Please add a logfile feature to RequestFilteringModule

  • Question

  • User166670298 posted

     Hello,

    After deciding to use RequestFilteringModule instead of UrlScan, and tweaking the security in the different 'deny sections', I noticed by accident that a URLExecution to a relative URL path in the CustomErrorModule triggered a 404.18 HTTP status: "Query String Sequence Denied", caused by the RequestFilteringModule. I couldn't see the query string in the standard W3SVC-Protocol, only a 404 status and 18 substatus (maybe for security reasons). So I had to check by trial and error which string sequence was triggering the RequestFiltering. It turned out that it was a simple semicolon ";". It seems that URLExecution to a relative URL path in the CustomErrorModule is adding a ";" as a query string, and it gets blocked by RequestFilteringModule. I've spent some time looking for that. I think it's really necessary to add a logging feature to the RequestFilteringModule, just like in UrlScan.

     Thx a lot!

    Thursday, June 24, 2010 10:47 AM

All replies

  • User1073881637 posted

    Not sure this is possible, can the Advanced Logging Module perform this action?

    Saturday, June 26, 2010 11:30 AM
  • User-2064283741 posted

    Do you have anything configured in the denyQueryStringSequences?

    http://learn.iis.net/page.aspx/504/using-enhanced-request-filtering-features-in-iis7/

    I am not sure, but I don't think URLScan actually told you in its logs which query string it rejected. There were some things missing from the logging features in URLScan, I think; this might have been one of them.

    However I agree that more logging would be great for modules like this. 

    Steve,

    I am not sure Advanced Logging will pick this up. With the ISAPI URLScan filter it was processed before the IIS logs; I am not sure if this module will do the same and how Advanced Logging fits in with this.

    Sunday, June 27, 2010 5:41 AM
  • User1073881637 posted

    This was the only thing I could think of that might have logging capabilities.

    Sunday, June 27, 2010 11:01 PM
  • User166670298 posted

    As far as I can see, setting up Advanced Logging would be far too complicated, because I would have to synchronize Advanced Logging with RequestFiltering. I've tried the TracingModule only, and it shows only information about module responses, like:

    =======================================================================================
    NOTIFY_MODULE_START ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotification="false", fIsCompletion="false" 16:05:44.588
    =======================================================================================
    MODULE_SET_RESPONSE_ERROR_STATUS
    Warning ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", HttpStatus="404", HttpReason="Not Found", HttpSubStatus="18", ErrorCode="The Operation completed successfully.(0x0)", ConfigExceptionInfo="" 16:05:44.588
    ======================================================================================
    NOTIFY_MODULE_END ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_FINISH_REQUEST" 16:05:44.588
    ======================================================================================

    It is possible to get the complete URL from the event named "GENERAL_REQUEST_START" in the trace, but it would be nice to have logging capabilities like UrlScan has. UrlScan logs detailed information about a triggering sequence:

    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.2.3/main.php'
    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.2.6/main.php'
    [01-12-2009 - 03:39:31] Client at X.X.X.X: URL contains '.' in the path. Request will be rejected.  Site Instance='1', Raw URL='/phpMyAdmin-2.5.1/main.php'

    In my opinion, the ability to log sequences that trigger the filter is very important for detecting inappropriately placed URL and query sequences in the filter. If RequestFiltering was made to replace UrlScan, please consider a logging feature somewhere (e.g. the TracingModule could be a nice place).

     Thanks!

    Tuesday, June 29, 2010 1:03 PM
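
The workaround described in the last post (take the URL from GENERAL_REQUEST_START and pair it with the RequestFilteringModule error status) can be scripted so the triggering sequence does not have to be found by trial and error. This is an added example, not code from the thread or from IIS; it assumes the flattened trace layout pasted above, a `RequestURL` field on GENERAL_REQUEST_START, a constructed sample trace, and a case-insensitive substring comparison as an approximation of the filter.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the flattened layout of the trace pasted above.
# Assumptions: the RequestURL field name, the host example.test, and the URLs.
SAMPLE_TRACE = '''\
GENERAL_REQUEST_START SiteId="1", RequestURL="http://example.test:80/ok.htm?id=5", RequestVerb="GET" 16:05:40.100
GENERAL_REQUEST_START SiteId="1", RequestURL="http://example.test:80/err/404.htm?404;http://example.test:80/gone", RequestVerb="GET" 16:05:44.588
NOTIFY_MODULE_START ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotification="false", fIsCompletion="false" 16:05:44.588
MODULE_SET_RESPONSE_ERROR_STATUS
Warning ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", HttpStatus="404", HttpReason="Not Found", HttpSubStatus="18", ErrorCode="The Operation completed successfully.(0x0)", ConfigExceptionInfo="" 16:05:44.588
NOTIFY_MODULE_END ModuleName="RequestFilteringModule", Notification="BEGIN_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_FINISH_REQUEST" 16:05:44.588
'''

ATTR = re.compile(r'(\w+)="([^"]*)"')  # Name="value" pairs on a trace line


def explain_rejections(trace_text, deny_sequences):
    """Pair each RequestFilteringModule error status with the request URL and
    list the configured deny sequences present in that URL's query string."""
    findings, url = [], None
    for line in trace_text.splitlines():
        attrs = dict(ATTR.findall(line))
        if line.lstrip().startswith("GENERAL_REQUEST_START"):
            url = attrs.get("RequestURL")  # remember the URL of the current request
            continue
        if attrs.get("ModuleName") != "RequestFilteringModule" or "HttpSubStatus" not in attrs:
            continue  # start/end notifications carry no status
        query = urlsplit(url).query if url else ""
        # Approximation of the filter: case-insensitive substring match.
        hits = [s for s in deny_sequences if s.lower() in query.lower()]
        findings.append({
            "status": f'{attrs["HttpStatus"]}.{attrs["HttpSubStatus"]}',
            "url": url,
            "query": query,
            # Only substatus 18 is the query string sequence rule.
            "matched": hits if attrs["HttpSubStatus"] == "18" else [],
        })
    return findings


if __name__ == "__main__":
    # The deny list here is hypothetical; use the entries from your own
    # denyQueryStringSequences section.
    for f in explain_rejections(SAMPLE_TRACE, [";", "--", "<script"]):
        print(f["status"], f["url"], "matched:", f["matched"])
```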