = MyIPSec.IPDeny
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strDenyIP
    MyIPSec.IPDeny = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.SetInfo
End Sub
'Add an IP or a group of computers to be blocked, in the IIS global configuration so that it applies to all sites
'If some sites already have their own IP restriction settings, this setting will not take effect on them; set it on the top-level node and then overwrite all child nodes
Sub AddDenyIP2All(strDenyIP)
    On Error Resume Next
    Set SecObj = GetObject("IIS://localhost/w3svc")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = True
    IPList = MyIPSec.IPDeny
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strDenyIP
    MyIPSec.IPDeny = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.SetInfo
End Sub
'Add an allowed IP or a group of computers, for a specific site
Sub AddGrantIP(strWebNo, strGrantIP)
    On Error Resume Next
    Set SecObj = GetObject("IIS://localhost/w3svc/" & strWebNo & "/root")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = False
    IPList = MyIPSec.IPGrant
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strGrantIP
    MyIPSec.IPGrant = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.SetInfo
End Sub
'Add an allowed IP or a group of computers, in the IIS global configuration so that it applies to all sites
'If some sites already have their own IP restriction settings, this setting will not take effect on them; set it on the top-level node and then overwrite all child nodes
Sub AddGrantIP2All(strGrantIP)
    On Error Resume Next
    Set SecObj = GetObject("IIS://localhost/w3svc")
    Set MyIPSec = SecObj.IPSecurity
    MyIPSec.GrantByDefault = False
    IPList = MyIPSec.IPGrant
    i = UBound(IPList) + 1
    ReDim Preserve IPList(i)
    IPList(i) = strGrantIP
    MyIPSec.IPGrant = IPList
    SecObj.IPSecurity = MyIPSec
    SecObj.SetInfo
End Sub
'Display the denied IPs in the IIS global configuration
Sub ListDenyIP()
    Set SecObj = GetObject("IIS://localhost/w3svc")
    Set MyIPSec = SecObj.IPSecurity
    IPList = MyIPSec.IPDeny 'IPGrant/IPDeny
    WScript.Echo Join(IPList, vbCrLf)
    'For i = 0 To UBound(IPList)
    '    WScript.Echo i + 1 & "--> " & IPList(i)
    'Next
End Sub