Please add a logfile feature to RequestFilteringModule RRS feed

  • Question

  • User166670298 posted


    after deciding to use RequestFilteringModule instead of UrlScan, and tweaking the security in the different 'deny sections', I've noticed by accident that an URLExecution to an relative URL-Path in the CustomErrorModule triggered an 404.18 HTTP-Status: "Query String Sequence Denied" caused by the RequestFilteringModule. Couldn't see query string in the standard W3SVC-Protocol, only a 404-status and 18-substatus (maybe for security reasons). So I had to check by try&error which string sequence was triggering the RequestFiltering. It came out that it was a simple semicolon ";". Seems that URLExecution to an relative URL-Path in the CustomErrorModule is adding a ";" as a query string, and it gets blocked by RequestFilteringModule. I've spent some time looking for that. I think it's really necessary to add a logging feature in the RequestFilteringModule, just like in UrlScan.

     Thx a lot!

    Thursday, June 24, 2010 10:47 AM

All replies

  • User1073881637 posted

    Not sure this is possible, can the Advanced Logging Module perform this action?

    Saturday, June 26, 2010 11:30 AM
  • User-2064283741 posted

    Do you have anything configured in the denyQueryStringSequences ?


    I am not sure but I don't think URLScan actually told you in its logs what the query string it rejected. There were some things missing from the logging features in URLscan, I think, this might have been one of them.

    However I agree that more logging would be great for modules like this. 


    I am not sure Advancing logging will pick this up. With the ISAPI URLScan filter it was processed before the IIS logs I am not sure if this module will do the same and how advanced logginng fits in with this.

    Sunday, June 27, 2010 5:41 AM
  • User1073881637 posted

    This was the only thing I could think of that might have logging capabilities.

    Sunday, June 27, 2010 11:01 PM
  • User166670298 posted

    As far as I can see, setting up the Advanced Logging would be far too complicated, because I would have to syncronize Advanced logging with requestfiltering. I've tried TracingModule only and it shows only information about module responses, like:

    NOTIFY_MODULE_START ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotification="false", fIsCompletion="false" 16:05:44.588
    Warning ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", HttpStatus="404", HttpReason="Not Found", HttpSubStatus="18", ErrorCode="The Operation completed successfully.(0x0)", ConfigExceptionInfo="" 16:05:44.588
    NOTIFY_MODULE_END ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_FINISH_REQUEST" 16:05:44.588

    It is possible to get the complete URL from Event Name "GENERAL_REQUEST_START" in the trace, but it would be nice to have logging capabilites like Urlscan does. UrlScan logs detailed information of a triggering sequence:

    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.2.3/main.php'
    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.2.6/main.php'
    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.5.1/main.php'

    In my opinion the ability to log sequences that triggers the filter is very important for detecting inappropriate placed url- and query sequences of the filter. If requestfiltering was made to replace UrlScan, please consider logging feature somewhere (e.g. in the TracingModule could be a nice place) .


    Tuesday, June 29, 2010 1:03 PM