how to search and monitor event code 3005

  • Question

  • User-258909851 posted

    I'd like to know how to search/detect or monitor for event code 3005 in my IIS box.

    Can I write a script to pull that info and report it to me?

    Any instructions on this will be helpful (I searched already and can't find anything).

    Thanks

    Thursday, September 23, 2010 9:50 AM

All replies

  • User-234406897 posted

    I would install and use LogParser for this to monitor the 3005 event and then base some logic on that.

    Thursday, September 23, 2010 10:19 AM
  • User-678074507 posted

    You can also use WMI to read from the event log. Either method would be sufficient for this action.

    Thursday, September 23, 2010 11:09 AM
  • User-1483414435 posted

    Go download LogParser 2.2 and install it locally on the server

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

    Execute this command line locally on the server

    logparser.exe -o:DATAGRID "SELECT TimeGenerated, EventID, message FROM Application WHERE EventID=3005"

    You can also execute this remotely from another machine against multiple servers (as long as you can authenticate using UNC or whatever) with:

    logparser.exe -o:DATAGRID "SELECT TimeGenerated, EventID, message FROM \\192.168.1.3\Application, \\192.168.1.4\Application, \\192.168.1.5\Application WHERE EventID=3005"

    192.168.1.3, .4, and .5 are your web servers' IP addresses or names.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 23, 2010 11:46 AM
  • User-258909851 posted

    Thank you all and dm3281

    I downloaded LogParser and appreciate your guidance.

    The only thing I want to know now that I'm playing with it is:

    if I want this to be written into a file, how do I do that?

    Thursday, September 23, 2010 12:34 PM
  • User-1483414435 posted

    Remove the -o:DATAGRID argument.

    Add to the very end of the command a > c:\eventid.txt

    and all the output will be redirected to the eventid.txt file instead of the datagrid

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 23, 2010 12:49 PM
  • User-826009519 posted

    I think there is some confusion with regard to the 3005.  The event id is a 1309.  That is a generic program fault ID, the event code is a 3005.  I believe by using the following where clause you will get the desired results:  WHERE EventID=1309 and message like '%CryptographicException%'

    Thursday, September 23, 2010 6:57 PM
  • User2050624116 posted

    I wrote a Windows service specifically for this; it uses the .NET eventing infrastructure to monitor the event log for the events in question and can send an email alert and/or block remote IPs in the Windows Firewall whenever a threshold is reached in the number of logged exceptions within a specific timespan...

    More on that over in my blog:

    http://huagati.blogspot.com/2010/09/testing-aspnet-poet-sniffer-service.html

    http://huagati.blogspot.com/2010/09/installing-poet-sniffer-service.html

    http://huagati.blogspot.com/2010/09/detecting-poet-aspnet-attacks-poet.html


    Source code is included (C# 4 / .net 4), so feel free to change it to match your needs or do whatever you want with it.

    Disclaimer: No support is provided, no warranty, no guarantees, use at your own risk, use your own judgement etc. I wrote it for use on my own servers but figured others might find it useful too...

    Friday, September 24, 2010 6:09 AM
  • User-234406897 posted

    I think there is some confusion with regard to the 3005.  The event id is a 1309.  That is a generic program fault ID, the event code is a 3005.  I believe by using the following where clause you will get the desired results:  WHERE EventID=1309 and message like '%CryptographicException%'

    I would be worried about just using the CryptographicException in the message as the only trigger for this.

    Has it been confirmed that only that is a problem?

    By using webresource.axd?aspxerrorpath=&d=

    and then a string, etc., you can make many 500 errors occur.

    Exception information:
        Exception type: HttpException
        Exception message: Invalid viewstate.

    or

    Exception information:
        Exception type: CryptographicException
        Exception message: Length of the data to decrypt is invalid.

    or

    Exception information:
        Exception type: FormatException
        Exception message: Invalid character in a Base-64 string.

    are just a few I have created from random strings for d=

    I would not risk just one.

    I would also monitor your IIS logs for 404 and 500 errors after you have done your workaround (they could exist) and match them up with the event log for these 1309 errors

    Friday, September 24, 2010 5:40 PM
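A defender-side detection sketch, added here as an example and not code from any poster in this thread, combining the two points raised above: filter on event ID 1309, read the event code and exception type out of the message, treat all three exception types listed as signals rather than CryptographicException alone, and alert only when one client address trips a threshold within a time window. The sample rows, the message layout and the "User host address" field it keys on are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exception types the thread lists as produced by tampered WebResource.axd d= tokens.
SUSPECT = {"CryptographicException", "HttpException", "FormatException"}
CODE_RE, EXC_RE, IP_RE = (re.compile(p) for p in
    (r"Event code: (\d+)", r"Exception type: (\w+)", r"User host address: ([\d.]+)"))

def make_msg(code, exc, text, ip):
    """Build a message body in the layout of an ASP.NET 1309 event (constructed sample)."""
    return (f"Event code: {code}\nException information:\n    Exception type: {exc}\n"
            f"    Exception message: {text}\nUser host address: {ip}")

# Constructed rows shaped like LogParser's Application-log output (TimeGenerated, EventID,
# Message): 10.0.0.7 hammers the handler, 10.0.0.9 trips once, the last row is a different event.
EVENTS = [
    ("2010-09-24 17:40:01", 1309, make_msg(3005, "HttpException", "Invalid viewstate.", "10.0.0.7")),
    ("2010-09-24 17:40:09", 1309, make_msg(3005, "CryptographicException", "Length of the data to decrypt is invalid.", "10.0.0.7")),
    ("2010-09-24 17:40:20", 1309, make_msg(3005, "FormatException", "Invalid character in a Base-64 string.", "10.0.0.7")),
    ("2010-09-24 17:41:02", 1309, make_msg(3005, "CryptographicException", "Length of the data to decrypt is invalid.", "10.0.0.7")),
    ("2010-09-24 17:43:15", 1309, make_msg(3005, "HttpException", "Invalid viewstate.", "10.0.0.9")),
    ("2010-09-24 17:44:00", 1309, make_msg(3005, "NullReferenceException", "Object reference not set.", "10.0.0.9")),
    ("2010-09-24 17:44:30", 1310, make_msg(3006, "HttpException", "Request timed out.", "10.0.0.7")),
]

def parse_event(ts, event_id, message):
    """Return (time, ip, exception type) for event ID 1309 / event code 3005 with a suspect exception."""
    code, exc, ip = (r.search(message) for r in (CODE_RE, EXC_RE, IP_RE))
    if event_id != 1309 or not (code and exc and ip):
        return None
    if code.group(1) != "3005" or exc.group(1) not in SUSPECT:
        return None
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip.group(1), exc.group(1)

def flag_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak count} for clients with >= threshold suspect errors inside any window."""
    per_ip = defaultdict(list)
    for rec in filter(None, (parse_event(*row) for row in events)):
        per_ip[rec[1]].append(rec[0])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

With the sample rows, only 10.0.0.7 is flagged (four suspect 3005 errors inside five minutes); the single HttpException from 10.0.0.9 and its NullReferenceException stay below the bar, as does the event ID 1310 row.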
  • User2050624116 posted

    I would be worried about just using the CryptographicException in the message as the only trigger for this.

    Has it been confirmed that only that is a problem?

    By using webresource.axd?aspxerrorpath=&d=

    and then a string, etc., you can make many 500 errors occur.

    Exception information:
        Exception type: HttpException
        Exception message: Invalid viewstate.

    or

    Exception information:
        Exception type: CryptographicException
        Exception message: Length of the data to decrypt is invalid.

    or

    Exception information:
        Exception type: FormatException
        Exception message: Invalid character in a Base-64 string.

    are just a few I have created from random strings for d=

    I would not risk just one.

    I would also monitor your IIS logs for 404 and 500 errors after you have done your workaround (they could exist) and match them up with the event log for these 1309 errors


    The other exceptions you mention are thrown for other reasons; when the URL token is invalid in such a way that it can't be processed. For webresource.axd I think CryptographicException covers it. For other handlers/pages/controls, there may be a different exception or behavior to look out for, but since the POET demo video showed webresource.axd used as the target I think that is the one any malware authors will focus on. JMHO, but I may be wrong. :)

    Saturday, September 25, 2010 9:59 PM
  • User-258909851 posted

    I can't write this to a file by using

    logparser.exe  "SELECT TimeGenerated, EventID, message FROM Application WHERE EventID=3005" a>file.txt

    I'm getting an error "argument after the command"

    Anybody knows what i'm doing wrong?

    Wednesday, September 29, 2010 11:53 AM
  • User2050624116 posted

    logparser.exe  "SELECT TimeGenerated, EventID, message FROM Application WHERE EventID=3005" a>file.txt

    I'm getting an error "argument after the command"

    Anybody knows what i'm doing wrong?


    Remove the "a":


    logparser.exe  "SELECT TimeGenerated, EventID, message FROM Application WHERE EventID=3005" > file.txt

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 30, 2010 12:25 AM